Unravel SaaS FAQ
Privacy
What types of data do you collect?
We only collect metadata and performance data from the data application jobs themselves. Unravel does not have access to the data stored in your data lake or other databases, and that data is not and cannot be shared with Unravel.
Does Unravel send data back to my data lake and other databases?
No, Unravel only collects metadata from jobs and pipelines run against your data lake and other databases as read-only and does not send anything back to you.
How much egress is estimated?
Based on our metrics, we estimate 1 GiB of data egress for every 1,000 running jobs per day.
Where is the account hosted?
Unravel is hosted on Azure, AWS and Google Cloud Platforms (GCP) but can be hosted on other cloud platforms by request.
Unravel SaaS Security FAQs
Architecture
How does the application access the database? What privileges are assigned to accounts that access the application database?
The database is accessed using standard Java, Python, and Node.js drivers, which support authentication and SSL/TLS. Unravel needs privileges to manage its schema in the database (tables, indexes, relations, functions, etc.). For details on Architecture, see here.
Authentication
Does the application support SSO for authentication? Is Single Sign-On (SSO) to be used?
SaaS is supported via SAML2.0 and OAuth.
Does the application use cookie-based session management or token-based session management such as JWT, OAuth, SAML, and API keys?
The application uses token-based session management. We support JWT (JSON Web Tokens) for stateless authentication, OAuth for delegated access control, and SAML for single sign-on (SSO). API keys are also used to secure API endpoints. Cookie-based session management is not utilized, ensuring that session informa
Do stateless session tokens (JWT) use digital signatures, encryption, and other countermeasures to protect against tampering, enveloping, replay, null cipher, and key substitution attacks?
Yes, the stateless session tokens (JWT) use digital signatures, encryption, and other countermeasures to protect against tampering, enveloping, replay, null cipher, and key substitution attacks.
Is the secure flag or HttpOnly set for session cookies?
No, the secure flag or HttpOnly is not set for session cookies, as the application does not use cookie-based session management.
Is the application using custom authentication? If 'Yes', where are the user credentials stored? Will authentication be facilitated via integration?
Yes, custom authentication is supported. The user credentials are stored in the database in hashed form. We only support Unravel’s native authentication with username and password.
Do any credentials need to be hard-coded in scripts, files, etc.?
No.
Is this application integrated with other applications?
Yes, it has many integrations. Some include CI/CD pipeline, Slack, email, SSO, etc.
Does the application enforce Two-Factor Authentication (2FA)? Is MFA implemented in the application?
No.
Are any Forgot password/Password reset features implemented in the application?
No.
Is account lockout enabled for multiple incorrect login attempts?
The SSO service enables account lockout functionality. This is not applicable if you are using the internal login method.
Does the application enforce step-up authentication for sensitive transactions?
No.
What are the password policies being applied? What controls are in place for password strength? i.e., Length, Numbers, Symbols, uppercase, minimum lifetime, and use of previous passwords. Required to keep passwords confidential, use complex passwords, and change passwords at periodic intervals?
Password policies are managed by SSO service.
Network and Server Security
How is the database accessed from the application? Through direct SQL queries or parameterized queries?
Parameterized queries.
Is the database shared with other applications?
No.
Does the application pass unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to an OS system shell?
No.
Identity and Access
Is authorization based on roles? If so, describe the users in terms of roles and the capabilities of each role.
Yes, authentication is based on roles. For more details see here.
How are any temporary files protected from unauthorized disclosure, alteration, and destruction?
Temporary files are written to <unravel-install-location>/tmp which is owned by and restricted to the user running Unravel.
What is the process of obtaining a user account?
This is typically managed by SSO; however, if you are using Unravel's built-in authentication, please contact Unravel support.
Compliance
Is Unravel SOC compliant?
Yes, Unravel is SOC2 compliant. See here for more information.
Is Unravel GDPR compliant?
Yes, Unravel is GDPR compliant.
Data Security
How does Unravel ensure data is secured when sending to Unravel Cloud?
We use TLS encryption, which is the same standard secure websites use to secure data in transit.
What ports do I need to open?
Port - 443.
Is the user input validated for special characters like '<> to prevent attacks like XSS, SQL Injection, etc.?
Yes, it is validated. We also do it after receiving any vulnerability report from internal security or penetration tests from a third-party vendor.
Do input validation routines consider equivalent (canonicalization) names such as Unicode or URL-encoded equivalents? File paths and URLs are particularly prone to canonicalization issues, and many well-known exploits directly result from canonicalization bugs.
Yes, our input validation routines consider equivalent names such as Unicode or URL-encoded equivalents. This helps prevent canonicalization issues which can lead to exploits. We perform these validations as part of our security measures, incorporating them into our regular internal security tests and third-party penetration tests.
Does the design require input validation on all input received from other systems, including form fields, query strings, cookies, and headers?
Yes. We do it after receiving any vulnerability report from internal security tests or penetration tests from a third-party vendor.
Does the design require input validation on all input received from other systems, including form fields, query strings, cookies, and headers?
Yes. We do it after receiving any vulnerability report from internal security tests or penetration tests from a third-party vendor.
Does the server rely on JavaScript or other client-side means for validation?
Yes.
Is untrusted data encoded before it is reflected back to the output stream?
We do it after receiving any vulnerability report from internal security tests or penetration tests from a third-party vendor.
Does this application have file upload functionality? Is there a file upload or download component to the system? For example, can a user upload a file from their desktop/laptop to the application? What data elements are expected to be uploaded–e.g., email addresses, full names, etc.? What is the classification of this data?
Yes. With the app store feature, a user can upload a file from their laptop to the application. The data element expected to be uploaded is a micro-app given by Unravel for customized reports. File download is also supported for certain functionalities. CSV file download is used to download tabular data of jobs, users, clusters, queries, etc.
Where are the files stored? Database or file system?
File system.
What events are logged and audited?
Our system logs and audits a variety of events to ensure security and operational oversight. These include errors, exceptions, Spark workload statuses, configuration calls, Unravel CLI commands, and failed and successful login attempts.
Secure Configuration
Is a commercial-off-the-shelf (COTS) product being used? If yes, have all default passwords been de-activated?
We do not use commercial off the-shelf product
What is the sensitivity of the information assets that the software will store and process?
We process mainly the usage metrics and information exposed by the data platform at the runtime of these SQL and Spark jobs.
Is any sensitive information/token going to be included as a part of the GET request?
No. No sensitive info is included in the GET request.
Are unused methods like TRACE, PUT, DELETE, etc., disabled?
Yes, they are disabled.
Is the communication between the components, such as between the application server and database server, encrypted?
No.
How are exceptions handled in the application? Are there any custom error pages designed?
We use standard Java error packages. We do not have a custom error page.
Deployment
What other ways can I try Unravel?
Unravel supports AWS, Microsoft Azure, Snowflake, and Google Bigquery.
Where can I get access to the deploy guides and user guides?
All of our documentation is available at https://docs.unraveldata.com
Features
Is there someone I can speak to for support?
Feel free to reach out to
trials@unraveldata.com
or your dedicated assistant for your new account.Can I connect multiple platforms to Unravel as part of the new account?
Yes, access to multiple platforms from your account is available upon request. Get in touch with the dedicated assistant for your account or email us
trials@unraveldata.com
.What happens after my new account is created?
You will receive a verification email to confirm your email address, followed by a welcome email and login credentials.
Where can I sign up for Unravel SaaS for free?
Signup for Unravel SaaS here.
I have more questions; how can I get in touch with you?
Email us:
trials@unraveldata.com