Trust Center

Tigera’s Calico Cloud is built with security in mind and includes features engineered to keep customer information safe. Calico Cloud is designed to support the needs of our customers for security, compliance, and privacy. This page is a resource for our customers who would like to better understand how Calico Cloud both meets and helps ensure compliance with data protection laws and regulations across the United States, Asia, and Europe.

Data Accessibility and Security

Calico Cloud is certified with the Cloud Security Alliance, and you can download the report from here (Tigera Inc | Cloud Security Alliance). We have end-to-end encryption for data in transit, and customer information is encrypted at rest. Calico Cloud supports RBAC and token-based authentication.

Privacy and Compliance

Calico Cloud is SOC 2, CCPA, and GDPR compliant. Our payment processing system is PCI compliant. Further, we perform a yearly penetration test to ensure compliance, and the report is available to customers upon request.

Infrastructure Security & Resiliency

Built for the cloud, Calico Cloud leverages the most sophisticated cloud security technologies available. The result is a service that is secure and resilient, giving organizations the confidence to enable their Kubernetes security and observability with Tigera.

Vulnerability Management

If you believe that you have identified a vulnerability in Calico Cloud, Calico Enterprise, or Project Calico, please submit a vulnerability report to psirt@tigera.io. Reports may be submitted anonymously. All reports should include the following information:

  • Description
  • Steps to reproduce
  • Security risk assessment (low, medium, high)
  • Potential impact
  • Recommendations (if any)
  • Any other supporting technical information

Upon receiving a vulnerability report, Tigera will take the following steps:

  1. Investigate and confirm the vulnerability
  2. Respond to you, letting you know whether we are able to confirm the vulnerability and what our assessment of the severity is
  3. Address the vulnerability through a security patch or develop a workaround for mitigating the risk
  4. If appropriate, announce the vulnerability publicly through a technical advisory, announcements in online user groups and/or release notes of the patch release

We appreciate the efforts of security researchers who discover and share security information with us. Thank you for your cooperation and collaboration with us.