Information and Data Security Statement

Thank you for trusting Stamped with your company's data. We take this responsibility very seriously and make every effort to be transparent and careful when handling this data on your behalf. If you have specific questions or concerns, contact us at security@stamped.ai

Stamped uses industry standard technologies and services to secure your data from unauthorized access, disclosure, inappropriate use, and loss of access. We ensure that the security policies of all our sub processors are documented and up-to-date with industry compliance standards where required (PCI, GDPR, etc).

Security at Stamped is overseen by our Chief Technical Officer and carried out by our entire team.

Vulnerability Disclosure

If you would like to report a vulnerability, please contact security@stamped.ai with a proof of concept, list of tools used, and the output of the tools.

If a security disclosure is received, we will work quickly to reproduce each vulnerability to verify its status before taking the steps needed to remedy.

Compliance and Certification

PCI DSS

Coming soon.

GDPR

Coming soon.

Infrastructure and Network Security

Servers

Stamped infrastructure is hosted on Heroku, which is built on Amazon Web Services (AWS). The AWS data centers are equipped with multiple levels of physical access barriers, that include:

  • Alarms
  • Outer Perimeter Fencing that is crash-rated for vehicles
  • Electronic Access Cards
  • Video Surveillance
  • Internal Trip-Lights

For more information on AWS Security features, you can refer to this whitepaper. Stamped employees do not have physical access to AWS data centers, servers, network equipment, or storage.

The AWS servers where we run our infrastructure are located in the US.

We are not able to provide the exact physical address of the data centre as both Heroku and Amazon have historically been quite reticent in publishing location information of their facilities for security reasons.

We currently run Ubuntu 18.04 on all our servers and use a combination of automated and manual inspection to determine if new vulnerabilities are introduced in the software packages on our systems. We use Snyk on a daily scanning routine to automatically alert to new security vulnerabilities. Our Infrastructure team ingests these alerts and prioritizes remediation according to our internal Security Vulnerability Identification documentation.

Logical Access Control

Stamped has full control over all its infrastructure on Heroku, and only authorized Infrastructure Team members at Stamped have access to configure infrastructure when needed in order to add new functionality, or respond to incidents. All access required for control of infrastructure has mandated two-factor (2FA) authentication. The levels of authorization for infrastructure components is mandated by the principle of least privilege.

Penetration Testing

Stamped undergoes grey box penetration testing conducted by an independent third-party agency on an annual basis. For grey box penetration testing, Stamped will provide the agency with an overview of application architecture and information about system endpoints.

Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities.

Third-Party Audit

Heroku's physical infrastructure is hosted and managed within Amazon's secure data centers and utilize the Amazon Web Service (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon's data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

Business Continuity and Disaster Recovery

High Availability

Every part of the Stamped service uses properly-provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in the case of failure. All our deploys are zero-downtime deploys using Heroku Preboot, and we implement gradual rollout and rollback of services in the case of deployment errors.

Business Continuity

Stamped keeps continuous backups of our production databases using Heroku Postgres Continuous Protection. These backups are typically just a few seconds behind the operational system, allowing us to restore easily to any time in the last 24 hours in the case of data corruption or loss.

Disaster Recovery

Stamped stores all infrastructure as code and as such is able to bring up complete copies of production and staging environments quickly. In the event of a complete region-wide outage, the Stamped Infrastructure Team will bring up a duplicate environment in a different Heroku region.

Data Flow

Data through System

Data is sent from third-party integrations to the Stamped backend via TLS 1.2.

Stamped's latest SSL Labs Report can be found here.

Data out of System

Stamped maintains intelligent network firewall rules at the infrastructure level that limit the surface for data extraction. We scrutinize our partners and integrations to ensure that they comply with necessary security regulations (GDPR, PCI, etc), before transferring data for processing.

Data Security and Privacy

Data Encryption

Sensitive data in Stamped servers is automatically encrypted at rest using industry-standard AES-256 encryption. Stamped's master encryption key is stored in AWS Key Management Service.

Stamped only ever sends data over TLS 1.2 or greater, and never downgrades connections to insecure early TLS methods like SSLv3 or TLS 1.0.

Data Removal

Data may be retained after termination of service according to specification within our main customer contract. If data is kept after termination of service for machine learning training purposes Stamped will scrub all personally identifiable information (PII) from customer data. This includes, but is not limited to, usernames, emails, phone numbers, credit cards, IPs.

PII Scrubbing

Stamped scrubbs personal information when sending data to a third-party integration.

Application Security

Two-Factor Authentication

In addition to password login, two-factor authentication (2FA) provides an added layer of security to Stamped via a time-based one-time password algorithm (TOTP). We encourage 2FA as an important step towards securing data access from intruders.

Stamped supports 2FA for all user accounts. 2FA can be enabled for a user in the Profile section of the Stamped dashboard.

Audit Controls

In the settings page, we include an Activity section where dashboard Owners and Administrators can view the activity in their account. This is listed chronologically so you'll have insight into the organization's most recent activity.

Secure Application Development

Stamped practices continuous delivery, which means all code changes are committed, tested, shipped, and iterated on in rapid sequence. A continuous delivery methodology, complemented by pull request reviews, continuous integration (CI), automated security scanning, and automated error tracking, significantly decreases the likelihood of a security issue and improves the mean response time to security vulnerabilities. Internally, Stamped enforces at least one authorized reviewer for all code changes, and deployments to our production environment are gated under condition that all code is reviewed.

Corporate Security

Background Checks

Stamped conducts a mandatory background check and reference check for all employees prior to joining our team.

Security Training

Stamped enforces a mandatory security training program for all new and existing Stamped developers that must be completed annually. This security training covers the OWASP Top 10 in specific programming languages that the developer uses.

Disclosure Policy

In the event of a data breach, Stamped defers to GDPR regulations, which maintains that customers shall be notified within 72 hours of a data breach, where feasible.

Stamped maintains a live report of operational uptime and issues on our status page. Anyone can subscribe to updates via email from the status page.