All FAQs

Overview


What is the Borneo Privacy data management Platform?

Borneo is a privacy data management platform that helps you to understand, identify and remediate privacy data risk at cloud scale. Fast-moving security teams use Borneo to prevent sensitive data mishandling, stop data leaks, and drive privacy compliance across their Data Infra, SaaS and APIs.

How does Borneo connect and read data from SaaS applications and Data Stores?

Borneo's connector framework is designed to be easy to deploy, efficient, and scalable. We do this by running our connector, ingestion framework, and control policies as close to the data as possible, integrating directly with the native data store or CorpApps API.
We do not rely on installing agents or on deploying network scanners, sidecar proxies, or inline proxies, as traditional solutions such as DLPs and CASBs do.

Does any of your data leave your environment? Do Borneo employees get access to your data?

No. You remain in complete control of your data: your data never leaves your cloud account, and our employees do not have any access to it. Borneo is deployed in a Private SaaS model, i.e., all our services are deployed directly in your AWS account.

Safe and friction-free deployment


What type of access is required by Borneo's employees to deploy the application/connector in your environment? What are the privileges associated with this access? For how long is such access required?

We do not require any access. Our deployment process is simple and fully automated, so customers can deploy it themselves.

How does the Borneo service get updated?

We provide the customer with the relevant scripts and templates for the upgrade. The process is simple and takes a few minutes. We can also help customers with the upgrade cycles in compliance with their internal access policies.

Simple and Predictable pricing


What is the infra and license cost for running Borneo?

The monthly infra costs of running the Borneo platform for either of the deployment models range between ~350-600 USD for mid to large-scale footprints. Our license pricing is an annual subscription model. We charge one flat fee per connector to keep our pricing simple, predictable, and cost-efficient.

Data Discovery

How does Borneo discover and classify sensitive data?

Borneo's platform includes a powerful ML-powered inspection service that includes pre-tuned data classifiers for most sensitive data categories i.e., Infotypes. Borneo not only discovers sensitive data across your cloud footprint but also automatically classifies it based on your internal data classification and handling policies. In addition to classification, Borneo's advanced algorithms give you sensitive data correlation across your data sources.

How many data classifiers (Infotypes) are supported by Borneo?

Borneo supports 100++ ML-powered pre-configured data classifiers across various categories like PII, Healthcare, Finance, Government IDs, Credentials, and Developer Secrets.
You can find the exhaustive list here: Supported Infotypes.



Does Borneo support custom data classifiers (Infotypes)?

Yes, we do support custom infotypes based on customer requests. We ship custom infotypes within 3 business days. We discourage customers from adding their own regexes, as they might result in high false positives or false negatives.

Does Borneo scan unstructured data? What about attachment unwrapping e.g. xlsx, pdf?

Borneo uses its data extraction and normalization framework to support both structured and unstructured data. Our extraction service supports an exhaustive list of file types. We will be launching OCR support in Q2. We currently do not support video or audio files.

How accurate is Borneo's data inspection? Do you have any industry benchmarks?

Borneo uses a multipass approach to ensure high accuracy. In addition to pattern matching, we look at the nearby score, frequency, fingerprinting, headers, metadata, etc. We can share our test benchmarks against other industry solutions for reference.

Can we set a threshold for certain high-risk infotypes, or tune it to reduce false positives?

Yes, the Borneo policy engine does support fine-tuning. We provide white-glove service to all our customers, where we work with them to understand, analyze, and tune our classifiers optimally for their specific environments.

Does the Borneo platform store any confidential/sensitive information in your backend?

We do not collect or store any sensitive data on the Borneo platform. We only save the insights about the findings, infotype details, location, number of matches, data source, etc. (e.g., the specific S3 object or Slack channel that contained the infotypes). 



Extensive Integrations for Alerts and SIEMs


Do you support any integrations for incident alerts or SIEMs?

Yes, Borneo supports integrations for sending all of the findings/remediations to your SIEM/ticketing system of choice, such as Jira, Email, Splunk, SNS, API, etc.


Automate compliance and flexible policy enforcement.


Does Borneo have a Policy UI for fine-tuning, setting up detection thresholds?

Our PoC does not ship with a Policy UI. Our production version does have a Policy UI for mapping infotypes to classification levels and for adding exclusion rules, which can be customized to reduce noise for your environment. We also support custom configuration to fine-tune your PoC instance to reduce false positives or alert noise during your trial phase.

Does Borneo support automatic data mapping to Privacy regulations like GDPR, HIPAA, CCPA, PDPC, etc?

Yes. Borneo comes pre-configured with default rulesets for automatically mapping sensitive data to most privacy regulations like CCPA, PDPA, GDPR, HIPAA, etc., to fast-track your compliance efforts and help with consistent and continuous compliance across your data footprint.

Does Borneo support all info types related to HIPAA?

Yes. Borneo comes with pre-tuned classifiers for all 18 HIPAA infotypes considered as protected class or PHI. Please refer to:

Integrated insights, Analytics, and Reporting.


Does Borneo provide insights dashboard and custom analytics?

Yes, all our insights are piped into a central queryable elastic data store. We ship with a default Kibana instance and frequently used dashboard. We can ship a custom dashboard based on your requirements or provide easy integrations with your existing analytics tools.

Sensitive data classifiers aka Infotypes supported out of the box.

How many data classifiers (Infotypes) are supported by Borneo?
Borneo supports 100++ ML-powered pre-configured data classifiers across various categories like PII, Healthcare, Finance, Government IDs, Credentials, and Developer Secrets. You can find the exhaustive list here:

Corporate Application Solution

What Corporate application connectors are supported by Borneo?

Borneo provides ~15++ out-of-the-box connectors for the most commonly used corporate applications like Slack Business, Slack Enterprise, Jira, Confluence, GitHub, Gmail, GDrive, Salesforce, Zendesk, Zoom, Splunk, and more.

Safe and friction-free deployment

How quickly can you get Borneo up and running in your environment?

Borneo provides a simple and automated deployment process to get you up and running in ~ 10 minutes.

What are the deployment options for Borneo? What do we need to provision at our end?

We support two deployment models:
  1. Helm + EKS model of deployment: We will provide the Helm charts. If the customer does not have an EKS cluster, we can help them create one using “eksctl”, “cloudformation” or “terraform”. Deployment time ~10 min.
  2. AMI model of deployment: We will provide an AMI, which customers will use to create an EC2 instance. Deployment time ~15 mins.

Self-service, contextual remediation.

Does Borneo provide any automatic remediation workflows?

Yes, Borneo supports multiple manual and automatic remediation workflows, such as:
  • Ability to review and directly notify the user of their action - you can customize the message sent out to the users
  • Automated timed deletion/cleanup - This will delete the content after a certain configurable time duration, which is most preferred as it reduces the risk surface with the least amount of noise or overhead for both user and security team
  • Admin alert with optional admin triggered deletion.

Slack Connector

Does Borneo only support public channels in Slack? Is there support for scanning private channels/direct messages, connected channels, without adding the app to each one?

Our PoC version currently only supports scanning public channels. You will need to add the app in the admin channel for the PoC to receive the notification. However, you can skip this in our production version if you choose to send the notification directly to your SIEM (Jira, Splunk, etc.).
For our Enterprise version, there is no need to add the app to every channel (public, private or direct). You just need to authorize the app into your Slack workspace.

What about external channels?

We do support Slack communication on external channels, including the ability to monitor new external channels and to enable automated monitoring of new external channels (beta).

What are the limits on file sizes for data inspection?

Please note our PoC version has a file size limit of 10MB. Our production version has a limit of 100MB. Do let us know if you want higher limits.

What controls are in place to prevent API abuse, since Borneo uses API-based authentication?

  • To monitor and manage API calls coming from automated scripts (bots), we have monitoring in place on the Slack end, and we also use limit/budget tags on AWS to ensure we don't overrun the system.
  • To drop primitive authentication, we only use Slack-approved OAuth.
  • To implement measures to prevent API access by sophisticated human-like bots, we do not support any open / publicly accessible APIs. The internal-only API for config is set up behind the customer VPN and is authenticated.
  • To support robust encryption, we only use Slack-approved/provided endpoints.
  • Token-based rate-limiting equipped with features to limit API access based on the number of IPs, sessions, and tokens, based on Slack's approved rate limits.

Data Infrastructure connectors

What Infra connectors are supported by Borneo?

Borneo provides ~10++ out-of-the-box connectors for the most commonly used AWS data stores (S3, RDS, DynamoDB, Presto, Redshift, Kafka, Elasticsearch, DocumentDB) and self-hosted databases like Postgres, MariaDB, etc.

Safe and friction-free deployment

How quickly can you get Borneo up and running in your environment?

Borneo provides a simple and automated deployment process to get you up and running in ~ 30 minutes.

What are the deployment options for Borneo? What do we need to provision at our end?

Borneo is deployed in your existing AWS account, or you can provision a new account for it. We provide CloudFormation or Terraform templates to provision the underlying resources and install all our services automatically.

How often does Borneo run the data scans?

Borneo scans are run every 30 minutes across your data footprint, using its proprietary sampling algorithm. Ping us for details on how our sampling works.

Elasticsearch & EC2 instance sizing: not clear what instance size would be the best fit for our needs?

Based on our experience with other customers, we start with the defaults of t2.xlarge for ECS and c5.large for Elasticsearch. However, according to metrics, we can scale the cluster or change the instance type of both Elasticsearch and ECS cluster instances.

Others

Would like to hear more about why a tool like this is necessary vs a well-designed system of table tags and RBAC in snowflake/okta?

Borneo doesn’t replace the need for RBAC based on table tags but is a complementary solution, as it can help automate the process of managing the table tags. That is, instead of relying solely on data custodians to manually update table tags as and when data schemas change, Borneo can detect such changes automatically and propose accurate tags based on the actual data in each table. In addition, we want to take it further as part of our remediation flow by automating rules. For example, if we detect PII in tables where it isn’t supposed to be, we can create masking rules in Snowflake so that the data isn’t shown to users, and trigger new preventive actions. And of course, we do deep inspection of the actual data, structured and unstructured, rather than relying only on metadata, to give you much better accuracy and coverage of PII.

Do you scan encrypted data in S3?

We do support scanning of encrypted data in S3 in the following scenarios:
  • Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
  • Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS)
We currently do not support:
  • Server-Side Encryption with Customer-Provided Keys (SSE-C)
  • Client-Side Encryption

How do I add a new admin user to access the Borneo dashboard?

We use Amazon Cognito to manage the admin accounts. Go to the AWS Cognito console and locate sz-prod-cognitopool. You can also add new user accounts and perform a password reset through this console.
Follow this to complete the steps.
2-minute video tutorial

Does Borneo support cross-region scanning of AWS accounts?

No, we restrict our scans to within the regions to optimize cost by reducing cross-region data transfer costs. We can run multiple versions of our data connectors close to the source if you require cross-region scanning.

I don't see any data or scan details on the dashboard.

To enable Borneo to scan your data sources such as S3 and DynamoDB, you need to add an AWS account to the dashboard. Ensure you have access to the AWS console, and then follow this to complete the steps.
5-minute video tutorial

I have added the AWS account but still do not see any data/scans details.

The scans run twice every hour. Log in to the Borneo dashboard, go to "Sources" and select Amazon S3 to view bucket and account level stats. Please let us know if you have any questions or prefer to connect over a call to get a dashboard walkthrough.

Borneo's "Observer" service is subscribed to S3 events, but I want to subscribe my own service instead.

The "Observer" service is part of the Borneo for AWS Data Infrastructure solution. It uses Amazon S3 Event Notifications to detect when new objects are added to monitored S3 buckets, and ensures the new objects get scanned for sensitive infotypes (up to a given, per-bucket rate limit). Borneo will periodically attempt to subscribe to object create events for all monitored S3 buckets. The name of the event notification will be observer-service-event-listener and the target will be an Amazon Simple Queue Service (SQS) queue with the name sz-prod-s3-observer-queue.
Amazon S3 only supports a single destination for each supported event type. If another destination is already set up for object create events, the Observer service will not be able to receive object create events. However, Borneo's continuous background scans will still perform periodic sample scans on the bucket.
If Borneo's Observer service is subscribed to a bucket's events, but you want a different service to receive create object events for that bucket, you have two options: You can simply replace the observer-service-event-listener notifications without impacting Borneo's operations – the continuous background scans will continue to cover the bucket, but Borneo's ability to detect new objects with sensitive infotypes for that bucket will be impaired. Or if you want both Borneo as well as your own service to receive object create notifications, you can use an Amazon Simple Notification Service (SNS) topic for fan-out of S3 notifications instead.
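
The two options above can be checked against a bucket's notification configuration before it is changed. The following is an added example, not Borneo's code: it takes a dict shaped like the S3 API's `NotificationConfiguration`, reports whether the Observer listener holds the object create events, and builds the SNS fan-out variant. The sample configuration is constructed, and the topic ARN, rule id, account id and status names are assumptions.

```python
OBSERVER_ID = "observer-service-event-listener"   # listener name given on this page
OBSERVER_QUEUE = "sz-prod-s3-observer-queue"      # queue name given on this page
DEST_KEYS = {                                     # S3 API list name -> its ARN field
    "QueueConfigurations": "QueueArn",
    "TopicConfigurations": "TopicArn",
    "LambdaFunctionConfigurations": "LambdaFunctionArn",
}
CREATE = "s3:ObjectCreated:"

SAMPLE = {  # constructed sample; account id and region are placeholders
    "QueueConfigurations": [{"Id": OBSERVER_ID, "Events": [CREATE + "*"],
        "QueueArn": "arn:aws:sqs:us-east-1:111122223333:" + OBSERVER_QUEUE}],
    "LambdaFunctionConfigurations": [{"Id": "cleanup-audit", "Events": ["s3:ObjectRemoved:*"],
        "LambdaFunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:audit"}],
}


def create_listeners(config):
    """Return (rule id, destination ARN) for every rule receiving object create events."""
    found = []
    for list_key, arn_key in DEST_KEYS.items():
        for entry in config.get(list_key, []):
            if any(e.startswith(CREATE) for e in entry.get("Events", [])):
                found.append((entry.get("Id"), entry[arn_key]))
    return found


def observer_status(config):
    """'direct' if the Observer queue is subscribed, 'other-destination' if some
    other rule holds the object create events, 'none' if nobody does."""
    listeners = create_listeners(config)
    for rule_id, arn in listeners:
        if rule_id == OBSERVER_ID and arn.endswith(":" + OBSERVER_QUEUE):
            return "direct"
    return "other-destination" if listeners else "none"


def fan_out(config, topic_arn, rule_id="object-create-fanout"):
    """Return (new_config, moved): a copy of config in which one SNS topic is the
    only object create destination, and the ARNs that must now subscribe to it.
    Filters on the moved rules are dropped; subscribers have to filter themselves."""
    new, moved = {}, []
    for key, value in config.items():
        if key not in DEST_KEYS:
            if key != "ResponseMetadata":   # boto3 response field, not configuration
                new[key] = value            # e.g. EventBridgeConfiguration
            continue
        kept = []
        for entry in value:
            events = entry.get("Events", [])
            others = [e for e in events if not e.startswith(CREATE)]
            if len(others) < len(events):
                moved.append(entry[DEST_KEYS[key]])
            if others:                      # keep the rule for its non-create events
                kept.append({**entry, "Events": others})
        if kept:
            new[key] = kept
    rule = {"Id": rule_id, "TopicArn": topic_arn, "Events": [CREATE + "*"]}
    new["TopicConfigurations"] = new.get("TopicConfigurations", []) + [rule]
    return new, moved
```

With SNS in front, an SQS queue receives each S3 event wrapped in an SNS envelope unless raw message delivery is enabled on the subscription; the page does not say which form the Observer expects, so confirm that before switching a monitored bucket to fan-out.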