Security and Trust at Harness
Harness takes a comprehensive approach to data privacy and security to protect our infrastructure, products and customer data. Our geographically diverse security team is committed to operating and continually enhancing our security and compliance programs.
Security
Availability and Disaster Recovery
We have multi-region architecture in place in a separate geographic locations to ensure the platform and its services can be rapidly scaled up in the event of a disaster to its primary location. This architecture is tested by Harness at least annually to validate the failover procedures and recovery technologies.
We also perform frequent backups of our databases to ensure that data is backed up and can be restored to a point in time in the event of an incident or data corruption. Our Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are 4 and 6 hours respectively.
Personnel Security
We conduct rigorous interviews and background checks to ensure we identify top candidates to join our team. Employees must complete security and privacy training during onboarding and annually.
Secure Software Development
Security is embedded throughout our software development lifecycle. All changes to production must be peer reviewed and approved, automatically tested through continuous integration, scanned for vulnerabilities, and include roll-back procedures prior to deployment.
Vulnerability Management
We perform vulnerability management over our infrastructure and application code. Scans are run at least monthly and adhere to NIST vulnerability remediation timelines.
Incident Response
Our Incident Response program that aligns with both the SANS PICERL and NIST SP 800-61 guides with a dedicated Incident Response team in place to ensure the program follows established internal policies.
Customers are updated on operational incidents through our Status Page and impacted customers are notified without undue delay of any security incidents.
Data Security
Customer Data Protection
Minimal PII is required for us to provide and maintain our services. All Harness customer data is internally classified under the most critical data classification and is therefore the most strictly controlled and secured. We encrypt all data in transit utilizing TLS 1.2+. and data at rest within the Harness platform and our databases is AES-256 encrypted.
Data Isolation
Customer data is never used in our non-production environments which are strictly separated from our production environments and used for development, testing, and staging only.
We logically separate all customer accounts using unique Account IDs.
Identity and Access Management
Harness adheres to RBAC principle, therefore unique user accounts and passwords are assigned to each employee based on least privilege.
Single Sign On (SSO) is enforced for critical business systems and two-factor authentication (2FA) is implemented wherever possible.
System Monitoring
We use software to collect data from system infrastructure and endpoints, monitoring activities such as access, system performance, potential security vulnerabilities, and resource utilization; the information security and operations teams are alerted when unusual system activity or service requests are detected.
