rough-intern-34947 01/31/2022, 9:15 AM
Hello, We are currently qualifying Pulumi as our Infrastructure management tool, but we have some information security concerns that we'd like to clear up. Our product is classified as a *Medical device* and therefore needs to conform to a high security standard, especially regarding PII. We saw this section on your website, and we would like to have a bit more information about it:

> The Pulumi Service is reliable, secure, and has undergone multiple audits, including SOC2 and professional pen-testing. Because of the client/server division of responsibilities — notably that the server doesn't have direct access to your cloud credentials, runtime data, or PII — the Pulumi Service has been used in organizations with advanced compliance needs, including PCI, ISO 27001, HIPAA, and more. If you'd like to discuss any of these topics, please contact us.

(copied from <https://www.pulumi.com/docs/intro/concepts/state/>)

The T&C (<https://www.pulumi.com/terms-and-conditions/>) and PP (<https://www.pulumi.com/privacy/>) pages on your website didn't provide enough information, so we would just like to clear some things up:

1. Can you provide any evidence about information security? What do you have in place to make sure our data is safe? There is no written policy on the website.
2. Can you provide more details about your SOC2 certification?
3. Exactly what kind of data does Pulumi have access to? Be very specific please.
4. What is the operational impact of Pulumi being unavailable?

Our product currently operates in the EU, and it will be available in the US, as well as globally. These are the standards we currently implement (and possibly there will be more):

- ISO 13485
- ISO/IEC 27001
- NEN 7510

Thanks in advance, SkinVision Team
great-sunset-3550 01/31/2022, 9:21 AM
rough-intern-34947 01/31/2022, 9:24 AM
great-sunset-3550 01/31/2022, 9:30 AM
for these questions
rough-intern-34947 01/31/2022, 9:33 AM
as well, thanks! I’ll post their response here
witty-candle-66007 01/31/2022, 2:58 PM
and will follow up.
rough-intern-34947 01/31/2022, 2:59 PM
1. Exactly what kind of data does Pulumi have access to? Pulumi stores metadata about your infrastructure so that it can manage your cloud resources. This metadata is called state. Pulumi state does not include your cloud credentials. Credentials are kept local to your client — wherever the CLI runs — even when using the managed Pulumi Service backend. Pulumi does store configuration and secrets, but encrypts those secrets using your chosen encryption provider.
2. Can you provide any evidence about information security? I have attached a copy of a white paper that provides additional detail on the security of our SaaS.
3. Can you provide more details about your SOC2 certification? The Pulumi SaaS is SOC II Type 2 certified; the entire report can be shared under NDA.
4. No provision on confidentiality is in the regular T&C, only in the Professional Services Agreement. Will the Professional Services Agreement be applicable to us? Unless we enter into a professional services engagement this is not usually
5. Is it stated somewhere in the terms that we will be informed in case of changes to the general terms and conditions or use of product/services? This is covered in Section 14 of the terms & conditions <https://www.pulumi.com/terms-and-conditions/>
6. What is the operational impact of Pulumi being unavailable? Would we be unable to still do deployment? In the event that you lose access to the Pulumi service you would be unable to access the Pulumi console or to access changes made by other users. You would still be able to make changes to your cloud infrastructure by accessing them directly.