ExtraHop Security & Compliance

ExtraHop Certifications and Security Operations Framework

The ExtraHop Security Operations Framework

ExtraHop is committed to protecting our customers and honoring the trust you've placed in us by allowing our people, products, and services into your environment.

Along with the following security programs and certifications, we've developed a comprehensive security operations framework based on the NIST Cybersecurity Framework that guides our policies, processes, and procedures across the board. You can learn more about that framework in our Security, Privacy, and Trust overview.

Assurance Programs

SOC 2 Certification

SOC 2 and SOC 3

SOC 2 and SOC 3 reports are third-party audits of a company's processing controls pertaining to consumer data. Customers and other interested parties use these reports to make sure a vendor is handling their data securely, and to better assess any remaining risks.

ExtraHop annually engages with a third party for SOC 2 and SOC 3 compliance audits for ExtraHop Cloud Services and ExtraHop Machine Learning Service. These reports cover security controls that include firewalls, audit logs, and access controls.

Existing customers can access current SOC 3 reports here.


Privacy Programs

GDPR Certification


The General Data Protection Regulation (GDPR) is a law intended to improve the privacy, security and transparency in the use of personal data for European citizens. GDPR went into effect on May 25, 2018 and is among the most rigorous regimes that can be adopted by an organization in requiring accountability for the collection, protection and use of personal data.

ExtraHop's products and services comply with GDPR. Through our security and privacy programs, ExtraHop remains committed to ongoing GDPR compliance for the data we process for our customers. To do so, ExtraHop has paid particular regard to personal data lifecycle, privacy by default and design, data subject rights, data risk management, and security. ExtraHop has prepared a Data Processing Addendum for use by our customers processing European data, which complies with Article 28 of the GDPR. In addition to ExtraHop's participation in the US Privacy Shield Program, this addendum contains standardized EU Model Clauses approved by the EU Commission as an alternative basis for the transfer of personal data outside of the European Union.

U.S. Privacy Shield Certification

U.S. Privacy Shield

The U.S. Privacy Shield Framework is a replacement for the U.S. Safe Harbor Framework, which itself was a collaborative solution designed by the U.S. Department of Commerce and the European Commission in order to help U.S. companies comply with the EU's soon-to-be-defunct Directive on Data Protection.

The new Privacy Shield Framework offers a way for U.S. companies to comply with the General Data Protection Regulation (GDPR), which will go into effect in the EU in May 2018. Only through annual self-certification and third-party assessment can U.S. organizations transfer personal data from the EU or Switzerland to the United States.

As a U.S.-based company active in the EU, ExtraHop joined the U.S. Privacy Shield program in 2018 and confirmed that our security controls are in compliance with framework requirements. You can verify our current standing on the U.S. Privacy Shield Framework website.

ExtraHop is committed to becoming a certified business under the new Trans-Atlantic Data Privacy Framework when program details are announced.


Security Programs

ExtraHop is pursuing FIPS 140-3 Level 1 validation of the ExtraHop Cryptographic Module.

We are currently in the In Process stage and are awaiting final approval through NIST.gov. We anticipate receiving approval in the spring of 2023.

To learn more, see FIPS 140-2 Compliance on ExtraHop Systems.

Vulnerability Management

Penetration Tests

Penetration tests are deliberate attempts to exploit infrastructure vulnerabilities so organizations can (a) verify that their existing security controls are effective, and (b) identify any potential vulnerabilities that still need to be addressed.

ExtraHop undergoes regular penetration tests conducted by our internal security team as well as by independent third parties. We also perform security testing before each release.

Network Scanning

Network vulnerability scans are internal and external scans of an organization's network environment, used to identify potential vulnerabilities in websites, applications, and information technology infrastructures.

ExtraHop performs regular network scans and compiles detailed reports on known and emerging vulnerabilities.


Secure Development Practices

Our Process, Your Security

We develop our appliances and software services according to the following Secure Development Lifecycle:

  1. Design. ExtraHop uses threat modeling and secure design techniques from day one.
  2. Construction. We build our software using modern tools with secure functions enabled.
  3. Test. All components are subject to security testing.
  4. Vulnerability Response. Our commitment to customer security doesn't end when software ships. If issues are found, ExtraHop issues updates.

Internal Security Monitoring

ExtraHop On ExtraHop

It should come as little surprise that our internal teams use ExtraHop to maintain great visibility into our own networks, allowing our IT and security teams to identify potentially malicious activity just as our customers do.
