Synopsys Cloud
Cloud native EDA tools & pre-optimized hardware platforms
Request a Free Trial →
Security Commitments
As an organization dedicated to protecting and securing our customers¡¯ applications, Synopsys is equally committed to our customers¡¯ data security and privacy. This statement is meant to provide Synopsys¡¯ customers and prospects with the latest information about our systems, compliance certifications, processes, and other security-related activities.
Information Security Policy
Synopsys has defined and published a set of information security policies which is:
- Based on ISO 27001, ISO 27002, NIST SP 800-53, NIST SP 800-171, and NIST CSF
- Approved by management
- Communicated to all employees and relevant external parties
- Reviewed annually by stakeholders
Product Security Assessments
Synopsys regularly performs a variety of security assessments on both the application level as well as the environments that host our applications. These include:
- Product-on-product (PoP) testing¡ªeach release of a product is scanned for security vulnerabilities.
- In-depth internal security assessments¡ªfor major new features, we include a combination of penetration tests, code reviews, and architectural risk assessments.
- Threat modeling¡ªfor major new releases, Synopsys creates and/or updates threat models that provide a baseline for other security testing activities.
Security for Software as a Service
- Our SaaS offerings utilize industry leading cloud service providers, known for their security and protections; and must meet or exceed a set of rigorous security assessments, and security control requirements at Synopsys.
- In addition to the security provided by our cloud service provider (CSP), Synopsys uses real-time monitoring tools for cloud configuration and container integrity, a web application firewall, and other security controls.
Privacy
Please see our Privacy at Synopsys page here containing our Data Privacy and Protection Statement and our Website Privacy Policy.
Incident Management
- Synopsys has established policy, process, and procedure to ensure a quick, effective, and orderly response to information security incidents.
- The Information Security Incident Management Standard and Incident Response Plan are reviewed, tested, and updated (as appropriate) at a minimum, annually.
- Synopsys will notify customers consistent with the Data Privacy and Protection Statement referenced by our Privacy Policy.
Network Security
- Synopsys has deployed IDS/IPS, WAFs, Firewalls, and related technologies to protect against external threats.
- Network environments are physically and logically segregated; customer data are logically segregated.
- Security alerts are monitored 24x7 by a dedicated security team with a 5-min SLA for initial triage of critical alerts.
- Vulnerability scans are performed daily.
Encryption
- All customer data are encrypted in transit and at rest. Beyond mass storage encryption sensitive data is also secured using application layer encryption.
- All traffic is encrypted in transit by default via HTTPS/TLS (Transport Layer Security) 1.2 or better.
- All persistent data are encrypted at rest in the CSPs using AES 256-bit encryption or better.
Availability, Backup, and Disaster Recovery
- High availability is achieved using the native cloud orchestration capabilities of Azure.
- If individual VM containers fail within a CSP availability zone, they will recover automatically due to the cloud-native architecture. If there is an outage for a complete CSP availability zone or region, there is a process that will create a new instance in a different availability zone or region.
- In general, across all types of disaster situations, including failures beyond core infrastructure, Synopsys¡¯ recovery time objective (RTO) is one (1) business day and the recovery point objective (RPO) is 24 hours.
- Synopsys maintains a certification for Business Continuity Management System, ISO 22301:2019.
Access Management
- Only the customer has access to their own data. If Synopsys employees need access to customer data for troubleshooting or support purposes, customer permission is required to grant access.
- Multi-factor authentication (MFA) capability is provided to customers for accessing Synopsys applications.
Logging and Monitoring
- User and system administrator activities are logged and:
- Routed to a centralized SIEM for monitoring, analysis, and alerting
- Protected from tampering
- Retained for at least one year
Change Management
- Changes to the organization, business processes, cloud infrastructure, and systems affecting information security are performed per a defined change management policy, process, and procedure.
- All changes are logged via a ticketing system, and approvals are required and tracked.
- The technical review includes a risk assessment and all other technical aspects of the change.
Compliance
ISO 27001 Certified
ISO 22301 Business Continuity Management Certified
SOC 2 Type 1 / SOC 2 Type 2
Covering security, availability, and confidentiality
TISAX certification
Synopsys has completed a Trusted Information Security Assessment Exchange (TISAX) assessment. This standard provides the European automotive industry a consistent, standardized approach to information security systems.
Scope: EDA Level3 with Prototype - 2024 | S6NMKN
Scope: Information with High Protection, PikeTec - Europe ¨C 2024 | SWH934 | AP9W24-1
Inquiries
Please contact securityassessment@synopsys.com for further inquiries regarding security at Synopsys.