
SOC 2 Type II Report

For the period of December 1, 2019 To November 30, 2020

REPORT ON CONTROLS PLACED IN OPERATION AT AQUA SECURITY RELEVANT TO
SECURITY, AVAILABILITY AND CONFIDENTIALITY
WITH THE INDEPENDENT SERVICE AUDITOR'S REPORT
INCLUDING TESTS PERFORMED AND RESULTS THEREOF.

CONFIDENTIAL INFORMATION

The information contained in this report is confidential and shall not be duplicated, published, or disclosed in whole or in part, or used for
other purposes, without the prior written consent of Aqua Security Software Ltd. Corporate Entity.

SECTION I - AQUA SECURITY’S MANAGEMENT ASSERTION

January 1, 2021

We have prepared the accompanying description of Aqua Security platform (Description) of Aqua Security Software Ltd.
(Service Organization) in accordance with the criteria for a description of a service organization’s system set forth in the
Description Criteria DC section 200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2
Report (Description Criteria). The Description is intended to provide report users with information about the Aqua Security
platform (System) that may be useful when assessing the risks arising from interactions with the System throughout the
period December 1, 2019 to November 30, 2020, particularly information about system controls that the Service Organization
has designed, implemented and operated to provide reasonable assurance that its service commitments and system
requirements were achieved based on the trust services criteria for Security, Availability and Confidentiality set forth in TSP
section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (applicable
trust services criteria).

Aqua Security Software Ltd. uses Amazon Web Services to provide Infrastructure Management Services. The Description
includes only the controls of Aqua Security Software Ltd. and excludes controls of Amazon Web Services. The Description also
indicates that certain trust services criteria specified therein can be met only if Amazon Web Services' controls assumed in
the design of Aqua Security Software Ltd.’s controls are suitably designed and operating effectively along with the related
controls at the Service Organization. The Description does not extend to controls of Amazon Web Services.

The Description also indicates that certain trust services criteria specified in the Description can be met only if user entity
controls assumed in the design of Aqua Security Software Ltd.’s controls are suitably designed and operating effectively, along
with related controls at the Service Organization. The Description does not extend to controls of user entities.

With regard to the effect of the COVID-19 pandemic, there were no significant changes to the Elasticsearch Platform System
which resulted in the failure to meet the principal service commitments and system requirements based on the applicable
trust services criteria and CCM criteria.

We confirm, to the best of our knowledge and belief, that:

a. The Description presents the System that was designed and implemented throughout the period December 1, 2019
to November 30, 2020 in accordance with the Description Criteria.

b. The controls stated in the Description were suitably designed to provide reasonable assurance that the service
commitments and system requirements would be achieved based on the applicable trust services criteria, if the
controls operated as described throughout the period December 1, 2019 to November 30, 2020.

c. The Aqua Security Software Ltd. controls stated in the Description operated effectively throughout the period
December 1, 2019 to November 30, 2020 to achieve the service commitments and system requirements based on
the applicable trust services criteria.

Signature
Title: Chief Information Security Officer

Kost Forer Gabbay and Kasierer
144 Menahem Begin Road
6492102, Tel-Aviv, Israel
Tel: +972-3-6232525
Fax: +972-3-5622555
ey.com

SECTION II - INDEPENDENT SERVICE AUDITOR’S REPORT

The Board of Directors
Aqua Security Software Ltd.

Scope
We have examined Aqua Security Software Ltd.’s accompanying Aqua Security platform system throughout the period
December 1, 2019 to November 30, 2020 (Description) in accordance with the criteria for a description of a service
organization’s system set forth in the Description Criteria DC section 200 2018 Description Criteria for a Description of a
Service Organization’s System in a SOC 2 Report (Description Criteria) and the suitability of the design and operating
effectiveness of controls included in the Description throughout the period December 1, 2019 to November 30, 2020 to
provide reasonable assurance that the service commitments and system requirements were achieved based on the trust
services criteria for Security, Availability and Confidentiality set forth in TSP section 100, 2017 Trust Services Criteria for
Security, Availability, Processing Integrity, Confidentiality, and Privacy (applicable trust services criteria).

Aqua Security Software Ltd. uses Amazon Web Services (subservice organization) to provide Infrastructure Management
Services. The Description indicates that complementary subservice organization controls that are suitably designed and
operating effectively are necessary, along with controls at Aqua Security Software Ltd., to achieve Aqua Security Software
Ltd.’s service commitments and system requirements based on the applicable trust services criteria. The description presents
Aqua Security Software Ltd.’s system; its controls relevant to the applicable trust services criteria; and the types of
complementary subservice organization controls that the service organization assumes have been implemented, suitably
designed, and operating effectively at Amazon Web Services. Our examination did not extend to the services provided by
Amazon Web Services and we have not evaluated whether the controls management assumes have been implemented at
Amazon Web Services have been implemented or whether such controls were suitably designed and operating effectively
throughout the period December 1, 2019 to November 30, 2020.

Aqua Security Software Ltd.’s responsibilities

Aqua Security Software Ltd. is responsible for its service commitments and system requirements and for designing,
implementing, and operating effective controls within the system to provide reasonable assurance that the service
commitments and system requirements were achieved. Aqua Security Software Ltd. has provided the accompanying
assertion titled, SECTION I - AQUA SECURITY’S MANAGEMENT ASSERTION (Assertion) about the presentation of the
Description based on the Description Criteria and suitability of the design and operating effectiveness of the controls
described therein to provide reasonable assurance that the service commitments and system requirements would be
achieved based on the applicable trust services criteria. Aqua Security Software Ltd. is responsible for (1) preparing the
Description and Assertion; (2) the completeness, accuracy, and method of presentation of the Description and Assertion; (3)
providing the services covered by the Description; (4) identifying the risks that would threaten the achievement of the service
organization’s service commitments and system requirements; and (5) designing, implementing, and documenting controls
that are suitably designed and operating effectively to meet the applicable trust services criteria stated in the Description.

Service auditor’s responsibilities

Our responsibility is to express an opinion on the presentation of the Description and on the suitability of the design and
operating effectiveness of the controls described therein to meet the applicable trust services criteria, based on our
examination.

A member firm of Ernst & Young Global Limited

Our examination was conducted in accordance with attestation standards established by the AICPA. Those standards require
that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, (1) the
Description is presented in accordance with the Description Criteria, and (2) the controls described therein are suitably
designed and operating effectively to provide reasonable assurance that the service organization’s service commitments and
system requirements would be achieved based on the applicable trust services criteria. The nature, timing, and extent of the
procedures selected depend on our judgment, including an assessment of the risk of material misstatement, whether due to
fraud or error. We believe that the evidence we have obtained is sufficient and appropriate to provide a reasonable basis for
our opinion.

An examination of a description of a service organization’s system and the suitability of the design and operating effectiveness
of controls involves:
• obtaining an understanding of the system and the service organization’s service commitments and system
requirements;
• performing procedures to obtain evidence about whether the controls stated in the Description are presented in
accordance with the Description Criteria;
• performing procedures to obtain evidence about whether controls stated in the Description were suitably designed
to provide reasonable assurance that the service organization achieved its service commitments and system
requirements based on the applicable trust services criteria;
• assessing the risks that the Description is not presented in accordance with the Description Criteria and that the
controls were not suitably designed or operating effectively to meet the applicable trust services criteria;
• testing the operating effectiveness of those controls based on the applicable trust services criteria;
• evaluating the overall presentation of the Description.

Our examination also included performing such other procedures as we considered necessary in the circumstances.

Inherent limitations
Because of their nature, controls at a service organization may not always operate effectively to provide reasonable assurance
that the service organization’s service commitments and system requirements are achieved based on the applicable trust
services criteria. Also, the projection to the future of any evaluation of the fairness of the presentation of the Description, or
conclusions about the suitability of the design or operating effectiveness of the controls to meet the applicable trust services
criteria is subject to the risk that the system may change or that controls at a service organization may become ineffective.

Description of tests of controls

The specific controls we tested and the nature, timing, and results of those tests are listed in the accompanying SECTION IV -
DESCRIPTION OF CRITERIA, CONTROLS, TESTS AND RESULTS OF TESTS (Description of Tests and Results).

Opinion
In our opinion, in all material respects:

a. the Description presents the Aqua Security platform system that was designed and implemented throughout the
period December 1, 2019 to November 30, 2020 in accordance with the Description Criteria.

b. the controls stated in the Description were suitably designed to provide reasonable assurance that the service
commitments and system requirements would be achieved based on the applicable trust services criteria if the
controls operated effectively [and if the subservice organization[s] and user entities applied the controls assumed in
the design of Aqua Security Software Ltd.’s controls throughout the period December 1, 2019 to November 30, 2020.
c. the controls stated in the Description operated effectively to provide reasonable assurance that the service
commitments and system requirements were achieved based on the applicable trust services criteria throughout
the period December 1, 2019 to November 30, 2020.

Restricted use
This report, including the description of tests of controls and results thereof in the Description of Tests and Results, is intended
solely for the information and use of Aqua Security Software Ltd., user entities of Aqua Security Software Ltd.’s Aqua Security
platform system during some or all of the period December 1, 2019 to November 30, 2020 who have sufficient knowledge
and understanding of the following:

• The nature of the service provided by the service organization
• How the service organization’s system interacts with user entities, subservice organizations, or other parties.
• Internal control and its limitations
• User entity responsibilities and how they interact with related controls at the service organization
• The applicable trust services criteria
• The risks that may threaten the achievement of the service organization’s service commitments and system
requirements and how controls address those risks

This report is not intended to be, and should not be, used by anyone other than these specified parties.

Very truly yours,

January 1, 2021
Tel-Aviv, Israel

SECTION III - DESCRIPTION OF THE AQUA CLOUD NATIVE SECURITY PLATFORM
RELEVANT TO SECURITY, AVAILABILITY AND CONFIDENTIALITY FOR THE PERIOD OF
DECEMBER 1, 2019 TO NOVEMBER 30, 2020

Company Overview and Background

Aqua Security enables enterprises to secure their cloud native applications from development to production, accelerating
container adoption and bridging the gap between DevOps and IT security. Aqua’s solutions provide visibility into cloud native
applications, allowing organizations to detect and prevent suspicious activity and attacks and providing transparent, automated
security; deliver visibility into cloud provider security configurations, allowing organizations to detect security risks in their
cloud environments and prevent misconfigurations from leading to compromise; and help to enforce policy and simplify
regulatory compliance.

Products and services

• Aqua CSP - Aqua’s comprehensive, purpose-built platform for securing containers, serverless functions and VMs provides full
visibility and control over cloud native environments, with tight runtime security controls and intrusion prevention
capabilities, at any scale. The platform provides programmatic access to all its functions through an API.
• Aqua SaaS Offering - An extended, SaaS based platform, enabling enterprises to secure cloud native applications on-
prem and in the cloud, from development to production, and allowing users to audit their cloud environments
(Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Oracle Cloud Infrastructure) for security risks,
misconfigurations, and other potential issues that can lead to security or compliance incidents. The platform
provides programmatic access to all its functions through an API.
• Aqua Cyber Intelligence - Aqua’s threat intelligence service, used by the Aqua Cloud Native Security Platform product
to identify vulnerabilities and security issues in container images, serverless functions and Cloud VMs.

Purpose and Scope of the Report

The scope of this report is limited to the controls supporting the Aqua Security platform and does not extend to other
Aqua Security products and services or to the controls at third-party service providers.

Note: Parenthetical references have been included in the following narrative as a cross-reference to the applicable control
procedures included in the Description of Criteria, Controls, Tests and Results of Tests section of this report.

Organizational Structure
Aqua Security’s organizational structure provides the overall framework for planning, directing and controlling operations. It
utilizes an approach whereby personnel and business functions are segregated into departments according to job
responsibilities, lines of reporting and communications, and allows employees to focus on the specific business issues
affecting their customers. An organization chart is documented and approved by Management. It clearly defines
Management authorities and the reporting hierarchy (5). Below is a description of Aqua Security’s key departments:

Research and Development (R&D): Led by the Chief Technical Officer, the R&D department is responsible for developing Aqua
Security products, product technology, management and research. This department includes the following teams:
• Development: The development team is responsible for developing the Aqua Security products and open-source
tools.
• QA: The QA team is responsible for testing and validating the R&D's deliverables according to pre-defined scenarios.
The QA personnel are an integral part of the R&D teams and are mentored by the Director of QA, who oversees all QA
activities at Aqua Security.
• Product Management: The product team is responsible for defining the Aqua Security product lines and available
services, including their requirements and priorities. This includes, among other things, analyzing market needs and
incorporating client feedback into the product roadmaps.
• Research: The research team is responsible for advanced security research of cloud native applications – finding
security vulnerabilities, designing protective controls and generating detection and prevention mechanisms.

Finance: Led by the Chief Financial Officer, the Finance department is responsible for all finance-related topics at Aqua
Security.

Human Resources (HR): Led by the Chief HR Officer, the human resources department is responsible for creating, implementing,
managing and supervising the policies and regulations that are mandatory for every employee, and for ensuring that employees
understand how they apply.

Customer Success & SaaS Operations: Led by the Chief Delivery Officer, the Customer Success department is responsible for the
end-to-end delivery process and the business services implemented within the production environment, including the implementation,
support, availability and security of Aqua services. This department includes the following teams:
• Customer Success: The Support team is responsible for providing support to Aqua Security's customers. The support
team works closely with the R&D, QA and DevOps departments.
• DevOps: The DevOps team is responsible for the deployment and operations of Aqua Security products:
o Deployment – works together with R&D during the go-live period to deploy the products according to
the customer's needs and Aqua Security's procedures.
o Operations – operates the NOC, which provides 24x7 control, monitoring and resolution in case of failure.
• Information Security: Led by the Head of Information Security (CISO), the Information Security team is responsible for
creating, implementing and maintaining policies and controls; for effectively securing daily operations, technology, assets and
employees; and for supervising and maintaining company compliance.

Product Strategy: Led by the VP of Strategy & Product Marketing, the department is responsible for product strategy and for identifying,
building and managing partnerships with third-party entities.

Corporate Marketing: Led by the VP of Corporate Marketing, the marketing department is responsible for building the company’s
image, generating sales opportunities, and other marketing activities.

Sales: Led by the CRO, the sales department is composed of specialized and experienced sales personnel. It is responsible for
selling to and optimizing sales for Aqua Security customers.
