Security Policy
🔒 Security is a shared responsibility. We protect the platform; you protect your account credentials and access.
1. Security Governance
1.1 Security Organization
- Security Lead: Responsible for overall security strategy and implementation
- Security Team: Reviews code, conducts testing, responds to incidents
- Engineering Team: Implements security features and patches
- Operations Team: Maintains secure infrastructure and monitoring
1.2 Security Policy Review
- Reviewed quarterly or when threats emerge
- Updated based on vulnerability assessments and best practices
- Communicated to all staff and contractors
- Enforced through access controls and auditing
1.3 Third-Party Audits
- Annual independent security audits
- Penetration testing performed by third-party firms
- Results reviewed and acted upon
- Audit reports available to Enterprise customers upon request
2. Data Security
2.1 Encryption in Transit
✓ HTTPS/TLS: All communication uses TLS 1.2 minimum (TLS 1.3 preferred) with Perfect Forward Secrecy enabled
API Authentication:
- All API requests authenticated via JWT bearer tokens or API keys
- Tokens signed with strong cryptographic algorithms
- Token expiration enforced; no perpetual tokens
2.2 Encryption at Rest
✓ Database Encryption: PostgreSQL data encrypted using AES-256 with Transparent Data Encryption (TDE)
- Backup encryption: AES-256 before transmission and storage
- File storage: All files encrypted at rest
- Password hashing: bcrypt (minimum cost factor 10) - never plaintext
- API keys: Hashed before storage
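An added example (not part of this policy or the platform's own code) showing how the two storage rules above can be implemented and checked in Python: API keys are retained only as a SHA-256 digest and compared in constant time, and stored bcrypt password hashes are audited against the minimum cost factor 10. The "ssk_" key prefix, the in-memory store and the sample hash strings are constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed in-memory store for the example: sha256(api_key) -> owner.
# A real deployment keeps these digests in the database; the raw key is never stored.
API_KEY_HASHES: Dict[str, str] = {}

MIN_BCRYPT_COST = 10  # minimum cost factor stated in the policy


def hash_api_key(api_key: str) -> str:
    """Hex SHA-256 digest of an API key.

    API keys are generated with >= 256 bits of entropy, so a fast unsalted hash
    is sufficient for them; passwords are low-entropy and use bcrypt instead.
    """
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def issue_api_key(owner: str) -> str:
    """Generate a key, persist only its digest, and return the key to the caller once."""
    api_key = "ssk_" + secrets.token_urlsafe(32)  # "ssk_" prefix is a constructed convention
    API_KEY_HASHES[hash_api_key(api_key)] = owner
    return api_key


def lookup_api_key(presented: str) -> Optional[str]:
    """Resolve a presented key to its owner, or None if unknown.

    hmac.compare_digest avoids leaking how many leading characters matched.
    """
    digest = hash_api_key(presented)
    for stored_digest, owner in API_KEY_HASHES.items():
        if hmac.compare_digest(stored_digest, digest):
            return owner
    return None


# Modular-crypt form of a bcrypt hash: "$2b$<cost>$" followed by 22 salt + 31 hash chars.
_BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def bcrypt_cost(password_hash: str) -> int:
    """Parse the cost factor from a stored bcrypt hash such as "$2b$12$...".

    Raises ValueError for anything that is not a well-formed bcrypt string,
    which catches a plaintext password accidentally written to the column.
    """
    m = _BCRYPT_RE.match(password_hash)
    if not m:
        raise ValueError("not a bcrypt hash")
    return int(m.group(1))


def meets_minimum_cost(password_hash: str, minimum: int = MIN_BCRYPT_COST) -> bool:
    """True if the stored hash was produced with at least the policy's minimum cost."""
    return bcrypt_cost(password_hash) >= minimum


def audit_password_hashes(hashes: Iterable[str]) -> List[str]:
    """Return the stored values that violate the policy (malformed or below minimum cost)."""
    bad: List[str] = []
    for h in hashes:
        try:
            if not meets_minimum_cost(h):
                bad.append(h)
        except ValueError:
            bad.append(h)
    return bad


# Constructed sample values: syntactically valid bcrypt strings, not real hashes of anything.
SAMPLE_HASHES = [
    "$2b$12$" + "a" * 53,   # cost 12: compliant
    "$2a$08$" + "b" * 53,   # cost 8: below the minimum of 10
    "hunter2",              # plaintext leaked into the hash column: must be flagged
]

if __name__ == "__main__":
    key = issue_api_key("svc-billing")
    print("issued", key[:8] + "...", "resolves to", lookup_api_key(key))
    print("non-compliant password hashes:", audit_password_hashes(SAMPLE_HASHES))
```

Rotating a key is then just issuing a new one and deleting the old digest; because only digests are stored, a database read gives an attacker nothing usable as a credential.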
2.3 Key Management
- Encryption keys managed in secure vaults (Azure Key Vault or HashiCorp Vault)
- Keys never hardcoded in source code
- Separate key management from data storage
- Regular key rotation (minimum annually)
- Audit logs for all key access
3. Infrastructure Security
3.1 Network Security
- Firewalls and DDoS protection on all public endpoints
- Rate limiting to prevent abuse
- Web Application Firewall (WAF) protecting against common attacks
- Network segmentation and isolation of sensitive systems
- Intrusion Detection Systems (IDS) monitoring for threats
3.2 Access Controls
- Role-Based Access Control (RBAC) throughout the platform
- Multi-Factor Authentication (MFA) available and recommended
- Principle of least privilege for all access
- Regular access reviews and removal of unnecessary permissions
- Audit logs for all administrative access
3.3 Monitoring & Logging
- Continuous monitoring of platform health and security
- Real-time alerting for security events
- Comprehensive audit logging of all administrative actions
- Log retention: minimum 90 days, longer for sensitive events
- Secure log storage with encryption and access restrictions
4. Application Security
4.1 Development Practices
- Secure coding standards enforced in code review
- OWASP Top 10 vulnerabilities actively prevented
- Input validation and output encoding on all user inputs
- SQL injection protection via parameterized queries
- Cross-Site Scripting (XSS) prevention
4.2 Testing & Vulnerability Management
- Static Application Security Testing (SAST) on all code commits
- Dynamic Application Security Testing (DAST) on pre-release builds
- Regular vulnerability scanning of dependencies
- Prompt patching of identified vulnerabilities
- Annual penetration testing by third-party experts
5. Incident Response
5.1 Response Procedures
- Documented incident response plan
- On-call security team available 24/7
- Immediate response to confirmed breaches
- Customer notification within 24 hours of confirmed incident
- Post-incident analysis and improvement process
5.2 Business Continuity
- Redundant systems across multiple geographic locations
- Automated failover for critical services
- Regular disaster recovery testing
- Recovery Time Objective (RTO): < 4 hours
- Recovery Point Objective (RPO): < 1 hour
6. Data Protection
6.1 Your Responsibility
Protect your:
- Account login credentials
- API keys and tokens
- Multi-factor authentication methods
- Private SSH/VPN keys
6.2 Our Responsibility
- Secure infrastructure and platform
- Encryption and secure storage
- Regular security updates and patches
- Incident response and breach notification
- Compliance with applicable security standards
7. Compliance & Standards
We comply with industry standards and frameworks:
- ISO 27001 (Information Security Management)
- OWASP (Web Application Security)
- GDPR (General Data Protection Regulation)
- SOC 2 Type II (System and Organization Controls)
- HIPAA (if handling healthcare data)
8. Reporting Security Issues
Found a security vulnerability? Please report it responsibly to:
Email: security@stablestateit.com
Phone: 346-509-9418
Do NOT: Publicly disclose vulnerabilities until we've had time to respond
9. Contact & Questions
Security inquiries: security@stablestateit.com
Compliance questions: compliance@stablestateit.com
General support: contact@stablestateit.com