We know your data is extremely important to you and your business, and we're very protective of it. After all, Humio's data is hosted on Humio, too!
Need to report a security vulnerability?
Please email email@example.com to submit a vulnerability report.
- Data center access limited to data center technicians and approved Humio staff
- Entry via electronic access control terminals with a transponder key or admission card
- Video-monitored high-security perimeter fencing around the entire data center park
- Ultra-modern surveillance cameras for 24/7 monitoring of access routes, entrances, security door interlocking systems and server rooms
- Physical security audited by an independent firm
- System installation using patched OS
- Dedicated firewall and VPN services to help block unauthorized system access
- Distributed Denial of Service (DDoS) mitigation services powered by industry-leading solutions
- Our primary data center provider regularly audited by independent firms against DIN ISO/IEC 27001 for information security management system
- All Humio systems access logged and tracked for auditing purposes
We employ a team of server specialists at Humio to keep our software and its dependencies up to date eliminating potential security vulnerabilities. We employ monitoring solutions for preventing and eliminating attacks to the site.
All private data exchanged with Humio is always transmitted over SSL (which is why your dashboards are served over HTTPS, for instance). All transport of data is done over HTTPS using your Humio credentials.
Humio user credentials are authenticated using a thirdy party IdP of your choise (GitHub or Google), and we do not store any passwords. All users are virtual and have no user account on our machines.
File system and backups
Every log entry we receive is saved on a minimum of three different servers, including an off-site backup. We do not retroactively remove repositories from backups when deleted by the user, as we may need to restore the repository for the user if it was removed accidentally.
We do not encrypt repositories on disk because it would not be any more secure: the website and time series back-end would need to decrypt the repositories on demand, slowing down response times. Any operator with shell access to the file system would have access to the decryption routine, thus negating any security it provides. We do encrypt our backups though.
No Humio employees ever access customer data spaces unless required to for support reasons. Staff working directly in the file store access the compressed Humio database, your data is never present as plaintext files. Support staff may sign into your account to access settings related to your support issue. Support staff does not have direct access to your data spaces, they will need to temporarily attach their user identity to your data space to interact with your data, which will show up in your audit logs. When working a support issue we do our best to respect your privacy as much as possible, we only access the data needed to resolve your issue.
We protect your login from brute force attacks with rate limiting. We do not store any passwords, as we only support login with 3rd party IdP's. Login information is always sent over SSL.
Our 3rd party IdP's allow you to use two-factor authentication, or 2FA, as an additional security measure when accessing your Humio account. Enabling 2FA adds security to your account by requiring both your password as well as access to a security code on your phone to access your account.
We also maintain relationships with reputable security firms to perform regular penetration tests and ongoing audits of Humio and its code.
We're extremely concerned and active about security, but we're aware that many companies are not comfortable hosting logs outside their firewall. For these companies we offer Humio Self-hosted, a version of Humio that can be installed to a server within the company's network.
Have a question, concern, or comment about Humio security? Please contact firstname.lastname@example.org.