Security FAQs
Check out Explo’s Security Trust Center page to get access to our compliance certification reports.
Is data encrypted at rest?
Yes, data is encrypted at rest with AES-256, block-level storage encryption. Amazon manages the keys and individual volume keys are stable for the lifetime of the volume. More information can be found here.
Heroku doesn’t encrypt data at the Postgres level. Sensitive fields, like passwords, are encrypted at the Postgres level by our application using 256 bit + 390k stretch key lengths.
If data is ever sent to S3 for exports, the files are short-lived and encrypted in S3. There is a 7-day object expiration rule applied to the entire S3 bucket.
Is data encrypted in transit?
Yes, the data is encrypted in transit with Mutual TLS or mTLS. Heroku uses mTLS to create a secure and mutually authenticated channel between an external resource and our Heroku Postgres database. More information can be found here.
Heroku uses TLS 1.2 or 1.3, more information can be found here.
How is unauthorized access to code repositories and cloud hosting platforms prevented?
- These platforms can only by accessed by authorized Explo employees.
- Only Explo administrators can add additional employees to these platforms.
- All accounts added to our code repositories and cloud hosting platforms are required to have MFA enabled.
Additional details are listed in our SOC 2 Report.
How are customer database credentials rotated?
Explo is unable to rotate our customer’s database or data warehouse credentials. It is on the customer to rotate the database passwords for Explo’s service user and update those values in the Explo platform. If you’d like to programmatically update these values with an API, please reach out to the Explo team.
How are customer tokens rotated?
Explo recommends you to embed with JWTs and not with the non-expiring customer token.
JWTs are short-lived tokens (the lifetime of the token can be configured) that allow for additional security. The JWT encodes the dashboard or report builder embed_id, the customer object’s provided_id, and the length of time the token should live for.
If you need to use the customer token, please be sure to periodically refresh the token. Explo will not automatically refresh these tokens because this could cause your platform to be out of sync with the Explo platform.
Does Explo have an incident response plan? What are the customer communication protocols?
Yes. We’ve had an incident response plan in place since we got our first audited SOC 2 Report in January 2021. Explo deeply values the importance of privacy and security and that’s why we got our SOC 2 so early as a startup. This plan is revisited every year as part of our yearly SOC 2 Type 2 audit to ensure it is up to date.
If a breach has taken place, all (and likely) impacted customers are notified and communicated with as soon as possible. Our status page will reflect a wider message and a broadcast will be sent to the wider customer fleet with information about the incident, remediation steps, and any additional information.
For more information, please check out our SOC 2 Report.
Do Explo’s API endpoints have a rate limit?
We’ve added a new section about rate limits here.
Security FAQs
Check out Explo’s Security Trust Center page to get access to our compliance certification reports.
Is data encrypted at rest?
Yes, data is encrypted at rest with AES-256, block-level storage encryption. Amazon manages the keys and individual volume keys are stable for the lifetime of the volume. More information can be found here.
Heroku doesn’t encrypt data at the Postgres level. Sensitive fields, like passwords, are encrypted at the Postgres level by our application using 256 bit + 390k stretch key lengths.
If data is ever sent to S3 for exports, the files are short-lived and encrypted in S3. There is a 7-day object expiration rule applied to the entire S3 bucket.
Is data encrypted in transit?
Yes, the data is encrypted in transit with Mutual TLS or mTLS. Heroku uses mTLS to create a secure and mutually authenticated channel between an external resource and our Heroku Postgres database. More information can be found here.
Heroku uses TLS 1.2 or 1.3, more information can be found here.
How is unauthorized access to code repositories and cloud hosting platforms prevented?
- These platforms can only by accessed by authorized Explo employees.
- Only Explo administrators can add additional employees to these platforms.
- All accounts added to our code repositories and cloud hosting platforms are required to have MFA enabled.
Additional details are listed in our SOC 2 Report.
How are customer database credentials rotated?
Explo is unable to rotate our customer’s database or data warehouse credentials. It is on the customer to rotate the database passwords for Explo’s service user and update those values in the Explo platform. If you’d like to programmatically update these values with an API, please reach out to the Explo team.
How are customer tokens rotated?
Explo recommends you to embed with JWTs and not with the non-expiring customer token.
JWTs are short-lived tokens (the lifetime of the token can be configured) that allow for additional security. The JWT encodes the dashboard or report builder embed_id, the customer object’s provided_id, and the length of time the token should live for.
If you need to use the customer token, please be sure to periodically refresh the token. Explo will not automatically refresh these tokens because this could cause your platform to be out of sync with the Explo platform.
Does Explo have an incident response plan? What are the customer communication protocols?
Yes. We’ve had an incident response plan in place since we got our first audited SOC 2 Report in January 2021. Explo deeply values the importance of privacy and security and that’s why we got our SOC 2 so early as a startup. This plan is revisited every year as part of our yearly SOC 2 Type 2 audit to ensure it is up to date.
If a breach has taken place, all (and likely) impacted customers are notified and communicated with as soon as possible. Our status page will reflect a wider message and a broadcast will be sent to the wider customer fleet with information about the incident, remediation steps, and any additional information.
For more information, please check out our SOC 2 Report.
Do Explo’s API endpoints have a rate limit?
We’ve added a new section about rate limits here.