Security at Stemble

At Stemble we prioritize the security and privacy of our users, ensuring our platform is secure, reliable, and resilient against various threats. This document outlines the key security measures and practices we employ.

Physical Security

Stemble’s customer data is hosted in AWS. You can find detailed information regarding their physical security controls here. Stemble employees do not have access to the data centers or servers where its infrastructure is hosted.

Stemble’s office remains locked at all times and employees are issued individual keys.

Network Security

We utilize AWS VPC to isolate our network environment. Subnets, security groups, and network access control lists (ACLs) are configured to restrict access to sensitive resources. We strive to limit open ports to those that are required. Web traffic to our site is routed through Application Load Balancers, which only expose ports 443 and 80. All HTTP traffic is redirected to HTTPS. A Web Application Firewall is applied to these load balancers to mitigate DDoS attacks. Bastion servers allowing Secure Shell (SSH) access to our network environment are restricted to known keys and IP addresses.

Access to our network and firewall configuration is restricted to Stemble’s IT Operations team. Multi-factor Authentication is required for all employees with cloud provider access.

Third Parties

Stemble makes use of third parties to assist with processing and hosting of its data. Each Third Party’s policies are evaluated by our management team prior to use to ensure they align with Stemble’s mandate to protect its users’ data, and changes to Third Parties’ policies are periodically reviewed to ensure continued compliance. Third Parties used by Stemble are disclosed in our Privacy Policy.

Disaster Recovery and Business Continuity

Stemble has disaster recovery and business continuity plans that are reviewed and revised annually. We use services provided by our hosting provider to distribute our production operations across four separate physical locations, and to provide redundant power and network connectivity. Stemble also stores backups in a separate location more than 1000 kilometers from our primary operating environment.

Data Minimization

We collect only the necessary data required to provide and improve our services. Personal data is handled with the utmost care and in accordance with relevant privacy laws and regulations. We send Third Parties the minimal amount of data required to perform their role as it relates to processing. This is governed by our Privacy Policy.

Data Protection

Stemble ensures data is encrypted in transit and at rest.

All data transmitted between our users and servers is encrypted using TLS 1.2+ to protect against interception and eavesdropping.

All customer data is stored in AWS with encryption at rest enabled. Data backups are also encrypted this way.

Data Backups

Databases are backed up constantly, with incremental backups. Full snapshots are taken twice daily. The full database snapshots are exported to an external account twice daily and are encrypted. Access to this external account is limited to a very minimal number of highly trusted employees within the Stemble organization, and is protected with MFA.

We also back up any drives containing data used for logging and auditing, and export these encrypted drives to our external backups account twice daily.

S3 buckets containing uploaded files and other object data are also constantly replicated to the same external account.

Stemble executes a data “fire drill” at least annually to ensure data can be decrypted and restored from backup, and is both accessible and usable.

Access Controls

Stemble implements the principle of least privilege and ensures access to sensitive information is restricted based on job roles and responsibilities.

Role-based access controls (RBAC) are enforced in our systems for all users and MFA is required when possible. Systems that do not support MFA are configured to ensure strong passwords are required.

Access to all internal systems is swiftly revoked when an employee is no longer with the organization.

Logging, Auditing and Monitoring

All requests to Stemble systems are logged. Access to these logs is restricted to Stemble’s IT Operations team.

Stemble’s IT Operations team maintains a number of logging, monitoring, and alerting tools to ensure issues can be quickly identified, prioritized, traced, and resolved.

Secure Development Practices

All code changes are submitted through a formal peer review process before they are accepted and deployed.

Stemble uses automated scanning of its code and dependencies for issues, which are reviewed at least weekly through our internal triage process. Vulnerabilities are brought to the attention of the appropriate team to be addressed.

Stemble’s development teams meet weekly for group learning sessions. Topics include review of common security vulnerabilities, best practices for secure programming, accessibility best practices, and best practices for password and account management.

All access to our source control repositories requires MFA.

Responsible Disclosure Policy

While Stemble does not offer bug bounty rewards, we do implement a Responsible Disclosure Policy. If you believe you have found a security vulnerability in the Stemble platform or have any questions related to Stemble’s security, please contact our IT Operations team at security@stemble.com. Your request will be reviewed promptly.

Updates to this Document

This document reflects our ongoing commitment to security and data privacy. It will be updated periodically to address new challenges and incorporate the latest security advancements.