Joyent Security and Compliance

Joyent has architected a highly secure cloud infrastructure for deployment of a wide range of production applications and sensitive data. In addition to maintaining key industry certifications, compliances, reports, and attestations, we provide unique service offerings to help customers mitigate their risks in the cloud. Working with Joyent, our customers can build on top of our services and achieve and maintain their compliance needs.

This page includes the following sections: overview of Joyent’s security strategy, information on the certifications and independent assessments in our possession, and a FAQ on PCI DSS compliance.

Overview

There are several key elements in our strategy to ensure the security of the Joyent infrastructure:

Certifications and Attestations of Compliance

Joyent holds the following:

  • SOC 1/SSAE 16 report
  • PCI DSS Level 1 compliance
  • Safe Harbor certification
  • Health Insurance Portability and Accountability Act (HIPAA)

Physical Security

Joyent infrastructure is housed within top-tier data centers, including Equinix and SwitchNap. These data centers are secured with a variety of physical controls to prevent unauthorized access.

Secure Services

Each of our services within the Joyent cloud is architected to be secure and to prevent unauthorized access or usage.

Data Privacy

Joyent strongly recommends that users encrypt their personal or business data within the Joyent cloud, both in production and in backup / storage environments. While data encryption is NOT a default offering in the Joyent Cloud, the Joyent team can recommend a variety of appropriate encryption options that users can implement on top of the Joyent cloud infrastructure.

Certifications and Attestations of Compliance

SSAE 16/SOC 1

In accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Joyent has completed a SOC 1 Type 1 report. This audit attests that Joyent’s control objectives are effectively designed and that the individual controls defined to safeguard customer data are operating effectively. Our commitment to the SOC 1 report is ongoing and we plan to continue our process of periodic audits.

PCI DSS Level 1

An independent Qualified Security Assessor (QSA) under the Payment Card Industry (PCI) Data Security Standard (DSS) has successfully validated Joyent as a Level 1 service provider. PCI-validated services include the Joyent Cloud virtual infrastructure, the Joyent Cloud management environment, and the underlying physical infrastructure.

Joyent does not provide credit card services to its customers. All additional required PCI DSS controls for a customer environment implemented within the Joyent Cloud remain the responsibility of Joyent’s customers. Those controls must be assessed and validated on an individual merchant or service provider basis, as part of the customer’s validation of PCI DSS compliance for the customer’s own report on compliance (ROC).

Safe Harbor Certification Effective February 22, 2103

Joyent recognizes that the European Union ("EU") has an "omnibus" data protection regime established pursuant to the European Data Protection Directive (95/46/EC) (the "Directive") and that Switzerland has adopted a comparable data protection law (together, "European Privacy Laws"). Among other things, the European Privacy Laws generally require "adequate protection" for the transfer of individually identifiable information about end users located in the EU and Switzerland to Joyent's operations in the United States. In connection with providing data hosting and other services to Joyent's clients, Joyent may obtain incidental access to individually identifiable information about Joyent's clients' end users in the EU and Switzerland ("European End User Data"). Joyent accordingly adheres to the requirements of the US/EU and US/Swiss Safe Harbor Privacy Principles published by the US Department of Commerce ("Safe Harbor") with respect to European End User Data received in the United States. Our clients act as the data controller for any European End User Data received by Joyent in the US. Joyent acts as a data processor on behalf of our clients with respect to such European End User Data, and accordingly only carries out the instructions of such clients with regard to the storage and processing of European End User Data. For more information about Safe Harbor, please refer to the US Department of Commerce website at http://www.export.gov/safeharbor/. European End Users may first wish to contact the client with questions regarding European End User Data shared with Joyent, as this may be the most efficient means of addressing such access requests. Any European End User who cannot resolve his or her issue directly with the client or Joyent can contact the local data protection authority for further information and assistance. If you have any questions about our Safe Harbor participation, please contact us as directed at the bottom of this Privacy Policy.

Health Insurance Portability and Accountability Act (HIPAA)

Joyent’s high-performance cloud is compliant with the U.S. Health Insurance Portability and Accountability Act (HIPAA).

We provide covered entities subject to HIPAA with a secure environment to manage, update and store protected health information. Joyent signs Business Associate Agreements with customers to validate the integrity of our process systems that facilitate HIPAA compliance.

Contact our customer success team to learn more about how you can leverage the Joyent cloud to ensure ongoing HIPAA compliance.

Security Features

Key Rotation and Changes

Joyent recommends that users rotate or change access keys and certificates on a regular basis to prevent unauthorized access and provide additional security.

Additional Information

Delivering a secure cloud computing platform involves implementing numerous best practices for on-premise infrastructure as well as a host of additional considerations unique to a hosted infrastructure environment.

The Joyent Wiki also provides a wide variety of information and recommendations on security best practices, particularly relating to firewalls, isolating networks with VLANs, backup, and data encryption. Here are a few key differences for Joyent Cloud with regard to security practices.

  • L2 Isolations – Joyent Cloud users may access separated VLANs providing true Layer 2 separation.
  • Firewalls – Joyent Cloud users may deploy a wide variety of commercial grade proprietary and open source firewalls including Riverbed Stingray (Layer 7 application firewall), IPFilter, SmoothWall (Linux-based firewall), IPTables, and others.
  • Data Encryption – Joyent Cloud deploys local storage for high speed and high reliability. There are no limitations on a customer’s ability to encrypt data.
  • VPNs – Customers wishing to securely access layers of their application tiers not accessible to the public via encrypted means may deploy either SSL or IPSec VPNs. These VPNs can also be used to construct DMZs as needed.
  • Containers – Joyent Cloud uses Containers to isolate compute instances.
    • A container can only see its own network traffic
    • Disk storage is accessed via the ZFS file system and never via raw devices.
    • Each Container enjoys its own file system and cannot see other file systems in the virtual multi-tenant environment. Upon deletion of a Container, the file system is deleted and there is no device path to retrace the contents of that Container.
    • Users have no access to raw memory devices and cannot scan system memory. As such, there is no code path to “break out” of a hypervisor and impact other users.

Questions Regarding Compliance?

Questions regarding compliance may be directed to: compliance@joyent.com.

