Security at SafeStack

At SafeStack, we practice what we preach. We have an in-depth security program and we’re dedicated to continually improving it.

User information security

PII (Personally Identifiable Information)

We collect the following personally identifiable information for authentication and user identification purposes.

This information is stored securely and shared responsibly with third parties only on a need-to-know basis, to provide application functionality.

Full name
Email address
Company name
Credit card information (if applicable)
IP address

Authentication and authorization

SafeStack doesn’t store any password-related information.

We trust industry experts at Auth0 to store all authentication and authorization-related information for us. This means authentication itself is driven by our integration with Auth0.

Product access control

A small subset of SafeStack’s team has access to the products and to customer data via controlled interfaces.

The intent of this access is to provide effective customer support, troubleshoot potential problems, detect and respond to security incidents, and implement data security.

Encryption

All application data stored with SafeStack is encrypted at rest using the industry-standard AES-256 encryption algorithm on the database server(s).

In addition, all network communication uses a minimum TLS version 1.2 for encrypting data in transit.

Tenant-level isolation and role-based access control

The SafeStack platform was designed from the ground up to be a secure, multi-tenant, SaaS application. Platform design ensures there is a sufficient level of isolation between tenants, organizations within tenants, and groups within organizations.

Our role-based access control policies ensure that only users with specific roles are allowed to perform specific operations in the application. These roles and their corresponding allowed actions are well documented.

Change management

Peer code reviews: every pull request is reviewed by peers, whether it’s a new feature or a bug fix. Security reviews are performed as appropriate for the work.
Regular code audits for security.
Regular penetration testing.

Cloud security

SafeStack uses Amazon Web Services (AWS) as its cloud service provider and leverages AWS’ security and compliance controls for data center physical security and cloud infrastructure.

You can find further resources for this service provider on the AWS Security Cloud website.

Monitoring, alerting, and logging

Monitoring and alerting

The SafeStack platform is continuously monitored to detect performance trends, connectivity issues, downtime, availability, errors as well and many other operational matters.

Our engineering team is alerted about high-priority issues within seconds of them occurring, so they can be investigated as quickly as possible.

Logging

SafeStack uses a centralized log management solution to capture various application-level logs, including backend and browser logs.

Logging is used extensively for troubleshooting, alerting and support purposes. All application logs have a retention period of 15 days, at which point they’re automatically and permanently deleted.

All activity in our AWS environment(s), either automated or by SafeStack personnel, is logged using AWS CloudTrail for verification purposes.

Vulnerability management

External penetration testing

SafeStack regularly undergoes an external penetration test by an independent third party.

Vulnerability reporting

We appreciate any effort to find and coordinate the disclosure of security vulnerabilities. While we don’t currently have a bug bounty program or offer monetary rewards for vulnerability reports, we may provide swag or other acknowledgment or recognition in product updates.

If you’d like to report a vulnerability or you have security concerns about any SafeStack systems, please email security@safestack.io

Operational security

SafeStack employees are encouraged to follow security best practices when using various types of software required to run daily business operations.

Production account(s) access is sufficiently guarded with typical security best practices like complex passwords and multi-factor authentication.

Backups and disaster recovery

Frequent, continuous, automated backups

We back up all critical customer data automatically, continuously, and before any major releases. We also retain backups for many weeks and can perform point-in-time recovery. To ensure reliable and secure backups, we leverage the backup and restore features provided by AWS RDS.

Disaster recovery

We’re well versed with common disaster recovery scenarios and have plans in place to perform recovery drills for various types of disasters.

You can rely on our team’s collective experience to deal with disaster situations. In turn, we can rely on our well-established and constantly improving DevOps practices to keep downtime to a minimum and ensure our learners always have access to what they need in our platform.