Sonar's Security Strategies

Security is a Top Priority

At Sonar, trust is woven into the fabric of everything we do. We're driven to build and provide a platform for our ISPs that also keeps their data safe and private. We deploy industry-leading safeguards, and continuously monitor our systems, so our customers can rest easy knowing their data is protected 24/7 in the cloud.

Security in the Cloud

Sonar leverages the power and security of Microsoft Azure, DigitalOcean, and Amazon Web Services to keep client data secure, confidential, and private in the cloud.

Our cloud service platforms meet a broad set of international and industry-specific compliance standards, such as the General Data Protection Regulation (GDPR), ISO 27001, HIPAA, FedRAMP, SOC 1, and SOC 2. Rigorous third-party audits verify their adherence to the strict security controls these standards mandate.

Data is stored in state-of-the-art regional data centers, designed to protect mission-critical systems with fully redundant subsystems and compartmentalized security zones. Our cloud data centers adhere to the strictest physical security measures including multiple layers of authentication for server area access, two-factor biometric authentication for critical areas, camera surveillance systems at key internal and external entry points, and 24/7 monitoring by dedicated security personnel.

Data Security - Industry Standard Encryption and Secure Connections

Sonar's data is transmitted to and from our servers over HTTPS and is encrypted in transit (TLS) using AES 256-bit encryption. At rest, our data is stored and encrypted using AES 256-bit encryption. All communications use SSL encryption, and our data is stored in SOC 1 Type II, SOC 2 Type I, and ISO 27001 certified data centers.

Network Security - Intrusion Detection and Prevention

Our networks are protected by firewalls configured to follow industry best practices for network ingress/egress security. Extended Detection and Response (XDR) monitoring of security vulnerabilities and threats protects against malware, brute-force attacks, SQL injections, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, worms, and botnets.

Sonar has established detailed operating procedures, security policies, and processes designed to: ensure the safety of all Sonar employees, suppliers, partners, and customers; control the quality of, and maintain the integrity of, all Sonar information systems and services; and provide continuous availability and optimized performance.

Access Controls and Data Governance

Built into the core of Sonar’s platform are module-based user roles and granular access permissions, providing three levels of data governance:

  • User roles - a collection of permissions attributed to a general category of individuals, defining which actions members of that group can perform.
  • Permissions - individual capabilities that can be enabled or disabled within a role; each permission belongs to a module.
  • Modules - each module interacts directly with a portion of your Sonar instance.

Sonar is actively working towards both ISO 27001 and ISO 27003 certification. Our commitment to privacy and security is centred around protecting your data, preventing external threats, empowering your individual rights, and providing the transparency enumerated by the GDPR (General Data Protection Regulation).

Our Shared Security Partnership

Because Sonar connects to technology that you are responsible for maintaining, security becomes a shared responsibility between Sonar and you.

Application Data Shared by Looker

Sonar utilizes a number of first and third-party tools in order to provide and improve the service.

Product usage - A third-party service (Pendo) that gathers data to help us understand customer usage, where our customers perceive the most value, and what areas drive the most impact. This data is analyzed and used to improve the Sonar product.

Configuration backups - A Sonar service that encrypts backups of system configurations, encrypted user and database credentials, and Sonar user settings. For redundancy, configuration backups are stored in multiple cloud providers.

System error reports - A Sonar service that transmits runtime exceptions to Sonar internal systems in order for our technicians to diagnose issues with the product.

Support access - A Sonar service that allows Sonar technicians to troubleshoot problems by permitting authentication into a customer’s Sonar instance.

Email notifications - A Sonar service that transmits emails in order to provide new account welcome emails, forgotten password reset links, etc.

In-app guides and in-product messaging - A third-party service (Pendo) that delivers personalized messages to users to help them more easily use the Sonar product. This service collects basic pseudonymized usage data in order to personalize messages and guides.

NOTE: We regularly review both our internal services and third-party service providers to ensure that the data we collect is aligned with the service’s intent and that the security measures employed meet our high security standards.

Sonar’s Responsibilities

Cloud security - Sonar uses major, well-established, cloud hosting providers to reinforce our security program with additional security and availability operational controls. 

Product security - Sonar is responsible for ensuring that our application code is developed according to industry-wide best practices for software development and is regularly tested for vulnerabilities.

Corporate security - Sonar is responsible for educating and disseminating security best practices throughout the organization, and ensuring that our applications, systems, and networks are securely configured and monitored. 

Your Responsibilities

Cloud Security

You are responsible for configuring secure access between the Sonar application and your database. Sonar can provide recommendations on how to:

  • Enable secure database access using tools like IP whitelisting, SSL/TLS encryption, and SSH tunneling
  • Set up the most locked-down database account permissions for your instance

Product security

You are also responsible for controlling access and permissions for users of your Sonar instance within your company. Sonar recommends:

  • Setting up user authentication using either a native username/password option
  • Setting up the most restrictive user permissions and content access that still allow people to carry out their work, paying special attention to who has admin privileges
  • Setting up any API usage in a secure way
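As an added example (not Sonar's own code), the three-level model described under Access Controls and Data Governance, together with the advice above to keep permissions restrictive and watch who holds admin privileges, can be expressed as a deny-by-default permission check plus an audit of administrative grants. The module and permission names below are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample catalogue (not Sonar's real module or permission names):
# each module owns a set of permissions, and a role enables a subset of them.
MODULES = {
    "accounts": {"view_account", "edit_account", "delete_account"},
    "billing": {"view_invoice", "issue_refund"},
    "system": {"manage_users", "edit_roles"},
}
# Permissions treated as administrative for the least-privilege audit (assumed).
ADMIN_PERMISSIONS = {"delete_account", "issue_refund", "manage_users", "edit_roles"}


@dataclass
class Role:
    """A named collection of enabled permissions; everything else is disabled."""
    name: str
    enabled: frozenset = field(default_factory=frozenset)


def module_of(permission: str) -> str:
    """Return the module a permission belongs to; unknown names are rejected."""
    for module, perms in MODULES.items():
        if permission in perms:
            return module
    raise ValueError(f"unknown permission: {permission}")


def define_role(name: str, permissions) -> Role:
    """Build a role, validating every permission against the module catalogue."""
    for p in permissions:
        module_of(p)
    return Role(name, frozenset(permissions))


def can(role: Role, permission: str) -> bool:
    """Deny by default: only an explicitly enabled permission passes."""
    return permission in role.enabled


def modules_touched(role: Role) -> set:
    """Which portions of the instance a role can reach at all."""
    return {module_of(p) for p in role.enabled}


def admin_audit(assignments: dict, roles: dict) -> dict:
    """Map each user to the administrative permissions their role grants
    (an empty list means the role is non-admin), for periodic review."""
    return {user: sorted(roles[role].enabled & ADMIN_PERMISSIONS)
            for user, role in assignments.items()}
```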

Cloud Security Architecture

Sonar leverages the power and security of Microsoft Azure, DigitalOcean, and Amazon Web Services to keep client data secure, confidential, and private in the cloud. Sonar customers also have the added advantage of Sonar’s own security best practices. Sonar also follows industry best practices for the development and testing of our application, ensuring that our code quality meets our standards before becoming part of a Sonar release.

Cloud Infrastructure

Public cloud facilities - Sonar is managed in public cloud data centers. These facilities implement numerous physical and environmental controls to ensure that our customer data is well protected from possible theft or loss. 

Data security architecture - Sonar follows best practices for security architecture. Proxy servers secure access to the Sonar application by providing a single point to filter attacks through IP blacklisting and connection rate limiting. 

Redundancy - Sonar employs a cloud-based distributed backup framework for Sonar-hosted customer servers. 

Availability and durability - The Looker application can be hosted in a variety of different public cloud data centers worldwide.

Monitoring & Authentication

Access to a customer’s back-end servers - Access to a Sonar-hosted back-end environment requires approval and multiple layers of authentication.

Access to a customer’s Sonar application - Employee access to customer Sonar instances is provided in order to support a customer's needs. Access requires approval and multiple layers of authentication. 

Monitored user access - Access to your Sonar environment is uniquely identified, logged, and monitored. 

Network and application vulnerability scanning - Sonar’s front-end application and back-end infrastructure are scanned for known security vulnerabilities. 

Centralized logging - Logs across the Sonar production environment are collected and stored centrally for monitoring and alerting on possible security events. 

Reputation monitoring/threat intelligence - Collected logs and network activity are checked against commercial threat intelligence feeds for potential risks. 

Anomaly detection - Anomalous activity, like unexpected authentication activity, triggers alarms. 

Data Security Encryption

AES encryption - Locally-stored sensitive application data is encrypted and secured using AES 256-bit encryption. 

TLS encryption - Data in transit is encrypted and secured from the user's browser to the application via TLS 1.2. 

Product security

Code development - Our code is developed using a documented system development lifecycle process.

Peer review and unit testing of code - Our code is peer-reviewed before being committed to the master code branch of the Sonar application. Sonar also performs automated functional and unit tests.

Code quality tests - Sonar utilizes automated tests specifically targeting injection flaws, input validation, and proper CSRF token usage. 

Penetration testing - Sonar completes regular penetration testing to check for exploitable vulnerabilities and to ensure the integrity of our online defenses.

Corporate Security

Personnel & Third Parties

Security organization - Led by our Cybersecurity Engineer, Sonar has established a dedicated information security function responsible for security and data compliance across the organization. 

Policies and procedures - Sonar has implemented a wide range of security policies that are maintained, communicated, and approved by Leadership to ensure everyone clearly knows their security responsibilities. 

Background checks - All new Sonar employees are required to pass a background check.

Security awareness education - All Sonar new hires complete security training as part of their onboarding with the company. Employees receive routine security awareness training and confirm adherence to Sonar security policies. Employees are reminded of security best practices through informal and formal communications.

Incident response

On-call - Sonar’s Security and DevOps team is available 24/7 to respond to security alerts and events. 

Policies and procedures - Sonar maintains a comprehensive and documented Incident Response Plan. 

Incident response training - Sonar employees are trained on security incident response processes, including communication channels and escalation paths.
