Security

Last Updated January 15, 2024

Security Overview

At Stover, security is not an afterthought—it's built into every aspect of our platform. We understand that you're entrusting us with sensitive business data, and we take that responsibility seriously.

We implement industry-leading security practices and continuously invest in security infrastructure to protect your data and ensure the highest levels of confidentiality, integrity, and availability.

Data Protection

We employ multiple layers of security to protect your data at every stage:

Encryption

  • **Data in Transit:** All data transmitted between your browser and our servers is encrypted using TLS 1.3, the latest and most secure version of the TLS protocol.
  • **Data at Rest:** All sensitive data stored in our databases is encrypted using AES-256 encryption, the same standard used by banks and government agencies.
  • **Database Encryption:** Our databases use encryption at rest with industry-standard algorithms and key management practices.

Backups and Redundancy

  • Automated daily backups of all customer data
  • Backups are encrypted and stored in geographically distributed locations
  • Point-in-time recovery capabilities
  • Regular backup restoration testing to ensure data integrity

Access Controls

  • Role-based access control (RBAC) to ensure employees only have access to data they need
  • Multi-factor authentication (MFA) required for all employee accounts
  • Regular access reviews and audits
  • Principle of least privilege enforced across all systems

Infrastructure Security

Our infrastructure is built on industry-leading cloud providers with robust security measures:

Hosting and Infrastructure

  • Hosted on AWS (Amazon Web Services) with enterprise-grade security
  • Multi-region deployment for high availability and disaster recovery
  • DDoS protection and mitigation
  • Regular security audits and penetration testing
  • 99.9% uptime SLA

Monitoring and Logging

  • 24/7 security monitoring and alerting
  • Comprehensive logging of all system activities
  • Intrusion detection and prevention systems
  • Automated threat detection and response

Compliance and Certifications

We maintain compliance with industry standards and regulations:

Certifications

  • **SOC 2 Type II:** We undergo annual SOC 2 Type II audits to ensure our security controls meet the highest standards.
  • **GDPR Compliance:** We're fully compliant with the General Data Protection Regulation (GDPR) and help our customers meet their GDPR obligations.
  • **CCPA Compliance:** We comply with the California Consumer Privacy Act (CCPA) and support our customers' CCPA compliance efforts.

Data Processing Agreements

We offer Data Processing Agreements (DPAs) that comply with GDPR and other data protection regulations. Our DPAs clearly define how we process your data and our responsibilities as a data processor.

Incident Response

  • We have a comprehensive incident response plan to quickly identify, contain, and remediate security incidents:
  • **Detection:** Automated monitoring and alerting systems detect potential security incidents in real-time
  • **Response:** Our security team responds to incidents within defined SLAs
  • **Communication:** We notify affected customers promptly if their data may have been impacted
  • **Remediation:** We take immediate action to contain and remediate security incidents
  • **Post-Incident Review:** We conduct thorough post-incident reviews to prevent similar incidents in the future

Vulnerability Management

  • We maintain a proactive vulnerability management program:
  • Regular security assessments and penetration testing by third-party security firms
  • Bug bounty program for responsible disclosure of security vulnerabilities
  • Automated vulnerability scanning of our codebase and dependencies
  • Prompt patching of identified vulnerabilities
  • Security updates communicated to customers when necessary

Employee Security

  • Our employees are trained and equipped to maintain security:
  • Background checks for all employees
  • Security awareness training on an ongoing basis
  • Confidentiality agreements and security policies
  • Regular security training and updates
  • Secure development practices and code reviews

Your Security Responsibilities

  • While we handle the security of our platform, you also play an important role in keeping your account secure:
  • Use strong, unique passwords for your account
  • Enable multi-factor authentication (MFA) when available
  • Regularly review and update user access permissions
  • Keep your integration credentials secure
  • Report any suspicious activity immediately

Security Contact

  • If you discover a security vulnerability or have security concerns, please contact us immediately:
  • Email: security@stover.app
  • We take all security reports seriously and will respond promptly. For responsible disclosure of vulnerabilities, please include:
  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested remediation (if applicable)
  • We appreciate your help in keeping Stover secure for everyone.