Trust Center

Security. Privacy. Compliance.

The integrity and confidentiality of your information are fundamental priorities for Matillion. We are committed to transparent practices that uphold the highest levels of security, allowing you to trust the full range of solutions we provide, now and in the future.


Ongoing Risk Assessment

To continually enhance our security posture, Matillion performs ongoing evaluations of potential risks across all aspects of our organization, from internal operations to our diverse portfolio of products and services. We understand that the security landscape is ever-changing and accept that no product, person, or process is ever complete. As such, we are committed to ongoing improvements and innovations while demanding quality within our security program.


Compliance

An independent third-party auditor has rigorously evaluated our comprehensive security program against industry-leading standards, confirming our adherence to SOC2 Type II requirements.


CCPA

Whilst we do not store or process much personal information of our customers, Matillion still complies with all obligations under the California Citizens Privacy Act.


CSA Star

Matillion have completed the Consensus Assessments Initiative Questionnaire (CAIQ) to document compliance with the Cloud Controls Matrix (CCM). This is a transparent document providing customer visibility into specific provider security practices.

Matillion CSA Star Registry

GDPR

Matillion complies with all obligations under the European Union’s General Data Protection Regulation (GDPR) and DPA2018.


HIPAA

Matillion complies with HIPAA requirements for Protected Health Information (PHI) and will sign an appropriate Business Associate Agreement (BAA) with customers who are subject to HIPAA.


ISO 27001

The ISO 27001 Stage 2 Audit was completed as of 20th September '22. No non-conformities were found by our audit partner, and Matillion has therefore been recommended for certification to ISO 27001. A follow-up year 1 review was also completed on 20 February '24, with Matillion assessed as passed/compliant. See included certificate.

SNR Certification Matillion Limited Certificate

PCI DSS


SOC 2

Matillion has undergone a full, external audit in line with the AICPA’s SOC2 certification framework. This framework assesses the security controls applied to our whole business to signal the importance of security to our customers.

MATILLION LIMITED SOC 2

Documents

  • Security Whitepaper (Reports)
  • Asset Management Policy (Policies)
  • BYOD Policy (Policies)
  • CSA Star (Compliance)
  • Business Continuity Policy (Policies)
  • Data Classification Policy (Policies)
  • General Incident Response Policy (Policies)
  • Encryption Policy (Policies)
  • Data Security Policy (Policies)
  • Access Control Policy (Policies)
  • GDPR (Compliance)
  • HIPAA (Compliance)

Trust Center Updates

CVE-2024-6387 - Vulnerability in OpenSSH - aka. regreSSHion

Vulnerabilities

Updated 09/07/2024 10:00 GMT

Matillion is aware that a security vulnerability in a widely used third-party library (OpenSSH Server), known as CVE-2024-6387 or ‘regreSSHion’, was reported on the 1st July 2024.

Matillion ETL:

  • All customers, regardless of version or installation method, are strongly advised to avoid facilitating internet access to their instance via SSH as per the Matillion ETL Best Practices (https://docs.matillion.com/metl/docs/matillion-etl-security-best-practices/).
  • Customers who are running a Matillion ETL 1.75 AMI are running a vulnerable version of OpenSSH. To install the patch:
    • Access the Matillion ETL instance command line
    • Run the following command 'sudo yum update openssh'
    • Once the update has completed, confirm the release installed by running the command 'sudo yum info openssh' (Case Sensitive)
    • If the patch has been successfully installed, the 'Release' should show as '42.el9' rather than '41.el9'. 

Note: Although the patched OpenSSH version still shows as OpenSSH 8.7p1, release 42 includes the patch for CVE-2024-6387, as mentioned in the linked changelog (https://gitlab.com/redhat/centos-stream/rpms/openssh/-/merge_requests/78/diffs).

  • Customers who are running Matillion ETL 1.74 AMI and older are not running a vulnerable version of OpenSSH.
  • Customers who have installed Matillion ETL using the Universal Installer are advised to check the installed version of OpenSSH on their instance using the following steps:
    • Access the Matillion ETL instance command line
    • Run the following command ‘ssh -V’ (Case Sensitive)
    • The version of OpenSSH will be displayed. Vulnerable versions are 8.5p1 <= OpenSSH < 9.8p1 OR versions below and including 4.4p1.
    • Customers running a vulnerable version should consult their Operating System vendor for advice on patching.
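
The version check from the steps above as a script, added here as an example (it is not Matillion's own code). It applies the ranges exactly as this advisory states them and, for the 8.7p1 case, the 41.el9/42.el9 release values from the note; the function names, result labels and sample banners are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify an `ssh -V` banner using the ranges stated in this advisory.

# "8.7p1" -> 80701 (major*10000 + minor*100 + patch) so versions compare as integers.
ver_key() {
    rest=${1#*.}
    case $rest in
        *p*) patch=${rest#*p} ;;
        *)   patch=0 ;;
    esac
    echo $(( ${1%%.*} * 10000 + ${rest%%p*} * 100 + $patch ))
}

# $1 = banner text from `ssh -V 2>&1`
# $2 = optional RPM 'Release' field as shown by `sudo yum info openssh`
classify_openssh() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\(p[0-9][0-9]*\)\{0,1\}\).*/\1/p')
    [ -n "$ver" ] || { echo "unparsed"; return 0; }
    key=$(ver_key "$ver")
    # Ranges as given in the advisory: <= 4.4p1, or 8.5p1 <= version < 9.8p1.
    if [ "$key" -le 40401 ] || { [ "$key" -ge 80501 ] && [ "$key" -lt 90801 ]; }; then
        # The version string cannot show a distro backport, so use the release
        # field when the caller supplies one (only the values the advisory names).
        case "$ver:${2:-}" in
            8.7p1:42.el9*) echo "patched-release" ;;
            8.7p1:41.el9*) echo "unpatched-release" ;;
            *)             echo "in-range" ;;   # consult the OS vendor
        esac
    else
        echo "outside-range"
    fi
}

# Constructed sample banners (not captured from any real host).
for banner in \
    "OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022" \
    "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017" \
    "OpenSSH_9.8p1, OpenSSL 3.3.1 4 Jun 2024"
do
    printf '%-14s %s\n' "$(classify_openssh "$banner")" "$banner"
done
```

On a live instance the banner comes from `ssh -V 2>&1`, because ssh prints its version to standard error. An "in-range" result means only that the version string falls inside the stated ranges; whether a vendor backport is installed still has to be confirmed with the OS vendor.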

Matillion Data Productivity Cloud:

Data Productivity Cloud is not affected by this vulnerability.

Published at 03-07-2024 3:00:00

Remote Code Execution vulnerability in Git (CVE-2024-32002)

Vulnerabilities


Matillion is aware of the details of a critical vulnerability (CVE-2024-32002) that affects Git. We can confirm that neither Matillion ETL nor Matillion Data Productivity Cloud is impacted by this vulnerability and customers do not need to take any action.

Published at 05/23/2024, 11:09 AM*


Command Injection Vulnerability in Palo Alto PAN-OS (CVE-2024-3400)

Vulnerabilities

Matillion is aware of CVE-2024-3400 which is present in specific versions of Palo Alto PAN-OS software. We can confirm that Matillion is not impacted by this vulnerability.

Published at 04/18/2024, 3:51 PM*


Red Hat CVE-2024-3094 Discovered March 28

Matillion are aware of the Red Hat CVE-2024-3094 incident discovered on March 28 (https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users). This incident affects base operating system components.

That said, the current default Matillion ETL base image is CentOS Stream 8 (CentOS 7 prior to 1.68) and as such, per Red Hat's CVE notes, this version is not affected. You can confirm this yourself by running the xz --version command in a Bash component or terminal; it will respond with a version prior to 5.6.0:

    $ xz --version
    xz (XZ Utils) 5.2.5
    liblzma 5.2.5

Customers who have installed on a base operating system other than our default, or have manually forced an upgrade of this package, should check immediately whether they have an affected version of this library. The affected versions are 5.6.0 and 5.6.1. Any systems with these versions should be stopped immediately. The exploit appears to allow root access to an attacker via SSH connection, and any system which may be so contacted must be assumed to be compromised.

Published at 04/05/2024, 10:34 AM*


(Non Security) Critical Advisory - METL Update Required

General

(Non Security) Critical Advisory: Has your Matillion ETL (METL) instance stopped responding and are you unable to log in? Due to a Matillion ETL (METL) license management defect, you need to patch to restore functionality. Simple-to-follow remediation instructions can be found here: https://docs.matillion.com/metl/docs/critical-advisory-licence-management-defect/

Published at 02/23/2024, 10:05 AM*


libwebp image framework (CVE-2023-4863)

Vulnerabilities

Matillion's security team is aware of and responding to the announcement of a critical vulnerability in the libwebp image framework (CVE-2023-4863).

We are prioritising the rollout of security patches and the implementation of appropriate mitigation strategies to reduce the risk to our internal applications and environments.

Matillion ETL: We can confirm that the vulnerable libwebp package is present in our Matillion ETL AMI; however, it is not utilised by Matillion ETL and as such we assess the risk to be low. We recommend that customers apply the patch as soon as it is available from the vendor(s). Example: https://access.redhat.com/errata/RHSA-2023:5309

Data Productivity Cloud: Data Productivity Cloud does not have the libwebp package and as such is not considered vulnerable.

Please reach out to support if you require any assistance.

Published at 09/29/2023, 8:48 AM*


MOVEit Transfer and MOVEit Cloud Vulnerabilities

Vulnerabilities

On May 31 and June 9, 2023, Progress Software announced the discovery of two critical vulnerabilities (CVE-2023-34362 and CVE-2023-35036) that could lead to escalated privileges and unauthorized access to their MOVEit file transfer product and environment.

On June 16, an additional critical vulnerability related to this issue, CVE-2023-35708, was announced.

Following our vulnerability response process, including a review of all environments, we can confirm that Matillion does not use MOVEit Transfer and MOVEit Cloud products and has no evidence at this time of any impact to customer data due to these vulnerabilities.

Published at 19-07-2023 19:00:00

User Awareness, Fraudulent site in Matillion's name.

General

---Matillion has been made aware of similar domains that claim to be operated by Matillion; these include matillion-okta.com and matillion-pro.com.

Abuse claims have been raised and as of today, all sites are now down. We will continue to keep our customers updated in case of any new developments.

Kind Regards,

Published at 04/20/2023, 3:58 AM

---Matillion has been made aware of a recent fraudulent website (http://uk-matillion.com) that claims to be running a promotional program in an attempt to get victims to deposit money through the site.

Matillion is working to ensure that this site is taken down; however, it felt important to make all customers aware of the situation.

Kind Regards,

Published at 04/12/2023, 12:11 PM*
 


Matillion's Response to the 2022 OpenSSL 3 Vulnerabilities

Incidents

Matillion is aware of the current discussions around the OpenSSL 3.0.7 vulnerabilities. At present we do not use the library within our default images and therefore Matillion products and services are not exposed to this vulnerability. We have also found no instances of the vulnerable version within our estate but we are continuing to investigate and gain assurance. Should we determine any exposure, then the remediation of this vulnerability will be completed in line with our Vulnerability & Patch Management process. We are also assessing if there has been any exposure within our third party supply chain, but so far have found no impacted services.

Published at 11/03/2022, 9:09 AM*


Welcome to the Matillion Security Trust Center

General

As an organisation that is security conscious and values security, we are excited to announce the official launch of the Matillion Security Trust Center. By using this portal, you can request access to our compliance documents, review our standardized questionnaires such as the SIG and gain a general understanding of our security posture.

Over time, our team will be making changes to this portal as we implement new tools and processes in our environment. You can use the Subscribe button to receive email notifications for when our team has an important update, such as if we have an updated compliance report or if we have a status update regarding a major security vulnerability that has been recently discovered.

The Matillion Security Team

Published at 06/30/2022, 12:59 AM


If you think you may have discovered a vulnerability, please send us a note.
