Fivetran, SOC2 Type 2 and you

An in-depth discussion of Fivetran’s SOC 2 Type 2 compliance and Powered By Fivetran (PBF).
September 16, 2021

The following is a guest post by Josh Hall, Full Stack Analytics Engineer at Untitled, a systems integrator that regularly uses Fivetran to solve their clients' problems. Learn more here.

As the modern data stack (MDS) and cloud technologies more generally grow in popularity, privacy and security regarding cloud tools is also a growing concern. Traditionally, data teams owned the configuration and security protocols surrounding their data processes, giving full assurance that they were in compliance with the necessary standards. Data teams using cloud technologies have much less ability to configure all of the security settings of the tools being used in the MDS, and have to rely on tool providers to secure their products.

However, not all MDS tool providers care about security as much as others. Fivetran commits to security and keeps your data safe by adhering to industry leading standards.

Fivetran security & SOC 2 Type 2 overview

Fivetran is designed holistically to guarantee security across the entire product by leveraging established standards and protocols to assure premier security controls. By incorporating these rigorous controls, Fivetran commits to providing a robust and secure platform that gives customers peace of mind about the security of their data. This enables customers to focus on core business activities and not security.

Fivetran commits to maintaining compliance with industry security standards in order to ensure the privacy of customers' data. Among these standards are ISO 27001, PCI DSS, EU 94/95 privacy rules, GDPR, and most notably, SOC 2 Type 2.

So, what is SOC 2, and what does Type 2 mean? At a high level, SOC 2 is an audit procedure performed by a third party that verifies that the organization is securely managing the data it handles in order to protect the privacy of customers or clients. These audits apply to any type of technology service provider or SaaS company that handles or stores customer data. Type 2 refers to the length of time over which the audit was conducted. Specifically, Type 2 audits are performed to provide evidence of sustained security controls at the organization over a minimum six-month period of time. On the other hand, a Type 1 report performs the same type of audit but only in reference to a specific point in time. SOC 2 compliance is critical to ensuring that your data is being handled in a verifiably secure manner by a cloud technology provider or MDS tool.

For Fivetran, SOC 2 compliance means that customers can be assured that the proper security safeguards are in place for the infrastructure, tools, and processes that handle and store data. This starts with the principle of least privilege within the Fivetran system. This means that a system or user only has access to the necessary privileges to complete a task and nothing more. This prevents systems from allowing a broad range of access that could pose a security threat or expose sensitive data if the wrong person gained access.

Fivetran also ensures that data is encrypted at rest and while in motion. In other words, if data is obtained by an unauthorized party, it will be unintelligible. On top of this, Fivetran prevents accidental exposure by deleting data that passes through a pipeline after it arrives at its destination. Each connector only keeps the information necessary to continue providing and maintaining each pipeline. An example of this is the metadata regarding configuration details about columns and tables for a specific Fivetran connector.

Fivetran ensures security by never storing customer data that isn’t needed, removing data after handling, and in the process of handling data, protecting it in every way possible. Through this process, Fivetran leads the industry in data integration platform security and meets all your data security requirements through continued compliance with industry standards.

Security with Powered by Fivetran (PBF)

If you haven’t heard, Fivetran offers an incredibly robust solution called Powered by Fivetran (PBF). This solution aims to reduce time for building analytics products by seamlessly allowing end users to authenticate their credentials directly in Fivetran. This puts the power of 150+ connectors into the hands of your customers without your company ever having to store or touch the credentials.

How can PBF be as secure as the standard Fivetran offering if users are authenticating credentials on their own? The actual data pipelining process is not different from the standard Fivetran solution. Data is obtained from the source and encrypted. It passes through a secure pipeline and is pushed through to a destination where it is encrypted at rest. The data that passed through the pipeline is then deleted, thus removing the concern of accidental exposure.

The major difference between the standard Fivetran offering and PBF is that users authenticate their own credentials, but those credentials are NOT stored within your company or the Fivetran account. Instead, Fivetran uses a secure HTTPS connection to handle the authentication process.

HTTPS is the primary protocol used to encrypt data sent from a web browser over the internet. When a user authenticates their credentials through PBF, Fivetran encrypts the credentials and then, instead of storing them in the Fivetran account where the connector will exist, stores them in its internal system. This keeps the credentials stored within a SOC 2 compliant provider and keeps them from being accessed by the Fivetran account where the credentials were authenticated.

In summary: focus on analysis, let us handle security

Many organizations are hesitant to migrate to cloud-based technology. While the concerns may be legitimate, understanding the compliance standards of the tools and resources being considered can put to rest many of those concerns. SOC 2 is an industry standard - when the Untitled team rapidly deploys a modern data stack for a customer, we always consider providers who meet these compliance standards. That’s why we always choose Fivetran or PBF. Fivetran makes it easy not only to integrate your data sources, but also to know that your data is being handled in a safe and compliant manner.

When you’re ready to stop configuring Fivetran connectors and ready to focus on building better data products, let your customers authenticate pipelines for you by leveraging Powered by Fivetran. To learn more about PBF, visit the PBF home page. To view Fivetran's security whitepaper detailing their commitment to security, visit their resources page.
