Security Commitments
As an organization dedicated to protecting and securing our customers’ applications, Synopsys is equally committed to our customers’ data security and privacy. This statement is meant to provide Synopsys’ customers and prospects with the latest information about our systems, compliance certifications, processes, and other security-related activities.

Information Security Policy

Synopsys has defined and published a set of information security policies which is:

  • Based on ISO 27001, ISO 27002, NIST SP 800-53, NIST SP 800-171, and NIST CSF
  • Approved by management
  • Communicated to all employees and relevant external parties
  • Reviewed annually by stakeholders

Product Security Assessments

Synopsys regularly performs a variety of security assessments on both the application level as well as the environments that host our applications. These include:

  • Product-on-product (PoP) testing—each release of a product is scanned for security vulnerabilities.
  • In-depth internal security assessments—for major new features, we include a combination of penetration tests, code reviews, and architectural risk assessments.
  • Threat modeling—for major new releases, Synopsys creates and/or updates threat models that provide a baseline for other security testing activities.

Security for Software as a Service

  • Our SaaS offerings run on industry-leading cloud service providers selected for their security and protections, and each provider must meet or exceed Synopsys’ own set of rigorous security assessments and security control requirements.
  • In addition to the security provided by the cloud service provider (CSP), Synopsys uses real-time monitoring tools for cloud configuration and container integrity, a web application firewall (WAF), and other security controls.

Privacy

Please see our Privacy at Synopsys page, which contains our Data Privacy and Protection Statement and our Website Privacy Policy.

Incident Management

  • Synopsys has established policy, process, and procedure to ensure a quick, effective, and orderly response to information security incidents.
  • The Information Security Incident Management Standard and Incident Response Plan are reviewed, tested, and updated (as appropriate) at a minimum, annually.
  • Synopsys will notify customers consistent with the Data Privacy and Protection Statement referenced by our Privacy Policy.

Network Security

  • Synopsys has deployed IDS/IPS, WAFs, Firewalls, and related technologies to protect against external threats.
  • Network environments are physically and logically segregated; customer data are logically segregated.
  • Security alerts are monitored 24x7 by a dedicated security team, with a five-minute SLA for initial triage of critical alerts.
  • Vulnerability scans are performed daily.

Encryption

  • All customer data are encrypted in transit and at rest. Beyond mass-storage encryption, sensitive data are also secured using application-layer encryption.
  • All traffic is encrypted in transit by default via HTTPS using TLS (Transport Layer Security) 1.2 or higher.
  • All persistent data are encrypted at rest in the CSPs using AES with 256-bit keys or stronger.

Availability, Backup, and Disaster Recovery

  • High availability is achieved using the native cloud orchestration capabilities of Azure.
  • If individual VM containers fail within a CSP availability zone, they will recover automatically due to the cloud-native architecture. If there is an outage for a complete CSP availability zone or region, there is a process that will create a new instance in a different availability zone or region.
  • In general, across all types of disaster situations, including failures beyond core infrastructure, Synopsys’ recovery time objective (RTO) is one (1) business day and the recovery point objective (RPO) is 24 hours.
  • Synopsys maintains a certification for Business Continuity Management System, ISO 22301:2019.

Access Management

  • Only the customer has access to their own data. If Synopsys employees need access to customer data for troubleshooting or support purposes, customer permission is required to grant access.
  • Multi-factor authentication (MFA) capability is provided to customers for accessing Synopsys applications.

Logging and Monitoring

  • User and system administrator activities are logged and:
      • Routed to a centralized SIEM for monitoring, analysis, and alerting
      • Protected from tampering
      • Retained for at least one year

Change Management

  • Changes to the organization, business processes, cloud infrastructure, and systems affecting information security are performed per a defined change management policy, process, and procedure.
  • All changes are logged via a ticketing system, and approvals are required and tracked.
  • The technical review includes a risk assessment and all other technical aspects of the change.

Compliance

  • ISO 22301 Business Continuity Management System certified
  • SOC 2 Type 1 and SOC 2 Type 2, covering security, availability, and confidentiality

TISAX certification

Synopsys has completed a Trusted Information Security Assessment Exchange (TISAX) assessment. This standard provides the European automotive industry a consistent, standardized approach to information security systems.

Scope: EDA Level3 with Prototype - 2024 | S6NMKN
Scope: Information with High Protection, PikeTec - Europe – 2024 | SWH934 | AP9W24-1

The TISAX assessment result is available through the ENX Portal.

Inquiries
Please contact securityassessment@synopsys.com for further inquiries regarding security at Synopsys.