Conductor IT and Security FAQ

Is Conductor a cloud-based or on-prem solution?

Conductor is a fully cloud-based solution hosted in our private cloud within Microsoft Azure or Google Cloud Platform (GCP), depending on geographic location. An on-premises version of Conductor is not currently available.

How is data encrypted at rest and in transit?

All Conductor is encrypted, both at rest and in transit. Azure databases are encrypted using Transparent Data Encryption (TDE). Data in transit is encrypted on SSL connections using TLSv1.2.

What data privacy regulations does Conductor comply with?

Conductor is fully compliant with GDPR and HIPAA. Our Privacy Policy includes details of our compliance with various global privacy requirements, including California, Europe, the United Kingdom, Uruguay, Japan, Argentina, and Singapore.

Can we control where our data resides?

Our global customer base often has stringent requirements for where their data can reside. Conductor can be hosted in almost any Microsoft Azure Availability Zone globally. Our dedicated Kingdom of Saudi Arabia hosting is provided in the Google Cloud Platform (GCP) Dammam region. Please speak to your Conductor Account Executive or Customer Success Coach about your specific data residency requirements.

How do you ensure the security of sensitive data?

We take the security of your data very seriously and follow industry best practices at all times.

As documented throughout this FAQ, Conductor is SOC 2 certified by Deloitte, and our teams follow rigorous, secure engineering processes at all times. We conduct regular, third-party security tests in order to ensure our various hosting environments remain entirely secure. All data is encrypted, both in transit and at rest. No customer data is present in our engineering and test servers. Conductor's enterprise-grade permission system, connected to our customers' SSO authentication, ensures the security and privacy of all data within our platform.

What identity management systems does Conductor support?

Almost all Conductor customers have SSO setup, generally through Active Directory/Entra ID. Additionally, Conductor supports all major SSO providers. Username/password authentication is also available for third parties, vendors, etc., on named accounts. Customers may also choose to have Conductor users provisioned through integration with Active Directory/Entra ID.

How are user access and permissions controlled and audited?

Conductor's enterprise-grade access and permission controls provide individual, role, and group-based access and deny settings at all levels of the Conductor work hierarchy, including workspaces, initiatives, workstreams, and projects. Access can be controlled by admins directly within the platform, and admin permission can be granted to users at any level of that hierarchy (i.e., a Project Manager can be given permission to manage access to their project).

Conductor records all changes to data, including access and permission controls, and makes them available via audit reports.

What are the processes and policies for handling user deactivation and access revocation?

Admins can remove access through Conductor's Admin Suite, with all live sessions being immediately deactivated for users whose access has been revoked. Conductor can support legal holds for all information related to deactivated users.

For customers who have integrated user provisioning from their Active Director/Entra ID, deactivated users in that system will be deactivated on the next scheduled sync of user information to Conductor.

What industry-standard security certifications does Conductor hold?

Conductor is SOC 2 audited by Deloitte. A copy of our SOC 2 certification is available upon request.

Conductor is hosted in Microsoft Azure and Google Cloud Platform, which both meet many global certifications, including ISO 27001. For more information, see Microsoft Azure compliance and Google Cloud Platform compliance.

Are third-party audits and penetration tests conducted regularly?

Sensei Labs performs regular third-party audits and penetration tests. A full attestation is available upon request.

What are the platform’s backup and disaster recovery plans?

All Conductor instances are regularly backed up. Sensei Labs maintains a Disaster Recovery plan, which is available upon request. The plan documents the process of recovering and protecting Sensei Labs infrastructure in the event of a disaster, including losing an entire region that hosts production.

How are customers notified of security incidents, including breaches?

We're proud that Sensei Labs has never experienced a security incident or breach. In the unlikely event that should occur, our customers will be notified as soon as possible, within 24 hours, of any security incidents. A full security report will be sent within 72 hours.

What service-level agreements (SLAs) are in place for uptime and data availability?

Sensei Labs provides a 99.9% uptime guarantee for Conductor. Our SLAs vary by the severity of the incident being reported: