Thank you for trusting Stamped with your company's data. We take this responsibility very seriously and make every effort to be transparent and careful when handling this data on your behalf. If you have specific questions or concerns, contact us at security@stamped.ai.
Stamped uses industry-standard technologies and services to secure your data from unauthorized access, disclosure, inappropriate use, and loss of access. We ensure that the security policies of all our sub-processors are documented and up-to-date with industry compliance standards where required (PCI, GDPR, etc.).
Security at Stamped is overseen by our Chief Technical Officer and carried out by our entire team.
If you would like to report a vulnerability, please contact security@stamped.ai with a proof of concept, the list of tools used, and the output of those tools.
When a security disclosure is received, we will work quickly to reproduce each reported vulnerability and verify its status before taking the steps needed to remedy it.
Stamped's payment and card information is handled by Stripe, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider.
In an effort to provide the best security for all our customers when it comes to personal information, Stamped treats all data as if it were bound by GDPR regulation.
Any person (including EU residents) wishing to submit a personal data request to Stamped may do so by sending an email to privacy@stamped.ai explaining their data request.
Stamped is compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA). For information on the types of Personal Data Stamped stores and how we store it, please see our Privacy Policy.
If you wish to contact our Data Protection Officer (DPO) for any concerns around Personal Data collection or usage, they can be reached at privacy@stamped.ai.
Stamped infrastructure is hosted on Salesforce Heroku.
The Heroku data centers are co-located with some of the most respected data center facility providers in the world. Heroku leverages all of the capabilities of these providers, including physical security and environmental controls, to secure the infrastructure from physical threat or impact. Each site is staffed 24/7/365 with on-site physical security to protect against unauthorized entry. Security controls provided by the data center facilities include, but are not limited to:
- 24/7 physical security guard services
- Physical entry restrictions to the property and the facility
- Physical entry restrictions to Heroku's co-located data center within the facility
- Full CCTV coverage, externally and internally, for the facility
- Biometric readers with two-factor authentication
- Facilities are unmarked so as not to draw attention from the outside
- Battery and generator backup
- Generator fuel carrier redundancy
- Secure loading zones for delivery of equipment
For more information on Heroku security features, refer to Heroku's Compliance Center page. Stamped employees do not have physical access to Heroku data centers, servers, network equipment, or storage.
The Heroku servers where we run our infrastructure are located in the United States of America.
We are not able to provide the exact physical address of the data centers, as Heroku has historically been reticent about publishing the locations of its facilities for security reasons.
We currently run Linux on all our servers and use a combination of automated and manual inspection to determine whether new vulnerabilities have been introduced in the software packages on our systems. Our Infrastructure team ingests these alerts and prioritizes remediation according to our internal Security Vulnerability Identification documentation.
Stamped has full control over all its infrastructure on Heroku, and only authorized Infrastructure Team members at Stamped have access to configure infrastructure when needed in order to add new functionality or respond to incidents. All access used to control infrastructure requires two-factor authentication (2FA). Authorization levels for infrastructure components follow the principle of least privilege.
Heroku undergoes third-party independent audits and can provide verification of compliance controls for its infrastructure. Heroku data center operations have been accredited under:
- PCI DSS Level 1
- HIPAA
- ISO 27001, ISO 27017 and ISO 27018
- EU-U.S. and Swiss-U.S. Privacy Shield Certification
- SOC 1 Type 2, SOC 2 Type 2 and SOC 3
For more information on Heroku compliance practices, refer to Heroku's Compliance Center page.
Every part of the Stamped service runs on properly provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) so that the failure of one component does not take the service down. All our deploys are zero-downtime deploys, and we implement gradual rollout and rollback of services in the case of deployment errors.
Stamped keeps continuous backups of our production databases. These backups typically lag the operational system by at most a few hours, allowing us to restore to any point in the last 24 hours in the case of data corruption or loss.
Stamped stores all infrastructure as code and is therefore able to bring up complete copies of the production and staging environments quickly. In the event of a complete region-wide outage, the Stamped Infrastructure Team will bring up a duplicate environment in a different DigitalOcean region.
Data is sent from third-party integrations to the Stamped backend over TLS 1.2.
Stamped's latest SSL Labs report can be found here.
Stamped maintains network firewall rules at the infrastructure level that limit the paths through which data could be exfiltrated. We scrutinize our partners and integrations to ensure that they comply with the necessary security regulations (GDPR, PCI, etc.) before transferring data to them for processing.
Sensitive data on Stamped servers is automatically encrypted at rest using industry-standard AES-256 encryption. Stamped's master encryption key is stored in AWS Key Management Service (KMS).
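The at-rest design described above, shown as an added example in Go that is not Stamped's code: each record is encrypted with AES-256-GCM under its own data key, and only that data key is encrypted under the master key (envelope encryption), so the master key never touches bulk data and rotating it means re-wrapping small keys, not re-encrypting everything. The in-process masterKey, the Envelope type and the binding of each ciphertext to its record ID are assumptions of this example; in production the wrap and unwrap steps would be calls to AWS KMS and the master key would not be present in application memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// masterKey stands in for the key held in AWS KMS. With real KMS the wrap and
// unwrap steps in Encrypt/Decrypt would be kms:Encrypt and kms:Decrypt (or
// GenerateDataKey) and this value would never exist in the application.
// Generated at start-up for this constructed example only.
var masterKey = mustRandom(32)

// Envelope is what is written to storage: the ciphertext together with its own
// data key, itself encrypted under the master key.
type Envelope struct {
	KeyNonce   []byte // nonce used when wrapping the data key
	WrappedKey []byte // 256-bit data key, AES-256-GCM under masterKey
	Nonce      []byte // nonce used for the payload
	Ciphertext []byte // payload, AES-256-GCM under the data key
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce. aad is
// authenticated but not encrypted; it binds a ciphertext to its record so a
// blob cannot be swapped between rows without failing authentication.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = mustRandom(aead.NonceSize())
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt generates a one-off data key for this record, encrypts the record
// with it, wraps the data key under the master key and returns both. The
// plaintext data key lives only for the duration of this call.
func Encrypt(recordID string, plaintext []byte) (*Envelope, error) {
	dataKey := mustRandom(32)
	nonce, ct, err := seal(dataKey, plaintext, []byte(recordID))
	if err != nil {
		return nil, err
	}
	keyNonce, wrapped, err := seal(masterKey, dataKey, nil) // the KMS call in production
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyNonce: keyNonce, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key and opens the payload. Tampering with the
// ciphertext or the wrapped key, or presenting the wrong recordID, fails.
func Decrypt(recordID string, env *Envelope) ([]byte, error) {
	dataKey, err := open(masterKey, env.KeyNonce, env.WrappedKey, nil) // the KMS call in production
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Nonce, env.Ciphertext, []byte(recordID))
}

func main() {
	env, err := Encrypt("review-42", []byte("customer note: great product"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt("review-42", env)
	fmt.Printf("%s (err=%v)\n", pt, err)
	_, err = Decrypt("review-43", env) // same bytes, different record: refused
	fmt.Println("wrong record id:", err)
}
```

The record ID as associated data is the detail most often missed: without it, an attacker with write access to the store can move a valid ciphertext from one row to another and it will decrypt cleanly.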
Stamped only ever sends data over TLS 1.2 or later, and never downgrades connections to legacy protocols such as SSLv3 or TLS 1.0.
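The minimum-version policy stated above, as an added example in Go that is not Stamped's configuration: a server whose tls.Config refuses anything below TLS 1.2, exercised once by a modern client and once by a client that will only offer TLS 1.0, over an in-memory connection with a throwaway self-signed certificate. The certificate, the hostname example.test and the helper names are assumptions of this example; on a real deployment the same MinVersion setting is what prevents a downgrade, and it sits in the load balancer or server config rather than in application code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate for "example.test" so the
// handshakes below run entirely in memory (constructed for this example).
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// HardenedServerConfig is the corrected policy: nothing below TLS 1.2 is accepted.
// Session tickets are disabled only so the in-memory pipe needs no reads after
// the handshake; they are unrelated to the version policy.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true,
	}
}

// clientConfig fixes the version range a client offers and trusts only the throwaway cert.
func clientConfig(root *x509.Certificate, min, max uint16) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{ServerName: "example.test", RootCAs: pool, MinVersion: min, MaxVersion: max}
}

// Handshake runs one handshake over net.Pipe and returns the negotiated
// protocol version, or an error if either side refused the connection.
func Handshake(server, client *tls.Config) (uint16, error) {
	cs, ss := net.Pipe()
	errc := make(chan error, 1)
	go func() {
		defer ss.Close()
		errc <- tls.Server(ss, server).Handshake()
	}()
	c := tls.Client(cs, client)
	clientErr := c.Handshake()
	version := c.ConnectionState().Version
	cs.Close()
	if serverErr := <-errc; clientErr == nil && serverErr != nil {
		clientErr = serverErr
	}
	if clientErr != nil {
		return 0, clientErr
	}
	return version, nil
}

// NegotiatedVersions exercises the hardened server with a modern client and with
// a client that will only speak TLS 1.0. A result of 0 means the handshake was refused.
func NegotiatedVersions() (modern, legacy uint16, err error) {
	cert, root, err := selfSignedCert()
	if err != nil {
		return 0, 0, err
	}
	srv := HardenedServerConfig(cert)
	if modern, err = Handshake(srv, clientConfig(root, tls.VersionTLS12, tls.VersionTLS13)); err != nil {
		return 0, 0, err
	}
	legacy, _ = Handshake(srv, clientConfig(root, tls.VersionTLS10, tls.VersionTLS10))
	return modern, legacy, nil
}

func main() {
	modern, legacy, err := NegotiatedVersions()
	if err != nil {
		panic(err)
	}
	fmt.Printf("modern client negotiated %#x; TLS 1.0-only client got %#x (0 = refused)\n", modern, legacy)
}
```

A TLS 1.0-only client never gets past the ClientHello: the server answers with a protocol_version alert instead of negotiating down, which is the behaviour the policy above promises and the one an external scan such as SSL Labs checks for.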
Data may be retained after termination of service according to the terms of our main customer contract. If data is kept after termination of service for machine learning training purposes, Stamped scrubs all personally identifiable information (PII) from the customer data. This includes, but is not limited to, usernames, email addresses, phone numbers, credit card numbers and IP addresses.
Stamped scrubs personal information when sending data to a third-party integration.
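One way to implement the scrubbing described in the two paragraphs above, as an added example in Go that is not Stamped's code: structured PII fields (username, email, phone, IP, card) are dropped from a record outright before it is exported, and the remaining free-text fields are run through pattern redaction, with a Luhn check so that order numbers and other long digit runs are not mistaken for card numbers. The field names, the patterns (US-style phone numbers, IPv4 only) and the sample text are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Redaction order matters: card numbers go first so a 16-digit run is not
// half-eaten by the phone pattern, and IPs before phones so a dotted quad is
// not read as digit groups. Patterns are simplified assumptions for this example.
var redactions = []struct {
	name string
	re   *regexp.Regexp
	ok   func(match string) bool // optional extra validation of a match
}{
	{"CARD", regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`), luhnValid},
	{"EMAIL", regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`), nil},
	{"IP", regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`), nil},
	{"PHONE", regexp.MustCompile(`(?:\+1[ .-]?)?(?:\(\d{3}\)|\d{3})[ .-]?\d{3}[ .-]?\d{4}\b`), nil},
}

// luhnValid strips separators and applies the Luhn checksum, so a 13-19 digit
// run is only treated as a card number if it could actually be one.
func luhnValid(match string) bool {
	sum, double, n := 0, false, 0
	for i := len(match) - 1; i >= 0; i-- {
		c := match[i]
		if c < '0' || c > '9' {
			continue
		}
		d := int(c - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
		n++
	}
	return n >= 13 && sum%10 == 0
}

// ScrubText redacts PII patterns in free text such as review bodies or comments.
func ScrubText(s string) string {
	for _, r := range redactions {
		s = r.re.ReplaceAllStringFunc(s, func(m string) string {
			if r.ok != nil && !r.ok(m) {
				return m // matched the shape but failed validation: leave it
			}
			return "[" + r.name + "]"
		})
	}
	return s
}

// piiFields are structured fields dropped before a record leaves the system.
// Scanning free text is a backstop for PII typed into the wrong place, not a
// substitute for knowing which fields are personal data.
var piiFields = map[string]bool{
	"username": true, "email": true, "phone": true, "ip": true, "card": true,
}

// ScrubRecord returns a copy of rec with PII fields removed (matched
// case-insensitively) and every remaining value run through ScrubText.
func ScrubRecord(rec map[string]string) map[string]string {
	out := make(map[string]string, len(rec))
	for k, v := range rec {
		if piiFields[strings.ToLower(k)] {
			continue
		}
		out[k] = ScrubText(v)
	}
	return out
}

func main() {
	// Constructed sample; the first card number is the standard Visa test number,
	// the second is a 16-digit order number that fails the Luhn check.
	text := "Contact jane.doe@example.com or +1 (555) 123-4567 from 203.0.113.7; " +
		"card 4111 1111 1111 1111; order 1234 5678 9012 3456"
	fmt.Println(ScrubText(text))
	fmt.Println(ScrubRecord(map[string]string{
		"Username": "jdoe", "rating": "5", "comment": "email me at jdoe@example.com",
	}))
}
```

Dropping known fields and scanning free text are deliberately separate: the field list is the authoritative control, and the regexes only catch what customers paste into review text. Anything exported for model training should go through ScrubRecord, not just ScrubText.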
In the settings page, we include an Activity section where dashboard Owners and Administrators can view the activity in their account. It is listed chronologically, giving insight into the organization's most recent activity.
Stamped practices continuous delivery, which means all code changes are committed, tested, shipped, and iterated on in rapid sequence. A continuous delivery methodology, complemented by pull request reviews, continuous integration (CI), automated security scanning, and automated error tracking, significantly decreases the likelihood of a security issue and improves the mean response time to security vulnerabilities. Internally, Stamped requires at least one authorized reviewer for every code change, and deployments to our production environment are gated on all code having been reviewed.
We run Snyk on a daily scanning routine to automatically alert us to new security vulnerabilities, and Dependabot weekly to automate dependency updates and keep dependencies secure.
Stamped conducts a mandatory background check and reference check for all employees prior to joining our team.
Stamped enforces a mandatory security training program for all new and existing Stamped developers that must be completed annually. This security training covers the OWASP Top 10 in the specific programming languages that the developer uses.
In the event of a data breach, Stamped follows the GDPR breach-notification requirements and notifies affected customers within 72 hours of becoming aware of the breach, where feasible.
Stamped maintains a live report of operational uptime and issues on our status page. Anyone can subscribe to updates via email from the status page.