Security at Memfault
Protecting You and Your Customers
At Memfault, we understand the importance of protecting not only our customers but their customers as well. We have features in place to ensure we meet the security and privacy policies of your organization.
OUR CERTIFICATIONS
Security Compliance
SOC 2 Type II Certified
The SOC 2 Type II certification affirms that a verified, independent third party has formally reviewed Memfault’s infrastructure, software, data, people, policies, procedures, and operations. Memfault’s SOC2 Type II Report is available upon request under NDA.
PRIVACY
Full Data Encryption
Memfault is GDPR compliant, and we have a form DPA available upon request.
Device → Cloud
All data sent from the device to the Memfault cloud is encrypted via HTTPS and the latest versions of TLS where applicable. No networking connections used by Memfault for any purpose ever send unencrypted data. Memfault Customers are in full control of the exact data sent from the device, ensuring they can remove any sensitive PII (Personal Identifiable Information) or other info they don't want to collect.
Cloud
All data is encrypted at rest. We are hosted on AWS and encrypt all data at rest with keys managed in KMS and AWS SSE-S3. Crash reports uploaded to our service are encrypted using a key, which is unique to each project. This guarantees that this data cannot be shared between customers.
LEARN MOREPer-Organization Encryption
Raw binary data sent by devices and stored by Memfault is encrypted at rest. Device data stored by Memfault in AWS S3 is encrypted with a unique encryption key per customer using AWS SSE-C.
LEARN MOREOn-Device Data Collection
For all Memfault device SDKs, the customer is in complete control of the data that is sent to the Memfault service.
For Android devices, data can be scrubbed and filtered before it leaves the device. Scrubbing and filtering rules can be updated in our dashboard and are automatically propagated to the devices.
For MCU devices, the customer is in control of the device sent to Memfault. We recommend scrubbing memory regions, personally identifiable information, and sensitive data from any data collected before sending it to Memfault.
For Linux devices, customers have the ability to determine what data they’d like to collect. We’ve also added support for forced (non-interactive) updates, a critical feature for delivering security updates to devices.
Cloud Infrastructure
Memfault is hosted on cloud infrastructure from Amazon Web Services. We perform daily backups and can scale to meet performance needs.
Authentication
Memfault Web App Access
Single sign-on
Enterprise-grade single sign-on (SSO) allows users of an organization to log in using the organization’s third-party identity provider. Memfault supports Google OAuth, Microsoft OAuth, and many SAML-based identity providers (IDP). Learn more.
Memfault API and Memfault CLI Access
Organization Auth Token
Requests authenticated via an Organization Auth Token can only access the resources of their respective organization. Admins can create and delete Organization Auth Tokens. Learn more.
User API Key
Requests authenticated via a User API Key can access the resources of all the organizations a user has access to (except when SSO is required). Learn more.
Device SDKs and Usage
The Memfault Firmware and Android SDKs were purposely designed for low bandwidth, embedded hardware environments. Our SDKs are restricted to requesting pre-defined data sets and configuration, so they will never be able to inject code or run arbitrary scripts.
DEVICE SDKs AND USAGE
Memfault Firmware SDK
The Memfault Firmware SDK is capable of collecting full device coredumps, debug registers, logs, and custom metrics. Data collected is first compressed and then broken up into packets that can be as small as 9 bytes. The packets can be sent over any network technology, such as Bluetooth, LTE, WiFi, LoRa, Zigbee, proprietary protocols, and more, and using any combination of protocols. The data can also be collected after the fact from an SD card or hard drive and uploaded to Memfault at a later time.
A typical MCU device configured with a minimal configuration generates as little as hundreds of bytes of data per day. The cadence at which telemetry data is stored and sent from a device as well as the size of the data is fully configurable by the customer for further optimization.
The Memfault firmware SDK is source-available on GitHub at https://github.com/memfault/memfault-firmware-sdk.
Memfault Android Bort SDK
The Memfault Android (Bort) SDK collects crashes, metrics, reboots, and logs from the entire device (from device drivers, to system services, and applications). Custom Metrics can be added using on-device APIs. Learn more.
Data can either be collected using bugreports, or Memfault Caliper – an alternative collection mechanism where what data is collected is completely configurable. Individual types of data collection can be enabled/disabled, privacy rules configured (including log scrubbing) from the Memfault dashboard. Learn more.
The Memfault Bort SDK is source-available on GitHub at https://github.com/memfault/bort.
Memfault Linux SDK
The Memfault Linux SDK relies on well-established, battle-tested open-source software and provides our core platform features such as collecting crash reports, metrics, reboot reasons, and logs from the entire device.
With its compatibility with the hawkBit API, customers can point a compatible OTA on-device agent, such as SWUpdate, to Memfault’s endpoints to gain access to insightful device data. Learn more.
The Memfault Linux SDK is source-available on GitHub at https://github.com/memfault/memfault-linux-sdk.