Trust and Security

At Stratifyd, we believe in transparency regarding our security standards and practices and aim to protect against security breaches and provide data confidentiality, integrity, and availability. Our priority is to ensure Customers have the information needed to trust us with their data. Below is a summary of our security practices.

Personally Identifiable Information

The Customer is in full control over what data is uploaded to the Stratifyd Platform. Stratifyd's services do not require data containing Personally Identifiable Information (PII), so Customers should redact PII from their data before ingestion, either on their own side or with the Redaction Engine described below.

Redaction

Customers have the option to utilize Stratifyd's Redaction Engine. The Redaction Engine is a stage of the data ingestion pipeline that removes Personally Identifiable Information (PII), payment card information (PCI), and other sensitive values from text before the data is stored or analyzed.
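As an added illustration of what a pre-ingestion redaction pass does, the Python below replaces e-mail addresses, phone numbers and payment card numbers in free text with placeholders. It is example code written for this page, not Stratifyd's Redaction Engine, whose internals the page does not describe; the sample record, the regular expressions and the `[CARD]`/`[PHONE]`/`[EMAIL]` placeholder names are all assumptions made for the example. Card candidates are confirmed with a Luhn checksum so that order ids and ticket numbers of similar length are left intact.

```python
import re

# Constructed sample record for this example; none of these values are real customer data.
SAMPLE = (
    "Contact jane.doe@example.com or +1 (704) 555-0142 about order 12345. "
    "Card on file: 4111 1111 1111 1111, expires 09/27. "
    "Reference number 1234 5678 9012 3456 is an order id, not a card."
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# North American numbers with optional +1, parentheses and common separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
# 13 to 19 digits with optional single spaces or dashes between them; each
# candidate is confirmed with a Luhn check so look-alike reference numbers survive.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str) -> str:
    """Replace card numbers, phone numbers and e-mail addresses with placeholders.

    Cards are handled first so the phone pattern cannot match a fragment of a
    card number; only Luhn-valid card candidates are replaced.
    """
    def _card(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return "[CARD]" if luhn_valid(digits) else match.group(0)

    text = CARD_RE.sub(_card, text)
    text = PHONE_RE.sub("[PHONE]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    return text


if __name__ == "__main__":
    print(redact(SAMPLE))
```

Pattern-based redaction of this kind is a first pass, not a guarantee: names, addresses and free-text identifiers need dictionary or model-based detection, and a Luhn check accepts roughly one in ten random digit strings, so a reviewer should sample the output before treating a data set as free of PII.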

Authentication and Access

Stratifyd has an access control program in place and applies the principle of least privilege across its systems. System, vendor, and service accounts are not used for day-to-day operations, and their usage is monitored. A Virtual Private Network (VPN) is required when accessing company resources.

Logging and Monitoring

Event logs recording user activities, exceptions, faults, and information security events are produced, retained, protected, and regularly reviewed by the Trust and Security team. Application and network security incidents are recorded and managed. Firewall logs are monitored for signs of excessive port scanning. All systems are synchronized to a single reference time source. Application, database, and network access reviews are completed on a regular basis.
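As an added example of the kind of check implied by "monitored for signs of excessive port scanning", the Python below parses firewall log lines and flags any source address that contacts at least ten distinct destination ports within a sixty-second window. This is illustrative code written for this page, not Stratifyd's monitoring tooling; the log line format, the sample addresses (RFC 5737 documentation ranges) and the window and threshold values are assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical line format assumed for this example:
#   <ISO timestamp>Z <ACTION> src=<ip> dst=<ip> dport=<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def make_sample_lines():
    """Constructed log lines: 203.0.113.5 probes eleven ports in about 30 s,
    while 198.51.100.7 makes fifteen ordinary connections to a single port."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080]):
        ts = (base + timedelta(seconds=3 * i)).isoformat() + "Z"
        lines.append(f"{ts} DENY src=203.0.113.5 dst=10.0.0.10 dport={port}")
    for i in range(15):
        ts = (base + timedelta(seconds=4 * i)).isoformat() + "Z"
        lines.append(f"{ts} ALLOW src=198.51.100.7 dst=10.0.0.10 dport=443")
    return lines


def parse_line(line):
    """Return {'ts', 'src', 'dport'} for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = m.group("ts")
    if ts.endswith("Z"):
        ts = ts[:-1]            # fromisoformat() on older Pythons does not accept 'Z'
    return {"ts": datetime.fromisoformat(ts), "src": m.group("src"), "dport": int(m.group("dport"))}


def find_port_scanners(lines, window_seconds=60, threshold=10):
    """Map each source address to the largest number of distinct destination ports it
    touched inside any sliding window of `window_seconds`, keeping only sources that
    reached `threshold` or more. Malformed lines are ignored."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append((ev["ts"], ev["dport"]))

    window = timedelta(seconds=window_seconds)
    scanners = {}
    for src, events in by_src.items():
        events.sort()                       # by timestamp, then port
        ports_in_window = Counter()
        left = 0
        best = 0
        for ts, port in events:
            ports_in_window[port] += 1
            # advance the left edge until every event in the window is recent enough
            while ts - events[left][0] > window:
                old_port = events[left][1]
                ports_in_window[old_port] -= 1
                if ports_in_window[old_port] == 0:
                    del ports_in_window[old_port]
                left += 1
            best = max(best, len(ports_in_window))
        if best >= threshold:
            scanners[src] = best
    return scanners


if __name__ == "__main__":
    print(find_port_scanners(make_sample_lines()))
```

Counting distinct ports rather than raw connection attempts is what separates a scan from a busy but legitimate client; the repeated hits on port 443 above never trip the threshold. In production the same logic would run over a stream, and the threshold and window should be tuned against a baseline of normal traffic to keep the alert volume manageable.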

Vulnerability Management

Internal and third-party systems are used to monitor the confidentiality, integrity, and availability of our platform. We conduct quarterly vulnerability scans, annual penetration tests, weekly web application scans, and ensure our development efforts follow industry-standard guidelines/best practices. If an incident occurs, a team of engineers is alerted immediately.

Data Storage and Transmission

Customer data is housed within AWS S3 buckets and AWS EBS volumes and is encrypted at rest by default using the 256-bit Advanced Encryption Standard (AES-256). Customer data is encrypted in transit with TLS 1.2 between the nodes maintained by Stratifyd and our web frontend. The platform is built to be data source agnostic, and Stratifyd has a track record of connecting via SFTP, APIs, and direct database connections.

Data Erasure

Stratifyd supports secure deletion of individual data sets and/or all Customer Data upon request by the Customer, both during the term of the agreement and after it ends. Stratifyd does not share data it processes on behalf of Customers with third parties. Unless deletion is requested earlier, Customer data is retained until contract termination.

Performance and Reliability

Stratifyd offers product uptime monitoring and publishes a live status page.

Backups and Recovery

The Stratifyd application and its databases are hosted within AWS. Both the applications and the data within them are replicated across multiple availability zones within an AWS region. For MongoDB hosted on AWS, Stratifyd uses MongoDB Atlas's Cloud Provider Snapshot functionality. Cloud Provider Snapshots on AWS have built-in incremental backup functionality and are taken daily.

Compliance and Audit Reports

Stratifyd undergoes compliance audits on an annual basis to demonstrate compliance to laws, regulations, and standards. Additionally, an annual risk assessment is performed, which includes a review of relevant privacy laws and the identification/assessment of risks to data privacy. Moreover, management establishes company objectives consistent with laws and regulations.

Stratifyd is SOC 2 Type 2 and PCI DSS compliant. For more information and a copy of our latest audit reports please contact us at Privacy@stratifyd.com.

Stratifyd is compliant with GDPR and CCPA requirements. Stratifyd currently does not participate in the Privacy Shield Program: following the invalidation of the EU-U.S. Privacy Shield Framework on July 16, 2020, Stratifyd decided to withdraw from it.

Nevertheless, Stratifyd will continue to apply the Privacy Shield Principles to personal data that it had received in reliance upon Privacy Shield and affirm to the Department of Commerce on an annual basis its commitment to apply the Principles to such data. Furthermore, Stratifyd is committed to the use of Standard Contractual Clauses (SCCs). For more information please visit our Privacy Policy.