Secure Data Analytics with Sigma
Sigma sits atop your existing cloud database and uses a secure connection to query your data warehouse directly. Sigma writes a query to access the data needed to answer your question and returns the result in the browser.
Sigma provides a single point of access for your data, so you can establish robust data governance, keep report sprawl to a minimum, and restrict access to sensitive information. Administrators can set permissions by team and namespace, and restrict data access directly from the database as well.
We built Sigma with security in mind, which is why we included features like immutable hosts, container checking, and threat detection. At Sigma, we make every effort to provide secure data analytics and ensure our platform is protected at every layer of the stack.Contact Us
Ensuring our product meets the robust data security needs of our customers is a top priority at Sigma. We’re continuously releasing and iterating to include the newest security features and stay ahead of the ever-changing and evolving threat landscape. We also work directly with customers with unique security or compliance requirements and add these features as needed.
These are just some of the security features our platform offers customers:
Fine-grained role-based access control
Control which users have access to what information
OAuth for Snowflake
Easy for Sigma to leverage data permissions established in Snowflake
Single sign-on (SSO)
Use SAML, Okta, OneLogin, GSuite, or your favorite iDP
Limit users to seeing only data that’s relevant to them
Traffic between Sigma and the CDW stays on an AWS private connection
Platform and Organizational Security
Sigma invests heavily in having an exceptional security program and ensuring we exceed industry standards. We don’t just buy tools — we make secure data analytics the foundation of everything we do.
Web application firewall
Sigma uses a web application firewall that receives automatic updates to help keep us protected against the latest web application attacks.
Static code analysis
Code is automatically checked for potential vulnerabilities for every commit.
Third-party library vulnerability checking
We check the libraries we use for vulnerabilities and keep them updated at all times.
We check code commits for credentials to ensure they’re not being merged into our code repository.
Every commit into the master branch requires a code review before being merged. Each code review is done by a senior engineer.
Shared responsibility with GCP and AWS
We use cloud providers with extensive data security, compliance, and privacy programs.
Sigma runs its clusters in multi-zone deployments to ensure high availability in case of a data center or network outage.
Our underlying infrastructure is immutable, which means nothing can be installed or changed on these hosts.
Sigma uses the latest cloud security products to check for threats against our infrastructure.
We use rules and machine learning to look for anomalies happening in our cloud infrastructure and spot any potential security threats.
We check our cloud configurations in real time to ensure they are meeting our standards and are always secure.
Encryption in transit (TLS 1.2 Min)
Encryption is enforced between clients and Sigma and all components of the Sigma platform using at least TLS 1.2.
We utilize multiple layers of DDoS protection from leading providers in the industry.
Sigma uses DNSSEC to prevent DNS spoofing / hijacking, and we sign all of our zones including development and production.
Network spoofing is blocked internally and across all instances.
No connectivity between production and office networks
We do not connect our cloud networks to our office networks. We keep them seperate to ensure our office network never affects our production network.
Mobile device management
All Sigma assets are managed assets and enforce our security policies.
Endpoint detection response
We use the latest endpoint security tools in EDR, which go beyond simple anti-virus alerting and allow us to see the details around any potential compromises.
Advanced persistent threat detection
We scan packages for the latest APT indicators and sandbox those packages to ensure they’re not a threat.
We filter DNS for malicious (malware/phishing/etc.) requests that could harm our employees or infrastructure.
Third-party penetration test
Sigma pays for a yearly third-party penetration test, complete with a social engineering/phishing element, by experts in the industry.
Annual security training
We make all employees complete extensive annual security training that covers over 13 different subject areas.
Quarterly phishing tests
We phish our employees regularly to help keep security top of mind and teach them how to easily spot phishing emails.
Data Security, Privacy and Compliance
At Sigma, ensuring we meet the data security, privacy and compliance needs of our customers is core to our business. Meeting and exceeding these standards to help secure data in the cloud is a shared value for all employees within our company. If you have any compliance or privacy questions, please contact us at firstname.lastname@example.org.
Sigma has completed a Health Insurance Portability and Accountability Act (HIPAA) third-party attestation. This assures that Sigma has a HIPAA compliance program with proper controls in place for safeguarding protected health information (PHI). Sigma will sign a Business Associate Agreement (BAA) with our healthcare customers.
SOC 1 Type II
Sigma has completed a SOC 1 Type II report to validate our process and controls around financial reporting. This ensures that our customers can have confidence in Sigma and our platform for many years to come.
SOC 2 Type II
Sigma leverages best practices for security controls as part of our data security program. We work with AICPA-certified, third-party auditors to evaluate our information security system controls.
Sigma maintains an SOC 3 report which is the public report of security controls. It is a summarized version of the SOC 2 report and provides validation that Sigma has completed an independent third-party audit against the AICPA’s Security Trust Principles. You can download the report here.
Cloud Security Alliance (CSA)
Sigma has completed the CSA’s Consensus Assessments Initiative Questionnaire (CAIQ), which provides a set of questions a cloud consumer may wish to ask to ascertain a solution’s compliance to the Cloud Controls Matrix and CSA best practices.
General Data Protection Regulation (GDPR)
At Sigma, we firmly support GDPR in both practice and philosophy. We work with our customers in the European Economic Area to assure compliance with analytics and personal data handling requirements and cross-border transfer requirements under GDPR.
As a processor, we process data on behalf of our customers. We expect that some of our customers will require us to enter into a data processing addendum (“DPA”), per Article 28 of GDPR.
Sigma uses several subprocessors, but the majority of our obligations hinge on our primary subprocessors: Google Cloud Platform and Amazon Web Services. Read more about Google Cloud Platform’s commitment to GDPR here and AWS’ GDPR compliance here. And for a full list of our subprocessors, click here.
California Consumer Privacy Act ( CCPA )
Sigma will support any removal request from any state/country as long as it is valid and made by a qualified party. Have a request? Please email us at email@example.com.
Sigma complies with the EU-US and Swiss-US Privacy Shield frameworks as set forth by the US Department of Commerce with respect to the collection, use, and retention of personal data transferred from the European Union, the United Kingdom, Switzerland, and the United States. Sigma has certified with the Department of Commerce that we adhere to the Privacy Shield principles. For more information about the Privacy Shield program, and to view Sigma’s Privacy Shield certification, please visit https://www.privacyshield.gov/list.
Bug Bounty Program
If you believe you have found a security vulnerability or would like more information about our program, please send an email to firstname.lastname@example.org for an invitation to our private bug bounty program.