Security Compliance

Triton Security and Compliance

Triton is architected to be a highly secure public cloud suitable for hosting a wide range of production applications and sensitive data. In addition to maintaining key industry certifications, compliance validations, reports, and attestations, we provide customized service offerings to help customers mitigate their risks in the cloud. Customers can build on top of Triton services to achieve and maintain their own compliance requirements: the certifications and attestations below cover Joyent's infrastructure and operations, while the controls inside a customer's own environment remain the customer's responsibility.

Talk to Us About Your Security Requirements

PCI DSS Level 1 compliance

Safe Harbor certification

SOC 1/SSAE 16 report

Health Insurance Portability and Accountability Act (HIPAA)

Overview

Physical Security

Triton infrastructure is housed within top tier data centers, including Equinix and SwitchNap. These data centers are secured with a variety of physical controls to prevent unauthorized access.

Secure Services

Triton services are architected to be secure, and prevent unauthorized access or usage.

Data Privacy

We recommend that users encrypt their personal or business data within Triton, both in production and in backup / storage environments. While data encryption is NOT a default offering in Triton, we can recommend a variety of appropriate encryption options that users can implement on top of Triton infrastructure.

Certifications and Attestations of Compliance

SSAE 16/SOC 1

In accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Joyent has completed a SOC 1 Type 1 report. A Type 1 report attests that Joyent's control objectives and the individual controls defined to safeguard customer data are suitably designed as of the report date; operating effectiveness over a review period is the subject of a Type 2 report, so customers who require that level of assurance should ask which report type is current. Our commitment to the SOC 1 report is ongoing and we plan to continue our process of periodic audits.

PCI DSS Level 1

An Independent Qualified Security Assessor (QSA) under the Payment Card Industry (PCI) Data Security Standard (DSS) has successfully validated Joyent as a Level 1 service provider. PCI validated services include the Triton virtual infrastructure, the Triton management environment, and the underlying physical infrastructure.

Joyent does not provide credit card services to its customers. All additional required PCI DSS controls for a customer environment implemented within Triton remain the responsibility of Joyent's customers. Those controls must be assessed and validated on an individual merchant or service provider basis, as part of the customer’s validation of PCI DSS compliance for the customer’s own report on compliance (ROC).

Safe Harbor Certification Effective February 22, 2013

Joyent recognizes that the European Union ("EU") has an "omnibus" data protection regime established pursuant to the European Data Protection Directive (95/46/EC) (the "Directive") and that Switzerland has adopted a comparable data protection law (together, "European Privacy Laws"). Among other things, the European Privacy Laws generally require "adequate protection" for the transfer of individually identifiable information about end users located in the EU and Switzerland to Joyent's operations in the United States.

In connection with providing data hosting and other services to Joyent's clients, Joyent may obtain incidental access to individually identifiable information about Joyent's clients' end users in the EU and Switzerland ("European End User Data"). Joyent accordingly adheres to the requirements of the US/EU and US/Swiss Safe Harbor Privacy Principles published by the US Department of Commerce ("Safe Harbor") with respect to European End User Data received in the United States. Our clients act as the data controller for any European End User Data received by Joyent in the US. Joyent acts as a data processor on behalf of our clients with respect to such European End User Data, and accordingly only carries out the instructions of such clients with regard to the storage and processing of European End User Data. For more information about Safe Harbor please refer to the US Department of Commerce website at export.gov/safeharbor.

European End Users may first wish to contact the client with questions regarding European End User Data shared with Joyent, as this may be the most efficient means of addressing such access requests. Any European End User who cannot resolve his or her issue directly with the client or Joyent can contact the local data protection authority for further information and assistance. If you have any questions about our Safe Harbor participation, please contact us as directed at the bottom of this page.

Health Insurance Portability and Accountability Act (HIPAA)

Joyent’s high-performance cloud is built to support workloads subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA). We provide covered entities with a secure environment in which to manage, update and store protected health information (PHI), and we sign Business Associate Agreements (BAAs) with customers, as HIPAA requires of a service provider that handles PHI on a covered entity's behalf. Contact our customer success team to learn more about how you can leverage Triton to maintain ongoing HIPAA compliance.

Security Features

Key Rotation and Changes

Joyent recommends that users rotate or change access keys and certificates on a regular schedule, and immediately whenever a key may have been exposed, so that a leaked credential has a bounded useful lifetime. Add the replacement key before removing the old one and verify that the new key works, so that rotation never locks you out of your own account.
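A small rotation audit for SSH-style public keys, added here as an illustration of the recommendation above; it is example code, not Joyent's or Triton's own tooling. It assumes a 90-day rotation policy and that the date each key was issued is recorded after an "@" in the key's comment field (both assumptions for this example); the two keys in SAMPLE_KEYS are constructed and not real credentials. It parses authorized_keys-style lines, checks that the declared key type matches the type embedded in the key blob, computes the SHA256 and MD5 fingerprints in the forms ssh-keygen prints, and reports which keys are past the rotation window.

```python
"""Key rotation audit: flag public keys older than the rotation policy allows."""
import base64
import hashlib
from datetime import date

ROTATION_DAYS = 90  # assumed policy for this example; use your own interval

# Constructed sample data (not real keys). The issue date is stored after '@'
# in the comment, a convention assumed for this example.
SAMPLE_KEYS = """\
# format: <type> <base64 blob> <user>@<issued-on>
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB7Kk2mIXhqzl0q4wGuh5Mfw8YnjSdM4hYO8NEaRj3D0 alice@2024-01-15
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqGgT3Qg0F0A2oC3FqA8yzW8gq3g9gG4Zc8cq1qQYl6 bob@2024-05-02
"""


def parse_key(line):
    """Split one authorized_keys-style line into (type, blob bytes, comment).

    The wire-format blob starts with a length-prefixed string naming the key
    type; refuse lines whose declared type does not match it, which catches
    copy/paste errors before a bad key is registered anywhere.
    """
    ktype, b64, comment = line.split(None, 2)
    blob = base64.b64decode(b64)
    n = int.from_bytes(blob[:4], "big")
    embedded = blob[4:4 + n].decode("ascii")
    if embedded != ktype:
        raise ValueError(f"declared type {ktype!r} but blob says {embedded!r}")
    return ktype, blob, comment.strip()


def fingerprint_sha256(blob):
    """SHA256 fingerprint as printed by `ssh-keygen -l` (base64, no padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob):
    """Legacy MD5 fingerprint as printed by `ssh-keygen -l -E md5` (colon hex)."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def issued_on(comment):
    """Issue date recorded after '@' in the comment (assumption of this example)."""
    return date.fromisoformat(comment.rsplit("@", 1)[1])


def rotation_report(text, today, max_age_days=ROTATION_DAYS):
    """Return one (sha256_fp, md5_fp, comment, age_days, overdue) tuple per key."""
    report = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ktype, blob, comment = parse_key(line)
        age = (today - issued_on(comment)).days
        report.append((fingerprint_sha256(blob), fingerprint_md5(blob),
                       comment, age, age > max_age_days))
    return report


def overdue_keys(text, today, max_age_days=ROTATION_DAYS):
    """Fingerprints of keys that must be rotated now."""
    return [fp for fp, _md5, _c, _age, late in rotation_report(text, today, max_age_days) if late]


if __name__ == "__main__":
    for sha, md5, comment, age, late in rotation_report(SAMPLE_KEYS, date.today()):
        status = "ROTATE" if late else "ok"
        print(f"{status:6} {age:4}d {sha} {md5} {comment}")
```

Fingerprints are computed over the decoded blob, not the base64 text, so they match what the key's owner sees locally and can be used to confirm that the key being revoked is the old one and not its replacement. Run the audit from cron against the keys registered on each account; any key it reports as overdue should be replaced by first adding the new key, confirming the new key authenticates, and only then deleting the old fingerprint.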

Additional Information

Our goal is to work with you to deliver a secure cloud computing platform. Below are some key highlights regarding security practices on Triton:

  • L2 Isolation – Triton users may access separated VLANs providing true Layer 2 separation.
  • Firewalls – Triton users may deploy a wide variety of commercial grade proprietary and open source firewalls including Brocade vWAF (Layer 7 application firewall), IPFilter, SmoothWall (Linux-based firewall), IPTables, and others.
  • Data Encryption – Triton deploys local storage for high speed and high reliability. There are no limitations on a customer’s ability to encrypt data.
  • VPNs – Customers who need encrypted access to application tiers that are not exposed to the public may deploy either SSL/TLS or IPsec VPNs. These VPNs can also be used to construct DMZs as needed.
  • Containers – Triton uses containers to isolate compute instances.
    • A container can only see its own network traffic.
    • Disk storage is accessed via the ZFS file system and never via raw devices.
    • Each container has its own file system and cannot see other file systems in the multi-tenant environment. When a container is deleted, its file system is deleted with it and no device path remains through which its contents could be read.
    • Users have no access to raw memory devices and cannot scan system memory, which removes the most direct route by which one container could read or tamper with another tenant's memory.

Questions Regarding Compliance?

Questions regarding compliance may be directed to: compliance@joyent.com.

Security Issues?

Check and report security issues here