Corporate information security policies and procedures #

Starburst takes many steps to ensure your data is safe with us.

Roles and responsibilities #

The information security team at Starburst is responsible for implementing and maintaining organization-wide information security policies, remediating security incidents, and managing risk at an appropriate level for the Starburst organization. The team reports directly to the Vice President of Engineering.

Privacy policy #

Starburst is committed to protecting the privacy of individuals who visit Starburst sites and individuals and companies that register to use or purchase our software or services.

Under certain circumstances, you have rights under international regulations and data protection laws in relation to your personal data. Contact us to exercise any of your rights.

Details are available in our privacy policy.

Terms of service and license agreements #

The following terms of service and end user license agreement (EULA) documents are available:

Compliance - System and Organization Controls (SOC) 2 Type 1 #

Risk management #

Starburst conducts annual risk assessments and manages a risk register, which is reviewed regularly. A risk management program is in place to identify and prioritize risks, and ensure appropriate application of resources to minimize any negative impact.

Change management and change control #

Starburst applies a systematic approach to managing change so that changes to services impacting Starburst and our customers are reviewed, tested, approved, and well communicated. Change management processes are in place to ensure changes are tailored to the specifics of each environment. The goal of Starburst’s change management processes is to prevent unintended service and business disruptions and to maintain the integrity of services provided to customers. All changes deployed to production undergo a review, testing, and approval process.

Incident response #

Starburst requires the identification of and response to suspected or known security incidents; mitigation, to the extent practical, of harmful effects from security incidents that are known or suspected; and documentation of these incidents and their outcomes.

An incident response program is in place and roles and responsibilities are defined for all functions to ensure impact is minimal and cost and downtime is limited to the furthest extent possible. Regular tabletop exercises are conducted.

Access control #

Access to confidential data is granted on a need-to-know basis, and only the minimum level of access required to satisfy business needs is granted.

Malware management and antivirus #

Crowdstrike is utilized to protect Starburst hardware from legitimate and potential intrusion attempts. The Starburst IT group manages the Crowdstrike tool, and ensures updates are pushed regularly, to minimize malware risk.

Multi-factor authentication and remote access #

Okta is used as our single sign-on provider for all business applications that support SAML. This allows us to enforce Starburst’s password policy for all of our business applications and two-factor-authentication when logging into Okta and Okta-managed applications.

Security awareness #

Information security training is delivered to all employees during their employment at Starburst upon hire and at least annually thereafter.

Vendor management #

Starburst requires that all vendors are assessed for their overall security posture.

Vulnerability reporting and disclosure #

If you believe you have discovered a vulnerability in a Starburst product, or have a security incident to report, contact us.

Once we have received a vulnerability report, Starburst takes a series of steps to address the issue:

  • Starburst requests the reporter keep any communication regarding the vulnerability confidential.
  • Starburst investigates and verifies the vulnerability.
  • Starburst addresses the vulnerability and releases an update or patch to the software. If for some reason this cannot be done quickly or at all, Starburst provides information on recommended mitigations.
  • Starburst publicly announces the vulnerability in the release notes of the update. Release notes can include a reference to the person/people who reported the vulnerability, unless the reporter(s) prefers to stay anonymous.
  • Starburst endeavors to keep the reporter apprised of every step in this process as it occurs.

We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and services, and better protect our customers.

All information provided is taken into account in our software development, security, and vulnerability management processes.