Publish Workload Requirements Attestation Checklist
We, the vendor, Striim Inc, confirm and attest to reviewing, meeting and complying with the requirements outlined
in the Microsoft Fabric Workload Development Kit (WDK) specifically the Publish Workload Requirements located at
https://learn.microsoft.com/en-us/fabric/workload-development-kit/publish-workload-requirements.
The following sections document details, exceptions, or variances regarding the attestation of adherence to the
Publish Workload Requirements.
Business Requirements:
- Value To Customers: The workload provides the following value to customers –
Striim’s SQL2Fabric-Mirroring is a fully managed, zero-code replication solution that seamlessly mirrors
on-premises SQL Server data to Microsoft Fabric OneLake.
Powered by Striim’s high-performance, secure and scalable cloud platform, this low cost and low latency
service delivers on premise transactional data into Fabric for AI, BI, Analytics, Data Engineering, and
Operational Reporting use cases.
- Trial: We provide an easy and fast trial experience. The trial is available to the customer
without waiting time (less than 5 seconds), and provides a free and easy way to explore the offered workload
for a limited time in accordance with Microsoft guidelines for Trials1
[x] Yes
[ ] No
30 Day Free Trial. No limits.
- Monetization: The workload is available on the marketplace for the customer to procure
with or without a trial in accordance with the monetization guidelines2
[x] Yes
[ ] No
Technical Requirements:
- Microsoft Entra Access: The workload(s) use Microsoft Entra authentication and
authorization3.
[x] No additional authentication and authorization mechanisms are used
[ ] Additional authentication and authorization mechanisms are used for stored data in Fabric
- One Lake: Workloads integrate with One Lake4 to store data in the standard formats supported
by the Fabric platform so that other services can take advantage of it.
[x] All data and metadata is stored in One Lake or Fabric Data Stores
[ ] Not all data and metadata is stored in One Lake or Fabric Data Stores
- Microsoft Entra Conditional Access: Enterprise customers require centralized control and
management of the identities and credentials used to access their resources and data and via Microsoft Entra
to further secure their environment via conditional access5.
[x] The service works in its entirety even if customers enable this functionality
[ ] The service works with limitations if customers enable this functionality
[ ] The service does not work with Microsoft Entra Conditional Access
- Admin REST API: Admin REST APIs are an integral part of Fabric admin and governance
process. These APIs help Fabric admins in discovering workspaces and items, and enforcing governance such as
performing access reviews, etc. Basic functionality is supported as part of the Workload Development Kit and
doesn't need any work from Partners.
[ ] Microsoft Fabric Admin API’s are being leveraged (/admin/*)
[x] No Microsoft Fabric Admin API’s are being used
- Customer Facing Monitoring & Diagnostic: Health and telemetry data needs to be stored for a
minimum of 30 days including activity ID for customer support purposes, including Trials.
[x] Minimum 30 days requirement is adhered to
[ ] Vendor stores the data for __ additional days beyond the minimum requirement
- B2B: The implementation of the workload is in line with Microsoft Fabric’s sharing strategy
focused on allowing customers to collaborate with their business partners, customers, vendors, subsidiaries
etc. It also means users from other tenants6 can potentially be granted access to items partners are
creating.
[ ] Cross tenant B2B collaboration supported
[x] Workload Item Access only within the tenant
- Business Continuity and disaster recovery: The vendor has comprehensive Business
Continuity and Disaster Recovery (BCDR) plans designed to tackle unplanned disasters and recovery steps.
- Performance: The Workload implementation takes measures to test and track performance of
their Items
[ ] Performance Metrics on workload performance are available via the monitoring hub
[x] Workload additionally includes a separate monitoring UI to test and track performance
[ ] Performance tracking is not currently available to the end user however vendor support personnel can
monitor, test, track performance via their internal instrumentation and monitoring systems
- Presence: To ensure that customer expectations independent of their home or capacity region
are met, vendors need to align with fabric regions7 and clouds. Availability in certain restrictions also
impacts your Data Residency commitments.
[x] Service availability and colocation/alignment in the following fabric regions
East US, East US 2, Central US, West US, West Europe, North Europe, UK South
[ ] All or part of the service does not reside in Azure
- Public APIs: Fabric Public APIs8 are the backbone of automation, enabling seamless
communication and integration for both customers and partners within the Fabric ecosystem. Fabric Public API
empowers users to build innovative solutions, enhance scalability, and streamline workflows.
[x] The workload uses Fabric Public APIs
Design / UX Requirements:
- Common UX: The workload and all item types the partner provides as part of it comply with
the Fabric UX guidelines9.
[x] Yes
[ ] The following variance and/or exceptions have been granted by Microsoft
- Item Creation Experience: The item creation experience is in accordance with the Fabric
UX System10.
[x] Yes
[ ] No
- Monitoring Hub11: All Long running operations need to integrate with Fabric Monitoring
Hub.
[ ] Yes
[x] No
- Trial Experience: The workload provides a Trial Experience for users as outlined in the
design guidelines12
[x] Trial Supported
[ ] Trial Not Supported
- Monetization Experience: The monetization experience is in line with the design
guidelines13 provided
[x] The monetization experience is completely integrated with the marketplace and compliant with the guidelines
[ ] Bring Your Own License (BYOL)
[ ] Free / Freemium
[ ] Other
- Accessibility: The user experience is in compliance with the Fabric UX design guidelines
for Accessibility14
[x] The user experience is completely compliant with the guidelines
[ ] The following limitations exist
- World Readiness / Internationalization: English is supported as the default language.
Localization, though optional, should be considered.
[x] English is the only supported language
[ ] The following are the additional languages supported
- Item Settings: Item settings are implemented as a part of the ribbon as outlined in the
UX guidelines15
[x] Yes
[ ] No
- Samples: Samples are optionally provided that preconfigure items of their type
to help customers get started more easily.
[ ] Samples not provided
[x] Samples for pre-configuration of items provided
- Custom Actions: Custom actions can be optionally provided as a part of the item
editor.
[x] Custom Actions are not implemented
[ ] Custom Actions implemented as part of Workload
- Workspace settings: Workspace settings provide a way that workloads can be configured on a workspace
level.
[ ] Supported
[x] Not Supported
- Global Search: Searching for items in Fabric is supported through the top search bar.
[ ] Supported
[x] Not supported
Security / Compliance Requirements:
- Security general: Protection of customer data and metadata is of paramount importance16.
Workloads must go through a security review and assessment. Vendor attests that the security review and
assessment was completed and will be periodically performed as enhancements and changes are made. Security
issues discovered which could have a detrimental impact on the customer should be addressed promptly and
customers notified where applicable.
Striim follows a Secure Software Development Lifecycle (SSDLC) and incorporates secure concepts and
testing from design to delivery. The lifecycle incorporates
Static and Dynamic Application Security Testing (SAST/DAST) and open source vulnerability management.
SAST includes both Striim proprietary code and open source, while DAST includes OWASP Top 10 and PCI DSS
testing. Software cannot be released unless there are zero critical or high exploitable vulnerabilities
discovered through any of these methods. All vulnerabilities are triaged, and exploitability is defined
as the vulnerability being accessible through a code path within the Striim products. While Striim
typically does not release the underlying vulnerability and testing reports, the strength and
attestation to this process can be found in the latest SOC 2 and PCI DSS reports.
- Privacy: Partners that build workloads also have a responsibility to protect17 that data
when they access it. Every workload goes through a privacy assessment and a privacy review. Vendor attests
that privacy review was completed and is periodically performed as enhancements and changes are made.
[x] Extra Requirements: Vendor attests that only essential HTTP-only cookies18 are used by the Workload and
only after positively authenticating the user.
The workload allows users to view and monitor the progress of their Striim data pipelines. These pipelines
operate on Striim Cloud and are subject to the Striim Cloud Privacy Policy. For detailed information on the
security and compliance practices of Striim Cloud, please refer to Striim Cloud Security.
Additionally, the workload does not utilize cookies for storing client information.
- Data Residency: Microsoft Fabric is making an Enterprise Promise around data not leaving
the geography19 of the tenant for stored data and data in transit. As a workload in Fabric directly and users
need to be aware what your commitments to Data Residency are. Define what your commitments are to the Data
Residency of customer data.
No data is stored within the Striim services being provided.
Striim provides an in-memory data integration solution that moves data into Fabric without storing it in
the Striim service, so Data Residency is not applicable.
- Compliance: The publisher attests to the following security, data and compliance20
regulations and standards
The workload allows users to view and monitor the progress of their Striim data pipelines. These pipelines operate on Striim Cloud and are subject to the Striim Cloud Privacy Policy. For detailed information on the security and compliance practices of Striim Cloud, please refer to Striim Cloud Security.
Striim is committed to ensuring Customers can trust our products and practices. We comply with GDPR and CCPA requirements, and customers can request the following compliance documents:
- SOC 2 Type II
- HIPAA Security Compliance Assessment Report
- PCI-DSS 4.0 Service Provider ROC / AOC
- UK Cyber Essentials
These are available through https://trust.striim.com/
Support:
- Live site: Partner workloads are an integral part of Fabric that require the Microsoft
support teams need to be aware of how to contact you in case customers are reaching out to us directly.
- Supportability21: Vendors are responsible for defining and documenting their support
parameters (Service level agreement, contact methods, ...). This information needs to be linked from the
Workload page and should always be accessible to customers. In addition, the Marketplace22 criteria need to
be taken into account for the listing of the SaaS offer.
[x] Vendor attests that support information is published to the marketplace offering and available to
user/customers directly via the workload
- Service Health and Availability: Vendors need to host a service health dashboard that
shows their service health and availability to customers. This information can be included on the
Supportability page.
Service health dashboard can be found here:
Service health and availability status is visible to customers on their service landing page immediately
after login.
Fabric Features:
- Application Life Cycle Management (ALM): Microsoft Fabric's lifecycle23 management tools
enable efficient product development, continuous updates, fast releases, and ongoing feature
enhancements.
[ ] Supported
[x] Not Supported
- Private Links: In Fabric, you can configure and use an endpoint24 that allows your
organization to access Fabric privately.
[ ] Supported
[x] Not Supported
- Data Hub: The OneLake data hub25 makes it easy to find, explore, and use the Fabric data
items in your organization that you have access to. It provides information about the items and entry points
for working with them. If you're implementing a Data Item, show up in the Data Hub as well.
[ ] Supported
[x] Not Supported
- Data Lineage: In modern business intelligence (BI) projects, understanding the flow of
data from the data source to its destination can be a challenge. The challenge is even bigger if you built
advanced analytical projects spanning multiple data sources, data items, and dependencies. Questions like
"What happens if I change this data?" or "Why isn't this report up to date?" can be hard to answer.
[ ] Supported
[x] Not Supported
- Sensitivity labels: Sensitivity labels26 from Microsoft Purview Information Protection on
items can guard your sensitive content against unauthorized data access and leakage. They're a key component
in helping your organization meet its governance and compliance requirements. Labeling your data correctly
with sensitivity labels ensures that only authorized people can access your data.
Extra requirements: For partners that are using Export functionality within their Item they need to
follow the guidelines.
[ ] Supported
[x] Not Supported
Additional Notes
Please use this section to provide any further explanations, references, or notes that may be relevant to your
attestation:
-
References
https://www.striim.com/striim-cloud-security/
https://trust.striim.com/