Security Policy and Practices

Encryption of personal data

All data sent to or from Stampli is encrypted in transit using TLS with 256-bit cipher suites. Our API and application endpoints are served over TLS only and are restricted to strong cipher suites. Data at rest is encrypted with the industry-standard AES-256 algorithm.
More sensitive fields (such as external system tokens, bank account numbers and Social Security numbers) are additionally encrypted at the field level using AES-256 with a separate key from the one used for encryption at rest, so that access to the underlying storage alone does not expose them.

All passwords are stored only as hashes computed with a unique per-user salt.

The ongoing processes to ensure confidentiality, integrity, availability and resilience of systems and services

Stampli has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees. All employees complete Security and Awareness training annually. All employee contracts include a confidentiality agreement.

Web application and network firewalls: Stampli monitors for potential attacks with several tools, including a web application firewall and network-level firewalling. In addition, we use AWS's Distributed Denial of Service (DDoS) protections to help protect our application and access to it.

Software development lifecycle (SDLC) security: Stampli maintains an SDLC policy and uses static code analysis tools and human code review to ensure consistent quality in our software development practices. The SDLC also covers identifying and applying missing patches within the product infrastructure, and our instrumentation verifies that software packages are at the expected versions.

Security incident response: Stampli’s security incident processes are pre-defined during recurring preparation activities and exercises and are refined through investigation follow-ups. We use standard incident response process structures to ensure that the right steps are taken at the right time.

Vulnerability assessment: Stampli tests for potential vulnerabilities on a recurring basis, using static code analysis, code reviews and infrastructure vulnerability scans. We engage third-party penetration testing firms at least annually to test our application and infrastructure.

Data Restore in case of disaster, physical or technical incident

Stampli was built with disaster recovery in mind. Our databases are hosted on AWS in the eu-west-1 (Ireland) region, and our infrastructure and data are spread across multiple Availability Zones in that region, so the service continues to operate should any one zone fail. In addition, we take daily backups of our databases and periodically test restoring from them.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

As part of this process, all system components are tested and evaluated at different levels of integration before deployment to the Stampli system. This testing includes functional tests and security tests. Authorization from the Network Administrator or a supervisor must be obtained before any new equipment or software is deployed.

Stampli initiates its change management process when deficiencies in the design, operating or security effectiveness of controls are identified during system testing, operation or monitoring. Stampli's Network Administrator reviews and approves all change requests and oversees the change management process.

Users’ identification and authorization

Users are identified and authenticated using strong passwords. Attempts to log in with incorrect usernames or passwords are rate-limited, which greatly reduces the opportunity to brute-force a user account. Customers can also enable two-factor authentication (2FA) or single sign-on (SSO) over the SAML protocol through their own SSO provider.

Physical security of locations at which personal data are processed

Stampli hosts all its software in Amazon Web Services (AWS) facilities in Ireland. Amazon provides an extensive list of compliance and regulatory assurances, including SOC 1, 2 and 3 and ISO 27001; see Amazon's compliance and security documents for details. All Stampli servers are located within Stampli's own virtual private cloud (VPC), protected by restricted security groups that allow only the minimum communication required to and between the servers. Stampli conducts third-party vulnerability scans at least annually.

Events logging

All events are logged to a customer-accessible audit log, an internal logging system, or both; the internal logging system retains logs for three months. Customer requests are logged in a ticketing system and maintained there.

Internal IT and IT security governance and management

Stampli management directs security governance in order to achieve a high standard of IT security, and IT security management makes the decisions required to mitigate risks.

Stampli has defined a set of responsibilities and practices exercised by executive management with the goal of ensuring that objectives are achieved, that risks are managed appropriately, and that the company's resources are used responsibly.

This consists of an organization-wide view of security risk that integrates physical security and IT security, giving an optimized IT infrastructure and better protection for digital, physical and human assets.

Stampli has established a framework to ensure that risks are adequately mitigated, with management ensuring that controls, systems and policies address every threat systematically and consistently.

This includes ongoing activities covering the development, assessment and improvement of risk management, employee training, and coordination across the organization's employees, hardware, digital assets and policies. The ultimate aim is to maintain effective cybersecurity and prevent a data breach.

In the event that a cybersecurity incident does occur, procedures are in place, and employees are briefed and trained on basic remedial measures. We document these processes and procedures so that they are on hand for easy reference and future training.

Management periodically assesses internal security risks and documents any irregularities or vulnerabilities.

Certification / assurance of processes and products

Stampli undergoes SOC 1, SOC 2 and SOC 3 audits with annual reviews. Stampli is also PCI DSS compliant (SAQ D Attestation of Compliance). You can access our SOC 3 report here.

Data avoidance and minimization

Stampli observes the principles of data avoidance and data minimization: it collects, processes and uses only the data required to provide its services.

Data quality

Stampli user data is entered directly by our customers' administrators and/or their vendors. Customers can review and update this data at will. We also handle data subject requests to update their data through our customer support.

Data retention

Stampli will retain and use your information in accordance with our internal retention, archiving and back-up regimens. We may retain certain Personal Information about you for as long as necessary for the purposes described in the Privacy Policy, which includes keeping contact information after you have cancelled your service with us for the period of time needed for us to pursue legitimate business requirements and interests, conduct audits, comply with and/or demonstrate our regulatory and legal obligations, resolve disputes and enforce our agreements.

Accountability

Stampli maintains a good level of understanding by using an expert third party to review our application and systems, and provides training to improve awareness of data protection among staff. We implement comprehensive but proportionate policies and procedures, and keep records on all related matters.

Security Bounty

Please submit bug reports or vulnerability findings to bugbounty@stampli.com.

Portability and data disposal

Stampli allows data subjects to exercise their rights to data portability and data disposal through a dedicated email address (privacy@stampli.com), and has implemented an internal policy and training for this purpose.