Security Policy
Last Updated: December 6, 2025
1. Security Overview
StableState prioritizes the security and confidentiality of client data. We implement comprehensive security measures across infrastructure, application, and operational levels.
Commitment: We maintain enterprise-grade security practices and continuously audit our systems for vulnerabilities.
2. Infrastructure Security
2.1 Cloud Infrastructure (Azure)
All systems are hosted on Microsoft Azure, providing:
- Physical Security: Microsoft-managed data centers with 24/7 surveillance
- Network Isolation: Virtual networks with strict firewall rules
- DDoS Protection: Azure DDoS Standard protection
- Compliance: SOC 2 Type II, ISO 27001, FedRAMP
2.2 Encryption
- In Transit: TLS 1.3 for all data transmission
- At Rest: AES-256 encryption for stored data
- Key Management: Azure Key Vault for secure credential storage
- HTTPS Only: All endpoints enforce HTTPS
3. Application Security
3.1 API Security
- Authentication: API key and OAuth 2.0 authentication
- Authorization: Role-based access control (RBAC)
- Rate Limiting: Request throttling to prevent abuse
- Input Validation: Strict validation of all inputs
3.2 Code Security
- Dependency Management: Regular updates and vulnerability scanning
- Code Review: Security review of all production code
- Static Analysis: Automated security scanning in CI/CD
- No Hardcoded Secrets: All credentials in secure vaults
4. Data Protection
4.1 Data Handling
- Least Privilege: Access granted only as needed
- Data Classification: Clear classification of sensitive data
- Secure Deletion: Cryptographic erasure for deleted data
- Backup Security: Encrypted backups with restricted access
4.2 Client Data Confidentiality
- Your monitoring data is never shared with other clients
- Your data is never sold or commercialized
- Your data is deleted upon request or contract termination
- Multi-tenant isolation ensures complete data separation
5. Access Control
5.1 Employee Access
- Background Checks: Verified for all staff members
- NDAs: All employees sign confidentiality agreements
- Least Privilege: Access limited to necessary systems only
- Activity Logging: All access attempts logged and monitored
5.2 Multi-Factor Authentication
- MFA required for all administrative access
- MFA available for all customer accounts
- Hardware security key support available
6. Incident Response
6.1 Breach Response
In the event of a suspected data breach:
- Detection: Real-time monitoring and alerts
- Investigation: Immediate forensic analysis
- Notification: Affected parties notified within 24 hours
- Remediation: Immediate corrective actions
6.2 Security Contact
Report security concerns to: contact@stablestateit.com
7. Vulnerability Management
- Vulnerability Scanning: Regular automated scanning
- Penetration Testing: Annual third-party tests
- Patch Management: Critical patches within 48 hours
- Bug Bounty: Responsible disclosure program
8. Compliance
We maintain compliance with:
- SOC 2 Type II: Service organization controls (via Azure)
- ISO 27001: Information security management
- GDPR: EU data protection requirements
- CCPA: California privacy requirements
- HIPAA-Ready: Healthcare data standards available
9. Customer Responsibilities
Security is a shared responsibility. Customers must:
- Keep API keys and credentials confidential
- Rotate credentials regularly
- Use strong passwords and enable MFA
- Report suspected security issues immediately
- Comply with applicable data protection laws
10. Contact Information
- Email: contact@stablestateit.com
- Response Time: Critical issues within 4 hours
- Confidentiality: Responsible disclosure honored