SolarWinds Technical and Organizational Measures

The following Technical and Organizational Measures (TOMs) apply to SolarWinds’ processing of Personal Data under the SolarWinds Customer Data Processing Addendum and SolarWinds Data Transfer Addendum Controller to Controller, as applicable. Any capitalized terms used but not defined have the meanings set out in the Customer Data Processing Addendum or the Data Transfer Addendum. Further details on SolarWinds’ security posture can be found in our Trust Center. SolarWinds’ Privacy Notice contains more information on how SolarWinds collects, uses, and discloses Personal Data.

1. Information Security Program

  • SolarWinds maintains an information security program designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
  • The program operates under an Information Security Management System (ISMS) with defined roles, responsibilities, and senior leadership oversight, supported by documented security, privacy, and risk management policies and standards.

2. Access Control and Authentication

  • Access to systems and Personal Data is restricted based on business need and least‑privilege principles.
  • Unique user identities are provisioned through controlled approval workflows.
  • Authentication controls, including multi‑factor authentication for privileged or sensitive access, are used to prevent unauthorized access.
  • Access rights are reviewed periodically and are removed or adjusted following role changes or termination, in accordance with established processes.

3. Data Protection

  • SolarWinds applies safeguards to protect Personal Data throughout its lifecycle. 
  • Data is protected using industry-standard cryptographic measures for transmission and storage, supported by secure key management practices and access logging.
  • Where appropriate, data is handled in a manner intended to reduce identifiability. 
  • Processing environments are designed to limit unnecessary exposure through appropriate separation, and access to data is monitored to detect unauthorized activity. 
  • Backups are safeguarded using appropriate protective measures. 

4. Network and Communications Security

  • Secure communication protocols and approved connectivity mechanisms are used to protect data during transmission. 
  • Network access is restricted and monitored, and remote connectivity is protected through controlled access mechanisms with strong authentication.
  • Data transfers are limited to approved channels and monitored to reduce the risk of unauthorized disclosure. 

5. Secure Development and Change Management

  • SolarWinds follows secure development lifecycle practices designed to reduce security risks in software development. 
  • Changes to systems and applications are managed through documented change and configuration management processes that include appropriate approvals, segregation of duties, testing, and auditability.

6. Physical and Environmental Security

  • Facilities that process Personal Data implement physical and environmental security controls designed to prevent unauthorized access, damage, or interference. 
  • Physical security controls may include restricted physical access, monitoring, visitor management, and environmental protections such as fire detection, climate controls, and resilient power systems, as applicable. 
  • Physical access is centrally managed and periodically reviewed. 

7. Logging and Monitoring

  • Systems, applications, and network devices generate security and audit logs that record relevant access and activity. 
  • Logs are protected from unauthorized access and are reviewed or monitored in accordance with defined procedures and retention practices to support monitoring, investigation, and compliance obligations.

8. Incident Response

  • SolarWinds maintains incident response procedures designed to detect, assess, respond to, and recover from security incidents. 
  • Security events are evaluated and managed in accordance with documented processes, with escalation and customer notification handled in line with contractual and legal requirements.

9. Business Continuity and Availability

  • Business continuity and disaster recovery measures are implemented to support the availability and resilience of services. 
  • These measures include backup and recovery processes, redundancy, and testing intended to support restoration of data and service availability following an incident, where applicable. 

10. Risk Assessment and Security Assurance

  • SolarWinds conducts periodic risk assessments and security testing activities, including vulnerability scanning and independent assessments where appropriate. 
  • Findings are tracked through formal risk and remediation processes. 
  • Independent assurance, such as SOC 2 Type II reports and ISO/IEC 27001 certification, is maintained for relevant services as applicable. 

11. Personnel Security and Training

  • Personnel with access to systems or Personal Data may be subject to background checks where permitted by law and are required to complete onboarding and ongoing security and privacy training. 
  • Role-based training is provided where appropriate to support secure operations.

12. Vendor and Sub-processor Management

  • SolarWinds maintains a third-party risk management process designed to assess and manage security risks associated with vendors and sub-processors.
  • Vendors with access to Personal Data are required to meet applicable security and privacy obligations consistent with contractual requirements. 

13. Data Retention and Deletion

  • Personal Data is retained only for the period necessary to fulfill contractual, legal, or operational requirements. 
  • Upon termination or expiration of services, Personal Data is deleted or otherwise handled in accordance with contractual commitments and applicable law, and any residual copies retained for legal or compliance purposes remain protected under the same security measures.