Data collection and storage

CAST AI takes the confidentiality and integrity of its customer data very seriously and strives to ensure that data is protected from unauthorized access and is available when needed. A specialized third-party vendor audits CAST AI three times a year.

CAST AI holds the following certifications:

  • ISO 27001
  • SOC 2 Type II

Data security: a quick recap

No sensitive information leaves your cluster! CAST AI cannot access sensitive user data such as K8s Secrets or K8s ConfigMaps.

Before initiating the cluster analysis process, the CAST AI agent removes from the workload manifest any environment variables whose names identify them as sensitive:

  • passwords,
  • tokens,
  • keys,
  • secrets.

The agent cannot see the contents of your business data on disks or access them in any way. The most sensitive information collected is workload names.
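As an added illustration of the scrubbing step described above (example code, not the CAST AI agent's own implementation): the function below walks a Kubernetes workload manifest and drops every container environment variable whose name looks like a password, token, key or secret before the manifest is handed to any analysis. The name patterns, the sample Deployment and the handling of both bare Pods and templated workloads are this example's own assumptions; the page only states which name categories are removed.

```python
"""Added example (not CAST AI's agent code): strip environment variables with
sensitive-looking names from a Kubernetes workload manifest before it leaves
the cluster.

Assumption: the regular expression below is this example's own rule; the page
states only that variables named like passwords, tokens, keys and secrets are
removed, not the exact matching logic.
"""
from __future__ import annotations

import copy
import re

# Assumed rule: any of these substrings in a variable name marks it sensitive.
# It is deliberately broad (so "MONKEY_COUNT" would be dropped too): for a
# scrubber, a false positive costs one harmless variable, a false negative
# leaks a credential.
SENSITIVE_NAME_PATTERN = re.compile(r"PASS(WORD)?|PASSWD|TOKEN|KEY|SECRET", re.IGNORECASE)


def is_sensitive_name(name: str) -> bool:
    """True if an env var name matches the sensitive-name rule."""
    return SENSITIVE_NAME_PATTERN.search(name) is not None


def scrub_container_env(container: dict) -> list[str]:
    """Remove sensitive env vars from one container in place; return removed names."""
    removed, kept = [], []
    for env in container.get("env", []):
        if is_sensitive_name(env.get("name", "")):
            removed.append(env["name"])
        else:
            kept.append(env)
    if "env" in container:
        container["env"] = kept
    return removed


def scrub_manifest(manifest: dict) -> tuple[dict, list[str]]:
    """Return (scrubbed deep copy, list of removed env var names).

    Handles bare Pods (spec.containers) and templated workloads such as
    Deployments or ReplicaSets (spec.template.spec.containers). initContainers
    are scrubbed as well, since they often carry migration credentials.
    """
    out = copy.deepcopy(manifest)  # never mutate the caller's manifest
    spec = out.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    removed: list[str] = []
    for key in ("initContainers", "containers"):
        for container in pod_spec.get(key, []):
            removed.extend(scrub_container_env(container))
    return out, removed


# Constructed sample input: a Deployment with benign and sensitive variable names.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "billing-api", "namespace": "payments"},
    "spec": {
        "replicas": 2,
        "template": {
            "spec": {
                "initContainers": [
                    {"name": "migrate",
                     "env": [{"name": "DB_PASSWORD", "value": "example-only"}]}
                ],
                "containers": [
                    {
                        "name": "api",
                        "env": [
                            {"name": "LOG_LEVEL", "value": "info"},
                            {"name": "API_TOKEN",
                             "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}},
                            {"name": "STRIPE_KEY", "value": "sk_test_example"},
                            {"name": "CLIENT_SECRET", "value": "example-only"},
                            {"name": "HTTP_PORT", "value": "8080"},
                        ],
                    }
                ],
            }
        },
    },
}

if __name__ == "__main__":
    scrubbed, removed = scrub_manifest(SAMPLE_DEPLOYMENT)
    print("removed:", removed)
    for c in scrubbed["spec"]["template"]["spec"]["containers"]:
        print(c["name"], "keeps", [e["name"] for e in c["env"]])
```

Note that a variable whose value comes from a `secretKeyRef` never carries the secret itself in the manifest, but its name is still dropped here: the name alone can reveal which credentials a workload holds, which is exactly the kind of inference a collector should not enable.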

The data delivered to the CAST AI Analytics Platform does not contain Personally Identifiable Information (PII), Payment Card Industry (PCI) data, or health care data (HIPAA).

Customer data protection

CAST AI stores customer data on Google Cloud Platform (GCP) in the us-east4 (North Virginia) region by default.

Encryption

All production data at rest is stored on encrypted disks, enforced by the cloud service provider's (CSP's) encryption policy by default. All in-flight data is encrypted with a minimum of TLS 1.2.

Authentication

CAST AI does not store user login data at all. Emails, passwords, and SSO IDs are hosted by a third-party authentication provider, Auth0 (Okta).

CAST AI does not store user API tokens, only a hash of each token for validation.
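The hash-only pattern above, as an added example (not CAST AI's own code): the token is shown to the user once at issue time, only its digest is persisted, and verification hashes the presented token and compares digests in constant time. The choice of SHA-256 is an assumption; the page says only that a hash is stored.

```python
"""Added example (not CAST AI's code): persist only a hash of an API token.

Assumption: SHA-256 over the raw token. A fast hash is appropriate here,
unlike for passwords, because the token is 256 bits of randomness and cannot
be brute-forced from its digest.
"""
import hashlib
import hmac
import secrets


def hash_token(token: str) -> str:
    """Digest that is safe to store; the raw token is never written down."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token() -> tuple[str, str]:
    """Return (token to show the user exactly once, hash to keep server-side)."""
    token = secrets.token_urlsafe(32)  # 256 bits of entropy
    return token, hash_token(token)


def verify_token(presented: str, stored_hash: str) -> bool:
    """Constant-time comparison so response timing leaks nothing about the digest."""
    return hmac.compare_digest(hash_token(presented), stored_hash)


if __name__ == "__main__":
    token, stored = issue_token()
    print("stored digest:", stored)
    print("valid:", verify_token(token, stored), "tampered:", verify_token(token + "x", stored))
```

A database dump under this scheme yields only digests, which cannot be turned back into usable tokens; the trade-off is that a lost token cannot be recovered, only reissued.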

Data retention

Customer Kubernetes metadata shall be retained for a minimum of 10 years. Customer data belonging to inactive customer accounts is marked accordingly but never deleted.

Example of data collected by CAST AI

Metadata for nodes (extract)

labels:
  addon.gke.io/node-local-dns-ds-ready: "true"
  beta.kubernetes.io/arch: "amd64"
  beta.kubernetes.io/instance-type: "e2-custom-4-16896"
  beta.kubernetes.io/os: "linux"
  cloud.google.com/gke-boot-disk: "pd-standard"
  cloud.google.com/gke-container-runtime: "docker2"
  cloud.google.com/gke-cpu-scaling-level: "2"
  cloud.google.com/gke-max-pods-per-node: "110"
  cloud.google.com/gke-netd-ready: "true"
  cloud.google.com/gke-os-distribution: "cos"
  failure-domain.beta.kubernetes.io/region: "us-east4"
  failure-domain.beta.kubernetes.io/zone: "us-east4-b"
  iam.gke.io/gke-metadata-server-enabled: "true"
  kubernetes.io/arch: "amd64"
  kubernetes.io/hostname: "gke-dev-master-cast-pool-c19ff18f"
  kubernetes.io/os: "linux"
  node.kubernetes.io/instance-type: "e2-custom-4-16896"
  node.kubernetes.io/masq-agent-ds-ready: "true"
  projectcalico.org/ds-ready: "true"

Metadata for pod replica (extract)

metadata:
  name: "dashboard-metrics-scraper-c45b7869d"
  namespace: "kubernetes-dashboard"
  resourceVersion: "637593368"
  generation: 1
  creationTimestamp: "2022-08-16T12:10:33Z"
  labels: { ... }
  annotations: { ... }
  ownerReferences: { ... }
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: "dashboard-metrics-scraper"
      pod-template-hash: "c45b7869d"
  template:
    metadata:
      creationTimestamp: null
      labels:
        k8s-app: "dashboard-metrics-scraper"
        pod-template-hash: "dashboard-metrics-scraper"

To learn more about our security policies and compliance, head over to the security portal.
