Security is part of our code
Software that works perfectly is software that’s secured properly. So, from start to finish, product to practice, we ensure we meet your security needs and provide you with transparency into everything we do.
Dynatrace security program
Data security controls
Data security controls are measures that safeguard sensitive information from unauthorized access, ensuring data integrity, confidentiality, and availability. Security controls implemented by Dynatrace are independently audited on a regular basis. They secure and encrypt your data end-to-end and provide real-time protection against cyber threats with Dynatrace Application Security.
Learn about the security controls that are included in the Dynatrace Security Development Lifecycle (SDLC) in our Documentation.
Your data is secured end-to-end
Dynatrace is created with a secure software development lifecycle (SDLC), is independently audited and pen-tested, and provides very strong security by default.
Non-privileged monitoring agents
Install monitoring agents (OneAgent) without the need for root permissions.
Automatic signature verification
Ensures integrity of Dynatrace components.
Single-Sign-On
Enterprise-grade single sign-on integration options for SAML 2.0, OpenID or LDAP.
Data encryption
Dynatrace SaaS uses TLS 1.2+ (SSL Labs Grade A+) to encrypt all data in transit between OneAgent, ActiveGate and Dynatrace Cluster. Dynatrace uses AES-256 encryption and key management for stored data.
Secure Dynatrace tenants
Your Dynatrace tenant features additional security measures beyond the security offered by the cloud providers (AWS, Azure, GCP) and your secure Dynatrace cluster.
Encryption
All data at rest is encrypted using AES-256 encryption.
API access management
Secure and highly configurable API access tokens. Automatic scans and notifications for leaked tokens.
Audit logs
Each access is logged, time-stamped, and made available to you in an automated way via our REST API.
All authorized Dynatrace employees are bound by strict confidentiality agreements.
Data backups and disaster recovery
Every 24 hours, Dynatrace SaaS performs data backups that include the data captured for at least the last 30 days. The maximum recovery point objective (RPO) for a full cluster is 24 hours. The recovery time objective (RTO) is up to 24 hours, depending on the size of the cluster.
Secret management
The credential vault is a centralized repository where you securely store and manage your credentials.
Business continuity and high availability
Dynatrace SaaS uses a clustered architecture, multiple availability zones (data centers), and automatic fail-over mechanisms to ensure availability.
Secure development lifecycle
To ensure secure development of its platform, Dynatrace has implemented controls and practices that cover the full development lifecycle, from defining the requirements and design, through development, continuous integration, and hardening, to production.
Business practices & organizational security controls
Business continuity
We have built resiliency, failover, and rapid recoverability into our solutions, infrastructure, and business systems. Our global cloud focus and operational model allow us to limit vulnerability to regional technology outages.
Vendor management
We utilize an extensive vendor management evaluation process to evaluate the cyber risk of all our vendors. Vendors are evaluated prior to onboarding, and reviewed on a periodic basis or whenever there’s a significant change in their cyber risk rating. Risk ownership is clearly defined and regularly reviewed.
Employee security awareness
All Dynatrace employees and contractors must complete a Security Awareness Training course at their time of hire as well as on a yearly basis, covering topics such as ransomware, social media, credential management, impersonation attacks, data handling, fraud, phishing, and identity theft.
Additionally, employees may undergo training focused on the nature of their job or role. Employees are also tested quarterly for phishing identification. Remedial training is required for all failed tests.