Blackfire.io offers a performance monitoring solution and maintains cloud compliance certifications to meet industry standards. Responsibilities for these certifications are divided among the host (Blackfire.io), the customer's application developers, and shared efforts.
Basic compliance questions can be handled by our support team via email.
Blackfire.io and customers often have shared responsibility for ensuring an up-to-date and secure environment. The customer is responsible for achieving and maintaining their own certifications and compliance.
The following is a general allocation of responsibilities between Blackfire.io and the customer. For guidance on responsibility for specific certification requirements, refer to the relevant shared responsibility matrices below.
The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of network security and business best-practice guidelines that establish a "minimum security standard" to protect payment card information. Although Blackfire.io undergoes an annual third-party audit to maintain PCI DSS certification, no cardholder data is stored, processed, or transmitted in the Blackfire environment. Cardholder processing activity is discouraged. Please use a third-party processor.
Customers who want to run PCI workloads using Blackfire.io must adhere to and implement the measures contained in the Blackfire.io PCI Responsibility Matrix (Excel). This document provides guidance on shared responsibilities to achieve PCI DSS compliance using PCI DSS v4.0.1 as a reference.
While Blackfire.io provides a secure and PCI-compliant service, Blackfire.io does not store, process, or transmit cardholder data (CHD) for facilitating or handling payments.
Note: Debug mode does not sanitize the captured data, so there is a chance that CHD may be sent to the metric server. Hence, do not use debug mode in production environments.
The Blackfire.io agent is HIPAA compliant only when used as part of the Platform.sh service offering. Using Blackfire.io as a standalone product does not guarantee HIPAA compliance. All HIPAA workloads will run on the US-4 region.
Blackfire.io holds SOC 2 Type 2 and PCI DSS certifications. As part of those third-party audits, we have been audited on overlapping HIPAA controls. Independent third-party audits provide an external examination of the controls we have implemented on our infrastructure and operations and confirm Blackfire.io's commitment to complying with information security standards and industry best practices.
Please note that there is no certification recognized by the US Department of Health & Human Services for HIPAA compliance. Thus, complying with HIPAA is a shared responsibility between the customer and Blackfire.io.
Note: Debug mode does not sanitize the captured data, so there is a chance that PII or ePHI may be sent to the metric server. Hence, do not use debug mode in production environments.
While Blackfire.io provides a secure and compliant service, the customer is responsible for ensuring that the environment and applications they host are properly configured and secured according to HIPAA requirements (see our BF Shared Responsibility Matrix). Failure to do so results in a non-compliant customer environment.