The ExtraHop Security Operations Framework

ExtraHop is committed to protecting our customers and honoring the trust you've placed in us by allowing our people, products, and services into your environment.

Along with the following security programs and certifications, we've developed a comprehensive security operations framework based on ISO 27001 (the current gold standard for information security management systems) that guides our policies, processes, and procedures across the board. You can learn more about that framework in our Security, Privacy, and Trust overview.

Assurance Programs

SOC 2 Certification


A SOC 2 report is a third-party audit of a company's controls for processing consumer data. Customers and other interested parties use these reports to make sure a vendor is handling their data securely, and to better assess any remaining risks.

ExtraHop engages a third party annually for a SOC 2 compliance audit of ExtraHop Addy, our cloud-hosted machine learning service. This report covers security controls including (but not limited to) firewalls, audit logs, and access controls.


Privacy Programs

GDPR Certification


The General Data Protection Regulation (GDPR), a set of laws intended to improve personal data security and usage transparency for European citizens, goes into effect in May 2018. As all organizations handling personal data from the EU must comply with GDPR guidelines, ExtraHop is actively working on verifying that our security framework meets GDPR standards as well as documenting the ways in which we are able to support our European customers in their own compliance.

U.S. Privacy Shield Certification

The U.S. Privacy Shield Framework is a replacement for the U.S. Safe Harbor Framework, which itself was a collaborative solution designed by the U.S. Department of Commerce and the European Commission in order to help U.S. companies comply with the EU's soon-to-be-defunct Directive on Data Protection.

The new Privacy Shield Framework offers a way for U.S. companies to comply with the General Data Protection Regulation (GDPR), which will go into effect in the EU in May 2018. Only through annual self-certification and third-party assessment can U.S. organizations transfer personal data from the EU or Switzerland to the United States.

As a U.S.-based company active in the EU, ExtraHop joined the U.S. Privacy Shield program in 2018 and confirmed that our security controls are in compliance with framework requirements. You can verify our current standing on the U.S. Privacy Shield Framework website.


Vulnerability Management

Penetration Tests

Penetration tests are deliberate attempts to exploit infrastructure vulnerabilities so organizations can (a) verify that their existing security controls are effective, and (b) identify any potential vulnerabilities that still need to be addressed.

ExtraHop undergoes regular penetration tests conducted by our internal security team as well as by independent third parties. We also perform security testing before each release.

Network Scanning

Network vulnerability scans are internal and external scans of an organization's network environment, used to identify potential vulnerabilities in websites, applications, and information technology infrastructures.

ExtraHop performs regular network scans and compiles detailed reports on known and emerging vulnerabilities.


Secure Development Practices

Our Process, Your Security

We develop our appliances and software services according to the following Secure Development Lifecycle:

  1. Design. ExtraHop uses threat modeling and secure design techniques from day one.
  2. Construction. We build our software using modern tools with secure functions enabled.
  3. Test. All components are subject to security testing.
  4. Vulnerability Response. Our commitment to customer security doesn't end when software ships. If issues are found, ExtraHop issues updates.

Internal Security Monitoring

ExtraHop On ExtraHop

It should come as little surprise that our internal teams use ExtraHop to maintain great visibility into our own networks, allowing our IT and security teams to identify potentially malicious activity just as our customers do.
