Grafana Labs k6 Security Policy

Last updated February 10, 2022.

  1. Introduction. Grafana Labs will maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Data and Personal Data, including, but not limited to, measures designed to prevent unauthorized access to or disclosure of Customer Data or Personal Data.

  2. Customer Data and Management. Grafana Labs limits its personnel’s access to Personal Data and Customer Data as follows:

2.1. Requires unique user access authorization through secure logins and passwords, including multi-factor authentication for cloud infrastructure administrator access and individually-assigned Secure Socket Shell (SSH) keys for external engineer access;

2.2. Limits the Personal Data and Customer Data available to Grafana Labs personnel on a “need to know” basis;

2.3. Restricts access to Grafana Labs’s production environment by Grafana Labs personnel on the basis of business need;

2.4. Encrypts user security credentials for production access; and

  3. Data Encryption. Grafana Labs provides industry-standard encryption for Personal Data and Customer Data in transit.

  4. Network Security, Physical Security and Environmental Control

4.1. Grafana Labs uses firewalls, network access controls and other techniques designed to prevent unauthorized access to systems processing Personal Data and Customer Data.

4.2. Grafana Labs maintains measures designed to assess, test and apply security patches to all relevant systems and applications used to provide the Services.

4.3. The Services operate on Amazon Web Services (“AWS”) and are protected by the security and environmental controls of Amazon. Detailed information about AWS security is available at https://aws.amazon.com/security/ and http://aws.amazon.com/security/sharing-the-security-responsibility/. For AWS SOC Reports, please see https://aws.amazon.com/compliance/soc-faqs/.

  5. Incident Response. Grafana Labs will notify Customer without undue delay after detecting a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Grafana Labs (any such incident, a “Security Breach”). Grafana Labs shall make reasonable efforts to identify the cause of such Security Breach and take those steps as Grafana Labs deems necessary and reasonable in order to remediate the cause of such a Security Breach to the extent the remediation is within Grafana Labs’s reasonable control. The obligations herein shall not apply to a Security Breach caused by Customer or its Users.

  6. Business Continuity Management

6.1. Grafana Labs maintains an appropriate business continuity and disaster recovery plan.

6.2. Grafana Labs maintains processes to ensure failover redundancy with its systems, networks and data storage.

  7. Personnel Management

7.1. Grafana Labs provides training for its personnel who are involved in the processing of the Personal Data and Customer Data to ensure they do not collect, process or use Personal Data or Customer Data without authorization and that they keep Personal Data and Customer Data confidential, including following the termination of any role involving the Personal Data or Customer Data.

7.2. Upon employee termination, whether voluntary or involuntary, Grafana Labs immediately disables all access to Grafana Labs systems, including Grafana Labs’s physical facilities.