At Stackify by Netreo (Netreo), we take seriously our role of safeguarding your company’s sensitive information and recognize the role we play in ensuring that we are a strong link in your data privacy and security ecosystem. This document is provided to share high-level information about the Retrace platform, its security-related features, and the security measures employed by the Netreo team.
Retrace is a cloud-based software platform that can monitor server and application health, error and log activity, and web application performance. The goal of the Retrace platform is to provide teams with unparalleled visibility and insight into application health and behavior, both proactively in a monitoring role and reactively in a troubleshooting role, while eliminating the need to log in to servers and other resources in order to investigate application problems.
Retrace utilizes a monitoring agent to monitor applications and resources from each server where the agent resides. The agent communicates outbound over Port 443 via SSL and encrypts all data in transit, with no inbound ports required to be open and no option for unencrypted transmission of data. In cases where APM+ is enabled, Retrace monitors performance information about queries and web service calls, and a signature for the query and web service is available in APM+ reporting. Retrace does not capture any sensitive information from these requests, and stores only anonymized data about said queries and web service calls.
No extra steps are required to mask sensitive data. By default, the agent collects no sensitive data from your servers, and can be installed safely in many regulated environments as a result.
With Retrace, you can aggregate logging data and errors from within applications with API, and from system resources via the agent if enabled for a given server. All error and log data is encrypted in transit, sent via SSL over Port 443. Retrace permanently purges the data from short-term and long-term storage once the data retention length specified by your subscription level is reached for a given set of errors and logs.
Error and log information sent to Stackify should be handled under the same best-practice rules as logging to a log file or any other plain-text destination, to ensure the highest degree of security: mask or omit any sensitive fields that could have compliance implications, and disable log shipping from any source that you do not have confidence in and control over.
Retrace is hosted in data centers located in the United States that comply with key industry standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards like Australia IRAP, UK G-Cloud, Singapore MTCS, and more. Retrace’s data centers undergo regular audits to ensure all appropriate safeguards are in place at all times.
All data transmitted to Retrace from your environment is sent over an encrypted SSL channel. All clients receive their own database within our system for added security, performance, and scalability. Each client is also issued a unique encryption key that is used throughout the system to encrypt data in transit and at rest. Throughout our user interface and backend systems, multiple checks are performed to ensure that users cannot access data from other clients by accident, via SQL injection, or via query-string manipulation.
Retrace’s database servers contain information about the client’s servers and applications. Data stored includes the IP address, server name, basic hardware specs and a list of applications installed on the servers. As part of server monitoring, Stackify stores performance metric data. Basic server information and metric data are not encrypted in storage, as they are not considered sensitive and encrypting this volume of data would introduce unnecessary performance challenges.
The one area where Retrace cannot encrypt potentially sensitive data at rest is for error and log information. As cited above, please mask or omit any kind of PII or compliance-oriented data that you wouldn’t want stored as plain text; if you are following best-practice logging guidance already, this will already be addressed.
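The masking guidance above (mask or omit sensitive fields before log data is shipped) can be enforced at the logging layer. The following is an added example written for this page, not Stackify's or Retrace's own code: a Python `logging` filter that redacts known sensitive field names and inline card numbers or e-mail addresses before any handler, including a log-shipping handler, sees the record. The field names, patterns and the `make_record` helper are assumptions for illustration.

```python
import logging
import re

# Added example, not Stackify's own code: a logging filter that masks PII
# before a record reaches any handler, including one that ships logs off-box.
# The field names and patterns below are assumptions; adapt them to your schema.

SENSITIVE_KEYS = {"password", "ssn", "credit_card", "authorization", "email"}

# Inline patterns for values that commonly leak into free-text messages.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")           # 13-16 digit card numbers
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")   # e-mail addresses


def mask_text(text: str) -> str:
    """Replace card numbers and e-mail addresses in free text with placeholders."""
    return EMAIL_RE.sub("[EMAIL]", CARD_RE.sub("[CARD]", text))


def redact_record(record: logging.LogRecord) -> logging.LogRecord:
    """Rewrite a LogRecord in place: message text, %-format args and extra= fields."""
    record.msg = mask_text(str(record.msg))
    if isinstance(record.args, tuple):
        record.args = tuple(mask_text(a) if isinstance(a, str) else a for a in record.args)
    # Fields passed via extra={...} become plain attributes of the record.
    for key in list(vars(record)):
        if key.lower() in SENSITIVE_KEYS:
            setattr(record, key, "***")
    return record


class RedactingFilter(logging.Filter):
    """Attach to the logger (not a handler) so every downstream handler sees masked data."""

    def filter(self, record: logging.LogRecord) -> bool:
        redact_record(record)
        return True


def make_record(msg: str, args: tuple = (), **extra) -> logging.LogRecord:
    """Build a LogRecord the way Logger.info(msg, *args, extra=...) would (test helper)."""
    return logging.makeLogRecord({"msg": msg, "args": args, **extra})


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log = logging.getLogger("app")
    log.addFilter(RedactingFilter())
    log.info("payment by %s with card 4111 1111 1111 1111", "bob@example.com",
             extra={"ssn": "123-45-6789"})  # prints: payment by [EMAIL] with card [CARD]
```

Because the filter is attached to the logger rather than to a single handler, a file handler, a console handler and a Retrace-shipping handler all receive the same masked record.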
Users in Retrace are stored using email addresses as usernames, and a single email address may be associated with a single user in a single customer account. Each customer account may have unlimited users. Retrace provides a robust set of user- and role-based access controls to enable account administrators to control which resources, data, and permissions are available to all users of the account. Customers are responsible for managing users and permissions for their account.
In addition, Retrace offers two-factor authentication and Single Sign-On for enhanced account security.
By following Retrace’s installation best practice recommendations, it is possible to implement Retrace in a manner that does not interfere with compliance obligations.
In a healthcare environment, Retrace can be implemented without impacting HIPAA compliance obligations. By following the guidance in this document, Stackify will not receive any protected health information.
In a PCI-compliant environment, Retrace can be installed behind a proxy server to satisfy the requirement that there be no direct connections between the internet and the cardholder data environment.
For a more in-depth discussion about how Retrace fits into a regulated environment, or to discuss regulatory environments other than those listed above, please contact Stackify Support ([email protected]).
If at any time you are concerned that a security incident may have occurred or have a security-related question, please contact Netreo’s Support Team immediately at [email protected] or visit our support site at http://support.stackify.com. In the event that Netreo detects a security incident, we will proactively communicate, as appropriate, through email and/or our support site. Netreo also maintains a status page that can be found at http://status.stackify.com/.