Cribl values customer trust above all else. We are committed to keeping customer data safe and secure, and have built all Cribl products and services from the ground up with security, compliance, and user privacy as top priorities. We want to be transparent about how we’re following industry compliance standards and data protection laws and regulations, and hope this page gives our customers peace of mind when choosing and using Cribl’s suite of products. So please, peruse this information to your heart’s content, and if you have any additional questions around privacy and security, please contact us.
At Cribl, we strive for security by design. With the security approaches Cribl takes, including access management, risk management, and security governance, our customers are able to gain more control, more flexibility, and more confidence when using Cribl products and services.
Our product security program aligns with best practices from the National Institute of Standards and Technology (NIST). Cribl provides developers with training that reinforces secure development and architecture practices, to promote pragmatic security in the development process.
Cribl has dedicated engineers focused on product security. They apply a secure development lifecycle that includes:
Cribl information security professionals receive continuous training and certifications from reputable organizations such as Information Systems Security Certification Consortium, Inc. (ISC2), and Offensive Security. Additionally, our practitioners maintain relationships with security interest groups such as the Open Web Application Security Project (OWASP) and Information System Security Association (ISSA).
Please contact email@example.com to get in touch with our product security group.
We align our compliance with continuous risk management to better secure our operational environment, products, services, and — by extension — you and your data. Cribl is currently expanding, and will always expand, our portfolio of Security and Compliance Reports as our customers request them. Reports are available to all customers and prospects under NDA.
Cribl complies with SOC 2 requirements for its Cloud Products and related organizational controls. Cribl received its first SOC 2 Type II attestation report in April 2022 for its initial observation period ending December 31, 2021, and is continuing with annual audits. SOC 2 ensures compliance with worldwide industry standards for data security, and instills confidence in enterprises using Cribl in their observability and cybersecurity environments.
SOC 2 standards are established by the American Institute of Certified Public Accountants (AICPA), and address security controls such as organization and management, monitoring of controls, communications, risk management, and more. The Type II evaluation is a rigorous security verification process focused on systems related to security, availability, processing integrity, confidentiality, and privacy of data. This means that brand manufacturers using Cribl’s suite of products to collect, enrich, distribute, and search their observability and cybersecurity data can feel confident in the secure design and operating effectiveness of Cribl.
We require a mutual non-disclosure agreement (MNDA) before sharing access to our SOC 2 Report and our most recent Penetration Test. Customers may request the MNDA or our security documentation by emailing firstname.lastname@example.org.
For our Canadian subsidiary, our Privacy Officer is the fabulous and limitless Chell Mendiola, who can be contacted at email@example.com.
Subject to applicable law and regulations, individuals may have rights involving their own Personal Data. Any User may exercise their rights by contacting Cribl’s Privacy Team at firstname.lastname@example.org.
Cribl gives customers choice with how they want to deploy Cribl Products—Cloud, Hybrid, and On-Premises. Our customers’ specific industry requirements often drive which product(s) they should select. To help you decide, we’ve put together this quick explanation of what it means to work with Cribl.
Where Oh Where Does My Data Go
Cribl offers two main deployment options to our customers:
Cribl products include:
With an on-premises deployment of Cribl Stream or Edge, the customer remains in complete control over their data. The customer not only controls who has access to the product, internally and externally, but also all of their data from end to end, ingest to output. At our Enterprise and Standard license levels, customers with on-premises deployments are able to turn off anonymized telemetry data from being sent back to Cribl. That telemetry data provides us information on the Product’s functioning, but does not transmit any customer data processed there.
Cribl is able to support customers in healthcare, financial services, and government fields when Cribl Products are deployed on premises because such products are considered Commercial Off The Shelf (COTS) products that allow customers to use internal controls required in those heavily regulated data infrastructures. Indeed, a customer with an on-premises deployment would need to affirmatively send us sensitive information to cause a disclosure.
Cloud and Hybrid Deployments
For our subscription Cribl.Cloud deployments, Cribl.Cloud offers a cloud-based service for dedicated Stream, Edge, and Search environments, so customers can get up and running quickly. Cribl takes care of the infrastructure management and scaling, making this the fastest and easiest way to realize the value of Cribl Products.
Cribl.Cloud is hosted in AWS, meaning there are AWS safeguards and certifications in place; details here. Every Cribl.Cloud account is provisioned in a standalone AWS account, providing full isolation of data and control. This architecture ensures that no sensitive data can be accessed without the correct access controls.
Cribl.Cloud is also SOC 2 Type II certified, and we follow best practices as part of our operations. Cribl’s compliance with SOC 2 security standards, along with the penetration testing and other security activities that Cribl performs, provides assurances that information stored or processed in Cribl.Cloud is secure.
Cribl Site Reliability Engineers (SRE) have access to the Leaders and to Cribl-managed Cloud Workers for management purposes. All SRE activities are audited. Engineers do not have access to hybrid workers, to Edge Fleet nodes, or to customer data as it gets processed through Workers (nor to the S3 buckets that customers use as part of Cribl Search).
When you use Cribl.Cloud in a hybrid deployment, Cribl still offers a Leader node in the Cloud, but some or all of your Worker nodes can be on-premises, on physical or cloud infrastructure that you provide. Because our product features “preview” options on the Leader node to enhance product functionality, data could be viewed from the Leader node by customers. Additionally, when you use Cribl Search, the persistent queuing function could cause information to be viewed from the Leader node. In a full Cloud deployment, some data may be viewable by Cribl customer support through Cribl.Cloud’s processing technologies, with consent from the customer.
Cribl does not yet have specific certifications to demonstrate compliance with security standards for processing certain sensitive data through Cribl.Cloud, including as to sensitive data like personal data, personal health information, payment card information, special categories of personal data protected by applicable laws such as the GDPR, and non-public, personally identifiable consumer financial information.
Customers must use Cribl Products to process such data only as allowed by applicable law and data protection standards, including the General Data Protection Regulation in the European Union, the California Consumer Privacy Act, the California Privacy Rights Act, the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act, and the Payment Card Industry Data Security Standards.
Support, Services, Affiliates, and Subprocessors
As a general matter, we have support personnel located globally to provide our subscription services with extended service hours by taking advantage of our regional presence in each of the time zones. Cribl may provide services through its services personnel or through partners, whichever resource best meets your needs.
Cribl provides support and services remotely and will not generally require access to your physical facilities. Cribl also provides extensive documentation for all of its products. Cribl generally does not perform work-made-for-hire services.
We have agreements in place with all our affiliates, partners, and sub-processors to ensure they provide sufficient protection for your data consistent with applicable privacy and data protection laws. The sub-processors we use are described here.
Do you offer Service Level and Support Commitments?
For our Cloud offerings, we include availability commitments for Cloud Products and response times for support, as we understand and are proud that our products are largely intended for use in your core commercial activities as an organization. These commitments, including our response times and uptime availability targets, are consistent across all customers. We are largely unable to make changes on an individual-customer basis, absent extraordinary circumstances — which are negotiated case by case, and can add length to the contracting process.
Can I request Professional Services?
Absolutely. Cribl can provide work-made-for-hire services, but customized work will be governed by a separately negotiated and executed statement of work (SOW). For more information, read our Services Addendum. In the event you request any professional services, Cribl can work with you to craft a SOW.
Where does my data go in Stream on Cribl.Cloud?
What about my authentication data in Stream on Cribl.Cloud?
Authentication data – things like secrets and passwords, authentication methods, etc. – are stored on disk in the encrypted Cribl secret store. This data can be removed through Cribl’s UI or over API.
The TL;DR is that Cribl’s cookie settings track user access across our website properties, but we do not track a user once they leave our website. For a more detailed explanation, Cribl may use Personal Data about visitors to the Sites to monitor performance, access, usage, and security of the Sites and the Platform, including as follows:
A cookie is a delicious small sweet food, typically round and flat, with a crisp or chewy texture. Some argue the chocolate chip cookie is the best type of cookie. A cookie is also a tiny element of data that the website can send to your browser, which may then be stored on your computer or mobile device so we can recognize you when you return.
Cribl respects consumer privacy. Depending on your state of residence, you may be entitled to certain information regarding the data that Cribl collects.
For California consumers
Under the California Consumer Privacy Act and other laws and regulations, consumers in California have a right to: (1) know about the use, including sharing, of the personal data Cribl collects about them; (2) access the personal data Cribl has collected; (3) request deletion of their personal data, with some exceptions; and (4) the right to opt out of the sale of their personal data. Cribl does not sell the personal data of any users or consumers.
For Virginia consumers
Under the Virginia Consumer Data Protection Act and other laws and regulations, consumers in Virginia have a right to: (1) confirm whether Cribl is processing their personal data; (2) access the personal data that Cribl collects about them, (3) correct inaccuracies in their personal data (considering the nature of that data and purpose of its processing), (4) request deletion of personal data provided by or obtained about the consumer; (5) obtain their personal data in a portable and readily usable format where the processing is carried out by automated means; and (6) opt out of targeted advertising, sale of their personal data, and profiling when that profiling produces significant or legal effects concerning the consumer. Cribl does not sell the personal data of any users or consumers.
For Colorado consumers
Under the Colorado Privacy Act and other laws and regulations, consumers in Colorado have a right to: (1) confirm whether Cribl is processing their personal data; (2) access the personal data that Cribl collects about them; (3) correct inaccuracies in their personal data (considering the nature of that data and purpose of its processing); (4) request deletion of their personal data; (5) obtain their personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance; and (6) opt out of targeted advertising, the sale of personal data, and profiling when that profiling produces significant or legal effects concerning the consumer. Cribl does not sell the personal data of any users or consumers.
For Individuals in the UK/EEA
Under the UK and EU General Data Protection Regulation, individuals in those countries have certain rights relating to their personal data, subject to local data protection laws. Depending on the applicable laws, these rights include:
Exercising These Rights
For any of the above consumers who wish to exercise their privacy rights, please email us at privacy@Cribl.io and include the following:
Because we respect your privacy, we ask that you not include uploads of government-issued photo identification for these purposes; any additional verification will be specifically requested, if needed. Should we be unable to take the action requested, you will be entitled to further information regarding why the requested action could not be taken.
Cribl does not discriminate in response to privacy requests.
Cribl’s legal work is inspired by Cribl’s core value of Customers First, Always, so we work hard to ensure that our customers, partners, and vendors have a best-in-class experience with Cribl. Cribl’s focus on our customers is reflected in our standard terms of service. Using plain language and terms that are fair to both Cribl and our customers, Cribl’s standard terms of service make contracting with Cribl as simple and as fast as possible.
What are Cribl’s standard terms of service?
Our standard terms are specifically tailored to Cribl Products, and they address purchases of all Cribl Products. Cribl Products are offered via term licenses provided on a subscription basis, so we do not offer perpetual licenses.
During the purchase process, the vast majority of our customers are presented with a Cribl quote detailing the commercial terms of the subscription, including subscription length and associated fees. The quote generally indicates that the purchase is subject to Cribl’s standard terms, unless a custom agreement is executed between the parties.
Does Cribl accept changes to its standard terms or enter into custom sales agreements?
Cribl will consider changes to its standard terms and enter into custom agreements with customers for contracts greater than $50,000 per year. Cribl is not able to accept changes to its standard terms for contracts below $50,000 per year, including temporary license agreements for proof-of-value demonstrations.
Cribl is committed to being a partner that our customers can trust to do what we say we are going to do. We cannot accept changes to our standard terms or enter into custom agreements with customers who contravene Cribl’s business practices, or who jeopardize our ability to perform under our contracts or to protect our Products. Like most enterprise software companies, we cannot scale our business if we have custom requirements for each of our customers.
Can I buy Cribl products through channel partners?
Yes, you can buy Cribl Products through any of our authorized channel partners. Many of our customers have long-standing relationships with channel partners. As a result, Cribl has been intentional about cultivating and educating established channel partners about our products and offerings. In the event you acquire Cribl Products through an authorized channel partner (i.e., a reseller, distributor, or managed service provider), the channel partner will flow down Cribl’s standard terms to govern the use of Cribl Products, and you may see our standard terms through a clickthrough agreement; however, all payment-related terms will be independently negotiated and set forth in the applicable agreement between you and your channel partner. Any financial agreements you enter into with a channel partner will be between you and the channel partner and shall not be binding upon Cribl except as acknowledged by us in our quote to the reseller or distributor.
Does Cribl offer termination for convenience?
Because of our commitment to your satisfaction and happiness, the answer is Yes. Cribl wants to help our customers with existing subscription levels, enriching their data, and making effective use of their data flows. We are proud to put you first, and if we are not the solution for you, you can terminate your subscription with 30 days’ notice.
Does Cribl offer refunds for early termination?
Yes, if you purchase under our standard terms and you terminate for convenience before the end of your current subscription term, Cribl will provide you a prorated refund of any unused amounts you pre-paid for the current term. However, Cribl cannot refund Cribl Credits, Cribl Product Credits, Service Credits, or other prior payments made related to Cloud Products. This is because (1) we recognize sales revenue in compliance with generally accepted accounting principles (GAAP), and (2) our Cloud Products are provided up front and the discounts offered for those purchases are based on the customer’s purchase at the rates negotiated.
How is liability structured in Cribl’s standard terms?
Cribl is able to offer its competitive pricing based on assurances about the use of our Products that relate to respecting the rights of third parties and adhering to applicable laws, and that are limited to the value of the contract. Any changes to our liability exposure may result in the necessity of a proportional change to the pricing model we are able to offer.
Does Cribl provide indemnity for intellectual property infringement claims?
Yes, Cribl offers indemnity for intellectual property infringement claims in its standard terms.
What governing law and venue does Cribl offer?
For U.S. customers, our standard terms are subject to the laws and venue of the State of California, but we may also agree to Delaware and New York. For our international customers, we can agree to the law of England and Wales. We find that the precedent and case law regarding business disputes is ample within these jurisdictions, and the courts are competent to hear sophisticated matters.
What insurance does Cribl carry?
Since Cribl does not provide any on-site services, it maintains adequate insurance coverage as required by law or regulation, with insurance policies that cover Cyber Liability, Worker’s Compensation, and Commercial Crime. Upon written request, Cribl can provide Certificates of Insurance evidencing its insurance coverages.
What are Cribl’s compliance requirements?
Cribl is an American company and is committed to compliance with all applicable export controls and sanctions laws, as detailed in our Compliance Addendum, which is a part of our standard terms. Additionally, we have certain requirements that we expect our suppliers and vendors to adhere to, which are also detailed in that addendum.
Does Cribl sign Business Associate Agreements under HIPAA?
Cribl does not sign Business Associate Agreements (“BAAs”) or other similar contract addenda because Cribl is not a “Business Associate” as that term is defined under the Health Insurance Portability and Accountability Act (“HIPAA”). Cribl Products are not intended for the transmission, storing, or otherwise processing of personal health information (“PHI”). We consider incidental disclosures of PHI as falling outside the scope of HIPAA.
To learn more about legal, visit the Cribl Legal page.
Cribl makes open observability a reality for today’s tech professionals. The Cribl product suite defies data gravity with radical levels of choice and control. Wherever the data comes from, wherever it needs to go, Cribl delivers the freedom and flexibility to make choices, not compromises.
The Cribl product security team acknowledges the valuable role that honest, independent security researchers and bug reporters play in the overall security of connected systems. As a result, we encourage the responsible reporting of any vulnerability that may be present in our applications and services. Cribl is committed to working with security researchers to verify and address potential vulnerabilities that are reported to us.
For these reasons, Cribl provides a responsible disclosure program for all of its products and services. The program is governed by the Responsible Disclosure Addendum and these terms. Please review both before you test or report a vulnerability to Cribl. We will provide a safe harbor to security researchers as long as they adhere to program requirements and are acting in good faith.
If you have details of a suspected vulnerability, please reach out to the Cribl product security team by sending an email to email@example.com. You can use our PGP Key to encrypt the email.
PGP Fingerprint: 93BCCB5500D176D131D06C41892C4E60AA85BA2B
Our public key is available here: https://cribl.io/.well-known/cribl_security_pgp.asc
If you feel your account may have been compromised, do not hesitate to contact the Cribl support team at https://cribl.io/support/.
If you have a fraud, abuse, or misconduct concern you wish to report, you can submit it one of three ways:
We will investigate all legitimate reports and make every effort to quickly correct any vulnerability. We ask in return that you:
Cribl encourages the responsible and ethical discovery and reporting of vulnerabilities. The following conduct is expressly prohibited:
All parts of our applications and services available to customers are in scope and are our primary interest. Please have a look below for out of scope targets.
Cribl uses a number of third-party providers and services. Our disclosure program does not give you permission to perform security testing on their systems. The following third-party systems are excluded: