Security & Privacy
Trust
Since inception, protecting the security and privacy of customer data has been a top priority for ThousandEyes. Our customers trust us to collect and store information about the performance of the networks and applications they use. Depending on the deployment scenario and specific customer use cases, this could include information from the Internet that constitutes public domain knowledge and/or information from private enterprise networks. As such, we treat all data collected as highly sensitive and have implemented a management system to ensure its confidentiality, integrity, availability, and privacy.
We start with a solid management foundation through adoption of the widely recognized and respected ISO/IEC 27001 standard for our information security management system. Our privacy information management system is based on and certified by ISO 27701.
Jointly, these frameworks form the ThousandEyes Unified Security and Privacy Management Framework (USPMF), which is supported by strict policies, standards, technologies and processes. We continually improve our USPMF by implementing additional technical and organizational controls to ensure customer data is always protected with best current practices.
As a cloud service provider, ThousandEyes shares the responsibility for security and privacy with its customers. Review the information below to understand your role in the implementation of security controls and operational activities.
Bug Bounty Program
ThousandEyes is committed to providing strong levels of security assurance for our customers, partners, and community. The Cisco ThousandEyes vulnerability rewards program is part of our overall security strategy, encouraging external researchers to collaborate with our security team to help keep our platform safe.
If you believe you have discovered a vulnerability in one of ThousandEyes’ products, services, websites, or other infrastructure, or if you want to report a suspected abuse issue, please submit your finding to bugcrowd.com/thousandeyes-og. Upon receipt of your inquiry, Bugcrowd will work with the ThousandEyes security team to triage and respond to your request. We ask for your cooperation on any disclosure surrounding the issue and that you work responsibly with us to protect our customers, partners, and community.
Information Security
Organization of Information Security
The Information Security organization at ThousandEyes is headed by the Chief Information Security Officer. His team oversees all aspects of data protection: business, physical, and technical security and privacy. This also includes audit and compliance, as well as overall risk management.
Human Resources Security
We believe information security starts with people and it's not enough to merely secure physical systems. Hence, we invest in security awareness and training for all our employees so that they are equipped with the knowledge to support our security and privacy management systems from day one.
Asset and Risk Management
All information is classified in terms of its confidentiality within a three-level data classification scheme, and we require specific security controls to be implemented accordingly. Risk assessments are required to be performed on each critical information asset to verify if existing controls meet defined criteria. All customer information is classified as confidential by default and as a result, will always require the highest level of protection.
Access Control
Access to information is granted on a need-to-know basis and controlled through a managed process that addresses authorization for new access, timely access revocation when required, and periodic review of access lists to critical information.
Cryptography
All crypto controls at ThousandEyes adhere to international legal regulations and restrictions and require strong key management procedures.
Physical and Environmental Security
Both data centers and office spaces are equipped with access control and video surveillance systems, with 24x7 security onsite. To be accepted by ThousandEyes, data centers must meet Tier III requirements.
Operations Security
All networks, systems and applications are securely configured, implemented and backed up to ensure that they operate as intended. Anti-malware is deployed on all critical customer-facing systems.
Communications Security
All communication resources at ThousandEyes are used in a manner that is consistent with our ethical and business principles, and we have implemented relevant controls such as the use of cryptography for sensitive data transmission.
System Acquisition, Development and Maintenance
Examples of our controls include penetration testing and code review as vital steps in the approval process. Furthermore, our secure software development lifecycle design and deployment methodologies are continually being enhanced to keep up with current best practices and stay ahead of the latest threats.
Third Party Services
When contracted third parties act on our behalf, we require them to meet the same rigorous standards of security and privacy as we meet internally. This due diligence is completed as part of our vendor risk management process, which entails a comprehensive security review of the third-party organization as well as their service offering or product.
Security Monitoring and Incident Management
We constantly monitor our network, systems and applications to detect various types of events. Unsurprisingly, our own cloud monitoring solution monitors itself and other components of our technology infrastructure. When a critical event is registered, our incident response plan immediately kicks in.
Privacy
The Cisco Online Privacy Statement and this summary apply to Cisco's websites and our affiliates' websites that link to the Statement.
Cisco respects and is committed to protecting personal information. Our Privacy Statement reflects current global principles and standards on handling personal information – transparency, fairness, and accountability. Below are some of the highlights of the Cisco Online Privacy Statement. Note, more specific information on how Cisco processes personal information may be found in Privacy Data Sheets, offer descriptions, or other notices provided prior to or at the time of data collection.
Personal information
We collect personal information for a variety of reasons, such as processing your order, provisioning websites and Solutions and enabling their functionality, providing you with a newsletter subscription, sending business and marketing communications, personalizing your experience, or managing job applications.
We will inform you of the purpose for collecting personal information when we collect it from you and keep it to fulfill the purposes for which it was collected or as required by applicable laws or for legitimate purposes.
We may combine the information we collect from you with information obtained from other sources to help us improve its overall accuracy and completeness, and to help us improve and better tailor our interactions and performance with you.
We may also collect information relating to your use of our websites and web-based Solutions through the use of various technologies, including cookies.
Notice and your choices of data use
We will use your personal information for the purpose for which it was collected and will not use it for a different purpose without first asking for your permission or having a legal basis for the use.
We will ask your permission before we share your personal information with third parties for any purpose other than the reason you provided it or as otherwise stated in our Online Privacy Statement.
For more information on your choices about how Cisco may process your personal information or regarding our use of cookies or other web technologies, see our full Online Privacy Statement.
Data access and integrity
To update your personal information and communication preferences, click here or visit the specific product or service web site.
Data security
We are committed to protecting your personal information against unauthorized use or disclosure.
Onward transfer
As a global company, we may transfer your personal information to Cisco in the United States, to any Cisco subsidiary worldwide or to third parties acting on our behalf located outside of the country where the data is collected where data protection standards may be different.
We do not transfer your personal information to third parties unless those third parties promise to give the information at least the equivalent level of protection that we provide.
Important information
Our personal data protection and privacy policies and practices are designed to comply with applicable laws around the world and to earn and maintain your trust in Cisco.
Cisco is certified under the APEC Cross Border Privacy Rules system and Privacy Recognition for Processors regarding personal data handling and transfers to/from the APEC member economies. For more information on the scope of our participation, or to submit a privacy inquiry through BBB National Programs, our Accountability Agent, please click on the official seal below:
Cisco’s Binding Corporate Rules – Controller (BCR-C) provide that transfers made by Cisco as a controller worldwide of European personal information benefit from adequate safeguards.
Cisco is also certified and adheres to the EU-US and Swiss-US Privacy Shield frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and processing of personal data from the EU/EEA, the UK, and Switzerland.
Should you have questions, comments or concerns related to this Privacy Statement or the treatment of your personal information, please click here.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge).
References
To find out more about our privacy practices, see the full version of the Cisco Online Privacy Statement.
Last updated: December 1, 2021
Compliance
There are a number of laws and regulations that ThousandEyes and our employees comply with:
We have implemented a two-step approach to compliance. First, we ensure that all external and internal requirements are embedded within our policies and supported by underlying standards, technologies and processes. Second, through internal risk assessments and audits, we regularly test to ensure that all security controls are implemented properly and operating effectively.
We use an independent third party to perform AT Section 101 attestation that produces a SOC2 Type II report for the Security principle covering a 12-month period. Also, the Information Security Management System supporting our network performance management software-as-a-service application received ISO/IEC 27001:2013 and ISO/IEC 27018:2019 certificates from an independent certification body. In addition, our Privacy Information Management System supporting our network performance management software-as-a-service application has received the ISO/IEC 27701:2019 certificate from an independent certification body. Finally, an independent third party performs a yearly enterprise risk assessment on our critical information resources.
ThousandEyes is a corporate member of Cloud Security Alliance, where we share information and collaborate with other industry leading companies in order to maintain the highest level of security best practices. ThousandEyes is also a member of the Center for Internet Security, a forward-thinking non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats.