Information and Data Security Statement

Last updated: May 26, 2026

Thank you for trusting Stamped with your firm's data. We take this responsibility very seriously and aim to be transparent about the technical and organizational measures we put in place to protect your data.

Security at Stamped is overseen by the technical leadership and implemented by the whole team. Our practices are designed to align with Québec's Law 25, Canada's PIPEDA, and the GDPR where applicable.

Vulnerability Disclosure

To report a vulnerability, email engineering@stamped.ai with a proof of concept, a list of the tools used, and the resulting output. We work quickly to reproduce each reported vulnerability to confirm its status before remediating. Stamped will not pursue security researchers acting in good faith under responsible-disclosure practices.

Compliance and Frameworks

Law 25 (Québec) and PIPEDA (Canada)

Stamped operates from Québec and complies with the Act to modernize legislative provisions as regards the protection of personal information ("Law 25") and the Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1). We carry out Privacy Impact Assessments before any transfer outside Québec, maintain a register of confidentiality incidents, and have designated a person responsible for the protection of personal information (engineering@stamped.ai). We also comply with PIPEDA at the federal level.

GDPR

Stamped processes personal information in line with the principles of the General Data Protection Regulation where it applies. Data-subject requests can be sent to engineering@stamped.ai.

PCI DSS (via Stripe)

Payment processing is handled by Stripe, a PCI DSS Level 1 certified service provider. Stamped does not store full payment-card numbers or security codes on its infrastructure.

ISO/IEC 27001

Stamped's security program is aligned with the ISO/IEC 27001 control set. Stamped does not currently hold an ISO 27001 or SOC 2 certification. We also rely on infrastructure providers (Google Cloud Platform, Cloudflare) that maintain these certifications for their own environments.

Hosting and Data Residency

Our infrastructure is hosted on Google Cloud Platform in Canada (Montréal — northamerica-northeast1). The main components:

  • Cloud Run — application execution (web tier 2–6 instances, worker tier 2–4 instances) with automatic scaling;
  • Cloud SQL for PostgreSQL — primary database, read replica, and a dedicated replication database for audit-log ingestion;
  • Cloud Memorystore (Redis) — two separate instances (Sidekiq HA queue and Rails cache), with authentication and in-transit encryption enabled;
  • Cloudflare in front of the Google Cloud load balancer with Cloud Armor for WAF rules — DNS is also managed at Cloudflare;
  • Cloud Logging and Sentry for application logging and error monitoring;
  • AWS S3 via ActiveStorage for user-uploaded attachments.

The entire infrastructure is defined and versioned as code with Terraform; every change goes through peer review before being applied.

Multi-Tenant Isolation

Each customer firm is isolated in its own PostgreSQL schema using the Apartment gem. This database-level segmentation prevents one firm's data from being exposed to another, even in the case of an application bug. Data stored in S3 is prefixed by tenant identifier and subject to the corresponding access policies.

Encryption

In transit

All traffic to the platform is served over HTTPS only. The application enables force_ssl and sends the Strict-Transport-Security (HSTS) header with a one-year max-age, includeSubDomains, and preload. Internal traffic between Cloud Run, Cloud SQL, and Memorystore is encrypted in transit.
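One way to check a response against the HSTS policy stated above (added example, not Stamped's code). The function names and the sample header values are constructed for illustration.

```ruby
# Added example: audits a Strict-Transport-Security header value against the
# stated policy (max-age of at least one year, includeSubDomains, preload).
ONE_YEAR = 31_536_000 # seconds in 365 days

# Parse an HSTS header value into { directive_name => value_or_true }.
# Directive names are case-insensitive; RFC 6797 requires each directive to
# appear only once, so a repeated directive is reported as malformed (nil).
def parse_hsts(value)
  directives = {}
  value.to_s.split(";").each do |part|
    name, arg = part.strip.split("=", 2)
    next if name.nil? || name.strip.empty?
    key = name.strip.downcase
    return nil if directives.key?(key)
    directives[key] = arg ? arg.strip.delete('"') : true
  end
  directives
end

# Return a list of policy gaps; an empty list means the header matches.
def hsts_findings(value)
  d = parse_hsts(value)
  return ["header missing or malformed"] if d.nil? || d.empty?
  findings = []
  max_age = d["max-age"]
  if !max_age.is_a?(String) || max_age !~ /\A\d+\z/
    findings << "max-age missing or not an integer"
  elsif max_age.to_i < ONE_YEAR
    findings << "max-age #{max_age} is below one year (#{ONE_YEAR})"
  end
  findings << "includeSubDomains missing" unless d["includesubdomains"] == true
  findings << "preload missing" unless d["preload"] == true
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample header values, not captured from any real site.
  ["max-age=31536000; includeSubDomains; preload",
   "max-age=15552000; includeSubDomains"].each do |header|
    puts "#{header.inspect} => #{hsts_findings(header).inspect}"
  end
end
```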

At rest

At-rest encryption is applied by default across Google Cloud storage (AES-256). Particularly sensitive fields — email address, secrets, OAuth tokens — are also encrypted at the application layer using the Lockbox library, with a blind index on email to allow searches without decryption. The Rails master key is held outside the repository and is required at startup (config.require_master_key = true).
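How a blind index lets an encrypted email column be searched without decrypting it, as an added example (not Stamped's code and not the Lockbox API). It assumes AES-256-GCM for the field and uses HMAC-SHA256 as a stand-in for the keyed index function; the keys, class, and method names are constructed.

```ruby
require "openssl"
require "securerandom"

# Added example. Constructed keys; real keys come from a secret store.
ENC_KEY   = SecureRandom.bytes(32) # encrypts the field
INDEX_KEY = SecureRandom.bytes(32) # separate key, used only for the index

def normalize_email(email)
  email.strip.downcase
end

# Deterministic keyed digest: the same email always yields the same index.
def blind_index(email, key = INDEX_KEY)
  OpenSSL::HMAC.hexdigest("SHA256", key, normalize_email(email))
end

# Randomized encryption: output layout is nonce (12) + tag (16) + ciphertext.
def encrypt(plaintext, key = ENC_KEY)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  nonce = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

def decrypt(blob, key = ENC_KEY)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, 12)
  cipher.auth_tag = blob.byteslice(12, 16)
  cipher.update(blob.byteslice(28, blob.bytesize - 28)) + cipher.final
end

# In-memory stand-in for a table with email_ciphertext and email_bidx columns.
class UserStore
  attr_reader :rows

  def initialize
    @rows = []
  end

  def add(email)
    @rows << { email_ciphertext: encrypt(normalize_email(email)),
               email_bidx: blind_index(email) }
  end

  # Equality lookup touches only the index column; one row is decrypted.
  def find_by_email(email)
    wanted = blind_index(email)
    row = @rows.find { |r| r[:email_bidx] == wanted }
    row && decrypt(row[:email_ciphertext])
  end
end
```

Because the index is deterministic, two rows with the same email carry the same index value, so the index key needs the same protection as the encryption key.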

Authentication and Access Control

User authentication is built on Devise and OmniAuth, with:

  • magic-link sign-in with short expiry windows;
  • mandatory email confirmation;
  • password strength enforcement via devise_zxcvbn;
  • OAuth tokens and magic-link digests encrypted at rest via Lockbox.

Application authorization uses ActionPolicy and Rolify, following the principle of least privilege. Access to the admin console and production tooling is restricted, logged, and multi-factor-authenticated.

Rate Limiting and Abuse Protection

Rack::Attack enforces the following application-level limits:

  • a general cap of 300 requests per minute per IP;
  • 20 login attempts per hour per IP;
  • magic-link throttles to prevent enumeration and abuse.

Above this layer, Cloudflare and Cloud Armor filter traffic at the network edge, mitigate Distributed Denial-of-Service (DDoS) attacks, and block known attack patterns.

Security Headers and Web Defences

  • strict, nonce-based Content Security Policy (CSP) with no inline scripts and violation reports sent to a dedicated endpoint;
  • per-form CSRF tokens on every state-changing request;
  • Google reCAPTCHA on public forms for bot protection.

Logging and Audit

Stamped uses the audited gem to log changes to user and identity records (secrets are excluded from the logs). Production console access is recorded and reviewed using console1984 and audits1984. A dedicated replication database receives the audit stream so that logs can be retained and queried independently of the production database. Application and infrastructure logs are centralized in Cloud Logging.

Business Continuity and Disaster Recovery

High availability

Cloud Run scales the web and worker tiers automatically. The database is replicated and the read replica is available for read-only queries. Deployments are zero-downtime with automatic rollback on errors.

Backups

Cloud SQL runs automated daily backups and retains the logs required for Point-In-Time Recovery (PITR) in the same region. Retention settings are managed in Terraform.

Recovery plan

Because the infrastructure is fully described in Terraform, we can rebuild full environment copies from source code and backups. Our recovery plan is reviewed periodically.

Secure Development Lifecycle

Stamped practises continuous integration and delivery with mandatory peer pull-request reviews, automated dependency security scanning, automated tests, and progressive deployments. Secrets are never stored in clear text in the repository; they are managed through Google Cloud secret-management services.

Organizational Security

  • Pre-employment checks — background and reference checks for new employees;
  • Mandatory annual training covering the OWASP Top 10 and privacy awareness;
  • Workstation security — full-disk encryption, multi-factor authentication, centrally managed devices.

Incident Notification

In the event of a confidentiality incident presenting a risk of serious injury, Stamped will promptly notify Québec's Commission d'accès à l'information and the affected individuals, in accordance with section 3.5 of the Act respecting the protection of personal information in the private sector. Where the GDPR applies, we will notify the competent supervisory authority within 72 hours. We maintain a register of incidents that we make available to authorities on request.

Contact

For any security or privacy-related question, email engineering@stamped.ai.