General Questions

What data is ingested into the Backtrace IO application and why?

  1. Application Debug Symbols - This is required to classify and analyze incoming crash reports & data for the purposes of grouping and rendering them useful to developers.
  2. Application Crash Data - Backtrace captures crash data and minidumps so that engineers and support personnel can query against it and build workflows from that.

How is data protected?

By default data is protected by using TLS protocols to ensure data security during transmission.

Backtrace also offers encryption at rest using 256-bit AES. The private key is not accessible from user-space and the password is never stored in plain-text anywhere. Only key management personnel have access to the password, which is protected with PGP. This is an Enterprise feature.

What is the security review and approval for the development process prior to release?

All changes to the Backtrace code are reviewed by several team members and are scrutinized for correctness, performance, and security.  These changes then go through regression and integration testing for validation before being published.

Is a security incident response plan formalized?

We are in the process of documenting our internal security incident response plan following the guidelines of NIST 800-61, Revision 2.

Can data be modified to obscure or remove protected information from minidumps?

Backtrace provides several facilities for scrubbing data of personally identifiable information (PII). There are mechanisms for both native UNIX core dump formats as well as the minidump format used by Windows, Breakpad and Crashpad.

Data scrubbers provide administrators the ability to remove sensitive data from minidump files submitted to Backtrace before they are committed to disk. Data contained in the dump such as register values, memory and crash attributes is scanned for patterns that may be indicative of personally identifiable information. Note that the data scrubbers will not remove binary data. 

pmodules  allow ptrace  users to develop plug-ins that perform analysis and scrubbing of core dumps client side, before they are submitted to the Backtrace servers.

Administrators can also configure dump and metadata retention policies that will allow data to be removed after a defined period of time.

Data scrubbing, pmodules, and configurable retention policies are Enterprise level features.

Do you have a clearly defined step in your software development process for security review and approval prior to production release?

All changes to code are reviewed by several team members and are scrutinized for correctness, performance and security.  Any regressions or new features require integration tests to validate against these.

Can SSO or LDAP be enabled?

Both SSO and LDAP integration are available as Enterprise features.

Is Backtrace GDPR compliant?

See https://help.backtrace.io/pricing-data-protection-privacy-and-terms/data-protection/gdpr-and-what-it-means-for-backtrace-customers

Questions About Backtrace Hosted Service

What platform does the hosted service run on?

Hosted services currently run on Linode or Packet, depending on the class of account. The web-based user interface has static assets such as Javascript files and images hosted on the Fastly CDN.

How is secure physical access assured to the data processing facilities where data will be stored, processed or transmitted?

Linode as a company is PCI Data Security Standard (PCI DSS) compliant, which has been validated by an authorized independent Qualified Security Assessor.  You can find more information here.

Packet.net has various standards depending on the datacenter selected.  See here for details on the security offerings of the various data centers

How long does Backtrace store data for?

Unless otherwise engaged in a non-standard contract Backtrace will hold crash data (e.g. minidumps) for 90 days and metadata for 365 days.

Do you share data with any other 3rd party?

Backtrace does not share any data with 3rd parties, but does make use of MixPanel to track activity for purposes of improving the product. None of this data includes any information about the contents of the customer data.  MixPanel is only used to track utilization of features.

Did this answer your question?