Information and Data Security Statement
Thank you for trusting Stamped with your company's data. We take this responsibility very seriously and make every effort to be transparent and careful when handling this data on your behalf.
Stamped uses industry-standard technologies and services to protect your data from unauthorized access, disclosure, inappropriate use, and loss of availability. We require that the security policies of all subcontractors are documented and kept current with the compliance standards that apply to the data they handle (PCI DSS, GDPR, etc.).
Security at Stamped is overseen by the Chief Technical Officer and implemented by the entire team.
Vulnerability Disclosure
To report a security vulnerability, please contact security@stamped.ai with a proof of concept, a list of the tools used, and the relevant tool output.
When a vulnerability is reported, Stamped works quickly to reproduce it and confirm its impact before taking the necessary remediation steps.
Compliance and Certification
PCI DSS
Payment and card information for Stamped is handled by Stripe, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI DSS Level 1 Service Provider.
GDPR
Stamped treats all data as bound by the General Data Protection Regulation. Anyone wishing to submit a personal data request can email privacy@stamped.ai.
PIPEDA
Stamped complies with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). To contact the Data Protection Officer, email privacy@stamped.ai.
Infrastructure and Network Security
Servers
Stamped's infrastructure is hosted on Salesforce Heroku. Data centers benefit from 24/7/365 physical security. Security controls include:
- 24/7 physical security guard services
- Physical access restrictions to property and facilities
- Full CCTV coverage inside and outside
- Biometric readers with two-factor authentication
- Battery and generator backup
- Generator fuel carrier redundancy
- Secure loading zones for equipment delivery
All servers run Linux. Stamped uses a combination of automated scanning and manual review to determine whether newly disclosed vulnerabilities affect the software packages in use.
Logical Access Control
Only authorized Infrastructure Team members can access infrastructure configuration. All such access requires two-factor authentication, and authorization levels follow the principle of least privilege.
Third-Party Audit
Heroku data center operations are accredited under: PCI DSS Level 1, HIPAA, ISO 27001, ISO 27017, ISO 27018, EU-U.S. and Swiss-U.S. Privacy Shield Certification (note that the EU-U.S. Privacy Shield was invalidated by the Court of Justice of the European Union in July 2020 and is no longer a valid basis for EU-to-U.S. data transfers on its own), SOC 1 Type 2, SOC 2 Type 2, and SOC 3.
Business Continuity and Disaster Recovery
High Availability
Every part of the Stamped service uses redundant servers (load balancers, web servers, replicated databases). All deployments are zero-downtime with rolling deployment and rollback on errors.
Backups
Stamped maintains continuous production database backups, allowing point-in-time restoration to any moment within the last 24 hours.
Disaster Recovery
Stamped stores all infrastructure as code and can quickly create full copies of production and staging environments.
Data Security and Privacy
Data Encryption
Sensitive data is automatically encrypted at rest using AES-256. Records are encrypted with data keys that are themselves wrapped by a master key held in AWS Key Management Service (KMS), so the master key never leaves KMS. All data in transit is sent over TLS 1.2 or higher; older protocol versions are not negotiated.
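The envelope-encryption scheme described above (a per-record AES-256 data key, wrapped by a master key kept in a KMS) is illustrated by the following added example. This is not Stamped's code: the master key is simulated locally, where a real deployment would call kms:GenerateDataKey and kms:Decrypt, and the record layout, field names, and the "tenant=42" encryption context are assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedRecord is what lands in storage: the wrapped data key travels with
// the ciphertext, and the plaintext data key is never written anywhere.
type EncryptedRecord struct {
	WrapNonce  []byte // GCM nonce used when wrapping the data key
	WrappedKey []byte // data key encrypted under the master key
	Nonce      []byte // GCM nonce used for the payload
	Ciphertext []byte // AES-256-GCM ciphertext with authentication tag
}

// MasterKey stands in for a key held in AWS KMS (assumption for this example).
// With a real KMS the raw key bytes would never be present in process memory.
type MasterKey struct{ key []byte }

func NewMasterKey() (*MasterKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &MasterKey{key: k}, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is bound
// into the tag so the ciphertext only opens with the same context.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func unseal(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt generates a 256-bit data key for this record, encrypts the payload
// with it, wraps the data key under the master key, and drops the plaintext
// data key. context plays the role of a KMS encryption context.
func Encrypt(mk *MasterKey, plaintext, context []byte) (*EncryptedRecord, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dataKey, plaintext, context)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(mk.key, dataKey, context)
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{WrapNonce: wrapNonce, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the master key, then opens the payload.
// A wrong context or a modified ciphertext fails authentication and returns
// an error rather than garbage.
func Decrypt(mk *MasterKey, rec *EncryptedRecord, context []byte) ([]byte, error) {
	dataKey, err := unseal(mk.key, rec.WrapNonce, rec.WrappedKey, context)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return unseal(dataKey, rec.Nonce, rec.Ciphertext, context)
}

func main() {
	mk, _ := NewMasterKey()
	// Constructed sample record and context, not real customer data.
	rec, _ := Encrypt(mk, []byte("customer@example.com"), []byte("tenant=42"))
	pt, err := Decrypt(mk, rec, []byte("tenant=42"))
	fmt.Printf("decrypted=%q err=%v\n", pt, err)
	_, err = Decrypt(mk, rec, []byte("tenant=43"))
	fmt.Println("wrong context rejected:", err != nil)
}
```

Because each record has its own data key, rotating the master key only requires re-wrapping the small data keys, not re-encrypting every payload, which is the practical reason for the two-level design.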
Data Removal
Data may be retained after service termination according to the retention terms of the master customer contract. Stamped scrubs all personally identifiable information (PII) from client data before sending it to third-party integrations.
Application Security
Stamped practices continuous delivery with mandatory pull request reviews, continuous integration, automated dependency vulnerability scanning via Snyk, and weekly automated dependency updates via Dependabot.
Corporate Security
Background Checks
Stamped performs mandatory background and reference checks for all employees.
Security Training
Stamped enforces a mandatory annual security training program covering the OWASP Top 10.
Breach Notification
Customers will be notified within 72 hours of Stamped becoming aware of a data breach affecting their data, where feasible, consistent with the GDPR's breach notification requirements.