Trust Center FAQ
Does Elastic use its own products?
Elastic is an enthusiastic customer zero for all of our solutions — particularly Elastic Security. We’re committed to providing you with products and services that have been tested in a real production environment before they’re distributed broadly. We use our products everywhere we can — and for more than just logs. Elastic’s InfoSec team uses Elasticsearch Platform features to create, monitor, detect, and respond to security events daily.
Does Elastic have an information security management system?
Elastic formally adopted an information security management system (ISMS) that’s certified on ISO 27001 — including ISO 27017 and ISO 27018. Our Information Security Governance Policy serves as the backbone for all information security policies, standards, and guidelines. Our ISMS includes comprehensive appropriate technical and organizational measures designed to protect your cluster data against unauthorized access, modification, or deletion.
What logical controls are in place to protect customer data?
We have established access controls to authenticate the identity of individuals accessing systems that process our customer's cluster data. We designed these controls to help ensure that unauthorized users don’t gain access to such systems, and that authorized individuals gain access only to what’s appropriate for their role. Such controls include, but aren’t limited to, multi-factor authentication, password strength standards, and virtual private networks (VPN) for administrative access. We've also implemented centralized logging, including proxy logs, access logs, Elasticsearch logs, and Auditbeat logs, to record access to customer cluster data and the systems on which it resides.
What physical and environmental controls are in place to protect customer data?
Elastic Cloud search-powered solutions are hosted on certified cloud platforms managed by industry-leading infrastructure-as-a-service (IaaS) providers, including Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. Elastic reviews the security certifications and practices of our sub-processors to ensure that there are appropriate physical security measures in force at the premises where Elastic Cloud data will be processed and stored.
Where does Elastic publicly publish vulnerabilities affecting our products?
An Elastic Security Advisory (ESA) is a notice from Elastic to its users informing them of security issues with Elastic products. Elastic assigns both a CVE and an ESA identifier to each advisory and provides a summary and remediation and mitigation details. We announce all new advisories in the Security Announcements forum, and you can track them via an RSS feed.
How can the security community report potential product vulnerabilities to Elastic?
Elastic appreciates our partnership with the security community and shares the goal of keeping our users — and the internet— safe. Please report potential security vulnerabilities affecting any of Elastic's products, the Elastic Cloud Service, or the elastic.co website via our HackerOne bug bounty program. For detailed scope and rules of engagement, please refer to our HackerOne program policy.
Under the principles of Coordinated Vulnerability Disclosure, Elastic analyzes potential security vulnerabilities to identify any recommended mitigations or product updates and coordinates disclosures via Elastic Security Advisories (ESA) and the CVE program. Please don’t post or share any information about potential vulnerabilities in any public forum until we’ve researched and responded to the issue.
How can I report a potential security concern?
Users and customers may report any other potential security issues to firstname.lastname@example.org. You can use this address for security-related product inquiries or requests about other security topics that aren’t explicitly mentioned here. (We can accept only security issues at this address.) You should direct bug reports to the bug database of the corresponding project or to Elastic Support. If you’d like to encrypt your message to us, please use our PGP key. The fingerprint is:
1224 D1A5 72A7 3755 B61A 377B 14D6 5EE0 D2AE 61D2
The key is available via keyservers. Search for 'email@example.com'. Example on OpenPGP
How can customers protect their Elastic accounts?
At Elastic, we know that security is everyone's responsibility. That's why we bake security into product development and into the foundation of Elastic Cloud.
The security and privacy of your Elastic Cloud data also relies on you keeping your Elasticsearch cluster configured securely and maintaining the confidentiality of your Elastic Cloud login credentials.
Here's a quick checklist to help:
- Don't share your credentials with others.
- Update your account profile to make sure the information is correct and current.
- Add operational contacts as appropriate.
- Ensure that you've set secure passwords.
- Use caution when enabling custom plugins on your Elastic Cloud deployments.
- Consider setting the option to require index names when initiating destructive actions.
If you need to make changes that aren’t available in the Elastic Cloud console, please create an Elastic Support case. If you believe an account was compromised, email firstname.lastname@example.org. And if you need to make an erasure request, contact Elastic’s Data Privacy team here.
Is Elastic Cloud data encrypted at rest and in transit?
Yes, the data is encrypted at rest through AES-256 and in transit via TLS 1.2.
How does Elastic review its third-party vendors?
We carefully assess each of our vendors to ensure they meet Elastic’s security and compliance standards. Elastic partners with major IaaS providers to deliver the Elastic Cloud. Each regularly undergoes independent third-party audits, including SOC 2 audit and ISO 27001 certification at a minimum, to demonstrate the security of their services. We then review these audit reports and certifications as part of our third-party risk management program.
Elastic also reviews third-party code and publishes listings of Elastic products’ third-party, open-source dependencies.
Are penetration tests performed against the product?
Third parties perform application and network penetration tests against Elastic Cloud annually at a minimum. Please work with your account representative or contact the Elastic security team for a copy of the test executive summary.
Do you have a software development framework?
We maintain a secure software development framework (SSDF) based on NIST 800-218 and follow security best practices in design and architecture to produce software that is “secure by design” and “secure by default.” Our SSDF guides the process to securely design, develop, deploy, track, and maintain all Elastic software. It also includes requirements to protect our build systems and mitigate the risks of build chain compromise.
How can I perform tests against Elastic products?
We understand that your data is invaluable and may be subject to many privacy laws and regulations. Take a look at our data privacy FAQs to learn how Elastic prioritizes and approaches privacy.
Who owns the data that customers put into Elastic Cloud?
The data that you entrust with us remains yours. We only use your data for the purposes specified in your agreement, such as delivering you the service for which you pay. We implement stringent security measures to safeguard your data and provide you with tools and features to control your data on your terms.
How does Elastic use customer data in Elastic Cloud?
We process your Elastic Cloud data to fulfill our contractual obligation to deliver our services.
- Customer data is your data. We only process your data according to your agreement.
- We never sell your data to third parties.
- We’re committed to transparency, compliance with regulations including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and privacy best practices.
- Prioritizing your privacy means protecting the data you trust us with. Security and privacy are primary design criteria for all of our products.
How can I be sure customer data in Elastic Cloud is secure?
We understand our significant responsibility to deliver leading search experiences while protecting your data, and we work diligently to earn your trust. From board oversight and executive governance at the top of the organization to how we onboard and continuously train every Elastician, security is critical in everything we do. We’ve obtained an extensive suite of industry-leading compliance audits and certifications for the Elastic Cloud service and our Information Security Management System (ISMS). These audits and certifications prove that effective security practices are inherent in all of our activities, including product development and deployment, vulnerability management, incident management, and threat-handling processes.
Where does Elastic store customer data in Elastic Cloud?
Can Elastic access customer data?
Elastic doesn’t have access to the data within your self-managed deployments. To provide our Elastic Cloud offering, a limited number of Elastic employees have privileged access to our production environment. We maintain this access solely for platform management, maintenance, and support purposes.
Elastic adheres to the principle of least privilege when provisioning access to internal users. Elastic employees are only granted the level of access that’s necessary for their job roles. We regularly review access rights and modify permissions in the event of a job change or other circumstances where a user’s access is no longer needed.
Our Information Security Threat Detection and Response team has also developed and implemented detections for suspicious internal account activity and unauthorized access, including file integrity monitoring and account takeover indicators. These detections are part of automated workflows that alert the Threat Detection and Response team about suspicious activity and trigger analyst investigation.
Elastic products also feature role-based access controls to enable our customers to implement fine-grained access management for users within their Elastic deployments and the Elastic Cloud management platform.
Is customer data transferred to sub-processors?
Yes, we use certain infrastructure and customer support sub-processors to provide services to our customers. The sub-processors relevant to you will ultimately depend on which data center location, services, and functionalities you choose to use. (View lists of our external or internal subprocessors.)
When we transfer your data across national borders, we do so in compliance with applicable law. We’ve implemented appropriate safeguards to help protect your data whenever it’s processed by our sub-processors, including entering into data processing agreements and approved transfer mechanisms (such as the SCCs) as well as implementing supplementary measures. We have robust processes to review the privacy and security controls for all sub-processors that have access to customer personal data.
Can I use Elastic Cloud in compliance with GDPR?
Elastic Cloud features support compliance with GDPR and other global data protection laws:
- We prioritize the security of your personal data through effective default technical and organizational measures, which undergo regular testing and validation.
- We offer a GDPR-compliant Data Processing Addendum, helping you to fulfill your GDPR contractual obligations.
- You have control over which Cloud Service Provider will host your data stored in Elastic Cloud, and the ability to select your Elastic Cloud deployment region.
- We offer comprehensive resources to help you adhere to the specific requirements relevant to your processing activities. For more information on how to ensure your Elastic deployments are GDPR compliant, visit https://www.elastic.co/gdpr.
In addition to these features, Elastic maintains dedicated privacy and security teams. These teams oversee our compliance with GDPR and other applicable privacy laws while processing personal data on behalf of our customers.
How does Elastic legalize transfers of customer personal data in Elastic Cloud outside of the EEA, Switzerland, and the UK?
Elastic is a global company and we may transfer data originating from the EEA, Switzerland, or the UK to Elastic's non-European affiliates, as well as to those third-party organizations that are necessary to provide our services. (You can find these locations in the section regarding sub-processors above.) In such cases, we rely on the SCCs, including the controller-processor or processor-processor module (as applicable) with our customers and the processor-processor module with our sub-processors, in addition to robust supplementary measures.
How does Elastic protect customer personal data in Elastic Cloud after Schrems II?
We’re dedicated to helping you ensure compliance with global laws and regulations. In light of the European Data Protection Board's (EDPB) guidance following the Schrems II ruling, we have thoroughly examined our practices to ensure international data transfers meet data protection requirements:
- Elastic’s data transfers don’t fall within the typical focus of US surveillance law and, to date, we have never received requests from public authorities for customer data, including under laws like FISA, EO12333, or the CLOUD Act.
- If we were to receive a request from a public authority for customer data, we have policies and processes for managing those requests which include protocols for challenging the request, notifying relevant parties, and seeking waivers from prohibitions on notification.
- We provide robust supplementary measures to protect your data which include data encryption both during transit and at rest to ensure the confidentiality and integrity of your data throughout its journey.
- Elastic Cloud customers have the option to select EU servers for hosting to best meet their data sovereignty needs. Backups are also configured in the same region you select for your deployment.
- The Standard Contractual Clauses can be utilized to safeguard data transfers. This includes situations where customers opt for US hosting or engage with our US entity, and for transfers from Elastic to our sub-processors.
- We continually assess and develop our contractual, technical, and organizational safeguards to protect data transfers.
What supplementary measures does Elastic have in place for Elastic Cloud?
We offer several supplementary measures to ensure that your data remains protected in Elastic Cloud. We’re committed to limiting the processing of customer data as much as is feasible in the provision of our services. We’ve built processes, organizational structures, and technical measures throughout our company to ensure we meet — or exceed — global privacy principles.
Elastic contractually commits to appropriate data protection and privacy measures under our Data Processing Addendum, which includes the SCCs, and our Information Security Addendum. We regularly review and update our Data Processing Addendum to reflect applicable data privacy requirements, including the following provisions:
- Processing of personal data is only carried out on your instructions.
- We only host your data in the region that you select.
- All personnel authorized to process personal data are subject to stringent confidentiality policies, procedures, and agreements.
- You may retrieve, correct, or delete any personal data that you upload to Elastic Cloud at any time.
- We’ll notify you in the event that we receive a disclosure request for your data, unless legally prohibited.
- Our sub-processors are subject to the same stringent standards and organizational requirements. We’re liable for the acts and omissions of our sub-processors to the same extent as if we performed the services ourselves.
We design our products to help you protect your organization’s data, comply with global regulations, and cultivate trust. We implement industry-leading security standards:
- Encryption on transfer and at rest: Elastic implements encryption key management procedures and encrypts customer data in transit and at rest using a minimum of AES-128 bit ciphers.
- Regular system updates and patches: To help reduce the likelihood of vulnerability-related incidents, Elasticsearch instances are deployed based on the latest operating system kernels, subject to appropriate patches whenever a Common Vulnerability and Exposure is discovered in any component software.
- Use of industry-leading service providers: Elastic's services are hosted on data centers maintained by industry-leading service providers, which offer state-of-the-art technical and organizational security measures designed to protect the data they host.
- Access controls: Elastic maintains technical, logical, and administrative controls designed to limit access to data to authorized users, including multi-factor authentication processes. Additionally, Elastic implements centralized logging, including proxy logs, access logs, Elasticsearch logs, and Auditbeat logs, to record access to customer data and the systems on which it resides.
We’ve implemented robust organizational structures company-wide, demonstrating our unwavering commitment to meeting and exceeding global privacy principles:
- Security and privacy programs: We maintain comprehensive information security and data privacy programs that include appropriate measures designed to protect your data.
- Public Authority Access Request Policy: We have policies and processes for managing any requests for access to personal data made by public authorities, which include protocols for challenging such requests, notifying relevant parties, and seeking waivers from prohibitions on notification.
- Other internal policies: We maintain internal policies governing the use of and access to personal data, which ensure the proper management of data breaches, data subject access requests, data retention, and access control policies.
- Industry standards: Elastic has formally adopted an Information Security Program that’s compliant with ISO 27001, including ISO 27017 and ISO 27018. Our Elastic Information Security Governance Policy serves as the backbone for all information security policies, standards, and guidelines. And an independent third party has audited and certified Elastic Cloud services under SOC 2 Type 2.
- Regular testing: We undertake periodic network and application vulnerability testing and implement procedures to document and address vulnerabilities discovered during vulnerability and penetration tests.
- Employee training: We require all employees to complete information security and data protection training upon hire and then once a year at a minimum.
Does Elastic publish a transparency report?
As noted above, Elastic has never received a request from a public authority to disclose customer data. If we ever receive such a request, we’ll begin publishing transparency reports.
How can I obtain further information on Elastic’s data collection practices?
For more information on how Elastic collects and uses personal data, please refer to our privacy notices below:
We’re committed to adhering to global privacy regulations, including GDPR and CCPA. To submit a data subject request, contact Elastic’s Data Privacy team here.
Which compliance frameworks is Elastic compliant with?
Elastic Cloud is compliant with ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II, CSA CCM 4.0, PCI-DSS, HIPAA, and other industry frameworks, like TISAX. To learn more, navigate to our Compliance page.
Do you have a corporate ethics and compliance program?
We're committed to the highest ethical standards and are dedicated to complying with all applicable laws and safeguarding all data entrusted to us. Please visit our Ethics and Corporate Compliance page for additional details, including our Code of Business Conduct and Ethics, Vendor Code of Conduct, and Whistleblowing policies.
Are Elastic products subject to export limitations?
Elastic is a technology company, and we’re committed to conducting our business with honesty and integrity and in full compliance with US laws and regulations that restrict exports and govern international business activities, including trade sanctions, export control, and boycott laws and regulations. Our clients and prospects often ask for the ECCN assigned to our products. In general, all our paid products are classified under ECCN 5D002.c.1 and eligible for exports under License Exception ENC according to Section 740.17 (b)(1) of the Export Administration Regulations.
A current, detailed list of product ECCNs is available here. This information may change as we develop new products or add new features so always refer to the latest ECCN chart published by Elastic. We also encourage you to consult your export counsel to determine how this information affects your export transactions or use of Elastic products.
Where is Elastic Cloud available?
Elastic Cloud is available across major cloud service providers globally. Spin up deployments on Elastic Cloud in any of the regions we support across Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Check out our most current listing here.
Where can I see current and historical Elastic Cloud uptime?
Please visit the Elastic Cloud Status page to view uptime information.