Security

Samsara’s mission is to bring the benefits of sensor data to the organizations that drive our economy and to improve the safety, efficiency, and quality of their operations.

Samsara products are built from the ground up with security and privacy in mind. Given the large amounts of data our system generates, we hold data security to the highest standards. Samsara’s world-class security program centers on the concept of defense in depth: securing our organization, and your organization’s data, at multiple layers. All aspects of Samsara’s service — from its patented-pending technology architecture to built-in security tools for administrators to ongoing monitoring and risk mitigation—are designed for security and reliability by seasoned industry experts with extensive experience building secure technology systems.

Highlights
  • arrow icon TLS 1.2 protocols, AES256 encryption
  • arrow icon Always protected with over the air patches
  • arrow icon Validated by 3rd party audits
  • arrow icon Robust end-user security tools
  • arrow icon Redundant hosted software service

Security in Depth

  • Hardened Cloud Infrastructure

    Samsara’s cloud-hosted infrastructure is designed and managed in alignment with the best practices of multiple IT security standards. Samsara’s underlying infrastructure leverages Amazon AWS, which is ISO 27001 and SOC 1 Type II certified, and is rated as the leader in cloud security by research firm Forrester.

    Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services.

    ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of traffic.

    Samsara is built on a secure multi-tenant cloud architecture with logical data separation. Customer data is logically separated across distributed databases with required authentication checks for every application-layer and data-layer access made to any tenant's data. The logical separation ensures that data is always associated with exactly one customer, and required authentication checks at the application and data layers ensure that data is completely isolated by customer and accounts provisioned for that customer.

    Samsara employs a Virtual Private Cloud to provide resource isolation and minimize attack surface area. Samsara services are protected by IP- and port-based firewalls. Administrative access to Samsara’s infrastructure is highly restricted, and verified by public key (RSA). Distributed Denial of Service (DDoS) attacks are mitigated with elastic load balancing and highly available DNS services.

    When a storage device containing customer data has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. Techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual “) or NIST 800-88 (“Guidelines for Media Sanitization”) are used to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.

  • Encryption

    Data in Transit
    All data transmitted between Samsara clients and the Samsara service is done so using strong encryption protocols. Samsara supports the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS 1.2 protocols, AES256 encryption, and signatures, whenever supported by the clients.

    Data at Rest
    Data at rest in Samsara’s production network is encrypted using FIPS 140-2 compliant encryption standards, which applies to data at rest within Samsara’s systems—relational databases, file stores, backups, etc. All encryption keys are stored in an industry standard, secure system based on AWS’s Key Management Service. Samsara has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.

  • SOC 2® Reporting

    The Service and Organization Controls (SOC 2) is an industry-recognized attestation report given to a company after an audit of the company’s internal practices. Our report describes the controls and processes Samsara has in place to secure customer data and to ensure availability of our system.

    Samsara's SOC 2 Type 1 report includes a description of our software infrastructure and the processes we have in place to keep our customers’ data safe and available. Some of the processes covered in our report are employee on-boarding and termination processes; internal access controls to production environments; and disaster recovery, data backup, and incident response processes. Samsara’s SOC 2 Type 1 report was provided by Schellman & Company, a licensed and independent certified public accountant firm.

    If you’re a current or prospective Samsara customer and wish to view the report, you can request a copy from your account representative.

    Backups
    Samsara performs regular backups of customer data. Alerting is configured to let internal staff know of backup failures to ensure timely remediation. Internal staff also performs backup restoration tests regularly to verify the integrity of the backup data.

    Vendor Management
    To run efficiently, Samsara relies on sub-service organizations. Where those sub-service organizations may impact the security of Samsara’s production environment, we take appropriate steps to ensure our security posture is maintained by establishing agreements that require service organizations to adhere to confidentiality commitments we have made to users. Samsara monitors the effective operation of the organization’s safeguards by conducting reviews of all service organizations’ controls before use and at least annually.

  • 24x7x365 Monitoring

    Penetration Testing
    In addition to our compliance audits, Samsara engages independent entities to conduct application-level, infrastructure-level, and hardware-level penetration tests at least annually. Results of these tests are shared with senior management and are triaged, prioritized, and remediated in a timely manner. Customers may receive executive summaries of these activities by requesting them from their account executive.

    Customer Driven Audits and Penetration Tests
    Our customers are welcome to perform their own security testing on Samsara’s environment. Please contact your account executive to learn about options for scheduling either of these activities.

  • Redundant, Highly Available Infrastructure

    Samsara’s service is a distributed system designed to spread computation and data across multiple physical servers. Every customer’s data is replicated across multiple servers and storage appliances, so that hardware failure will not compromise service availability or customer data. Networks are multi- homed across a number of providers to achieve Internet access diversity.

    Datacenters are equipped with advanced fire detection and suppression equipment, including protection by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems. The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.

    Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

    Samsara is designed for rapid failover in the event of a hardware failure or natural disaster. And Samsara sensors and gateways are equipped with on-board storage to save data locally in the event of a cloud service interruption, and will automatically upload buffered data upon service resumption.

  • Security Tools for Administrators

    Samsara provides administrative tools to protect your organization’s data, including user management with email verification, authentication audit logs, and two factor authentication (via Google Apps). Moreover, Samsara enforces robust user authentication, with data access requiring authentication via Samsara’s centralized server (no default passwords or shared secrets).

  • Security Disclosure Policy

    Samsara is dedicated to upholding the highest standards of security for our platform and openly working with the security community. Our vulnerability disclosure policy aims to provide a way for external researchers to report and remediate security issues. Samsara encourages security researchers to discover and report to Samsara any vulnerabilities they find in a responsible manner. Samsara expressly prohibits security researchers from performing actions that may negatively affect Samsara or its customers; accessing, destroying, corrupting (or attempting to access, destroy, or corrupt) data or information that does not belong to them; or social engineering any Samsara customer or employee.

    Reporting security issues
    If you have a security concern, please email security@samsara.com with details about the vulnerability such as the page in which it exists and a short description of the issue. Please do not include any details about steps to reproduce the issue until we request them. We ask that you not share or publicize an unresolved vulnerability with/to third parties. If you responsibly submit a vulnerability report, the Samsara security team will use reasonable efforts to respond in a timely manner, provide an estimated time frame for addressing the vulnerability, and notify you when the vulnerability has been fixed.