We take securing your data seriously. Here’s what we do to ensure that your private data stays private and our recommended best practices for protecting your data.


Compliance

Stitch has been certified compliant with the SOC 2 security, availability, and confidentiality principles by an independent auditor. The audit report can be requested by contacting Stitch Sales.

All payment information submitted through Stitch’s billing interface to pay for your subscription is handled in a PCI-compliant manner.

To inquire about replicating data subject to PCI requirements, reach out to our support team.

Stitch can replicate data in a HIPAA-compliant manner as part of an Enterprise plan.

To learn more replicating data subject to HIPAA compliance with Stitch, refer to the Operating Stitch in Compliance with HIPAA doc or contact the Stitch Sales team by using the contact form on the Stitch website.

Note: There are requirements outside of Stitch configuration that must be completed to ensure compliance. Reach out to Stitch Sales before replicating any sensitive data.

Stitch is in full compliance with the European Union’s Global Data Protection Regulation (GDPR).

The Stitch Terms of Use includes a Data Processing Addendum (DPA) that enacts standard contractual clauses set forth by the European Commission to establish a legal basis for cross-border data transfers from the EU. The Stitch Privacy Policy also includes specific GDPR requirements.

Stitch is certified under the US-EU and US-SWISS Privacy Shield Programs, meaning any EU or Swiss data transfer will be handled in accordance with the principles laid out in the Privacy Shield Framework.

For more information on Privacy Shield, check out the link above or this FAQ on the program.


Data processing

Yes. The Data pipeline region setting, defined when you create a Stitch account, controls the region where Stitch-hosted data centers process replicated data.

Refer to the Supported Data Pipeline Regions documentation for more info.

The Data pipeline region setting only affects the replication of data in your Stitch account, specifically extracting, preparing, and loading data into your destination.

All other processes and data, such as billing, reporting, and other metadata, are not affected by your account’s data pipeline region. Data and metadata related to these processes will be processed using Stitch’s North America region.

Refer to the Supported Data Pipeline Regions documentation for more info.


Encryption

All credentials used to access other systems (i.e., your database or a SaaS integration) are encrypted before we store them.

Your data is always encrypted in transit and at rest within the Stitch environment. We offer several ways to get data into Stitch using encryption. Refer to the Data encryption guide for more info.

SSL connections are available on all plans for the majority of integrations and destinations. Refer to the Data encryption guide for more info.

SSH connections are available on all plans for the majority of database integrations and some destinations. Refer to the Data encryption guide for more info.

Additional connection options such as VPNs or reverse SSH tunnels may be implemented as part of an Enterprise plan. Contact Stitch Sales for more info.

Refer to the Advanced connectivity section in the Data encryption guide for more info.


Data access

Before your data is loaded into your data warehouse, it passes through Stitch’s secure infrastructure. This is a closed network protected by multi-factor authentication and accessible only to qualified members of our engineering team. On rare occasions, our engineers may need to read or move the data while it is in our infrastructure to debug or resolve an operational issue.

When this happens, your data will never leave our infrastructure. All members of our team - not just our engineers - have signed non-disclosure agreements. We’re committed to ensuring your data remains private.

As for your data warehouse, we will never access it without your explicit permission. We’ll ask every time it’s required to troubleshoot an issue and we’ll be sure to notify you when we’re doing it. No one likes surprises, least of all when it comes to their private data.

The access we need to successfully pull your data from a SaaS integration depends entirely on the vendor’s API and permission structure. In some cases, we only need read-only access to pull all the data required - in others, we need what amounts to full access.

Regardless of the level of permissions we need for an integration, we will only ever read your data.


Protocols and recommendations

  • Our data centers are protected by electronic security, intrusion detection systems, and a 24/7/365 human staff.
  • Our operating systems and other software are kept up to date with the latest security patches.
  • Our network is protected by dedicated firewall services to prevent unauthorized access, and our systems regularly undergo automated vulnerability scans.

Those are just our internal measures. We also take great care to ensure your data is secure as it makes its way through Stitch and into your data warehouse.

New features undergo a security review by our team before release. In addition, security professionals conduct regular audits and penetration tests on our existing systems.

For your database data, we recommend using our SSH and SSL features to ensure your data stays secure and encrypted in transit. Additionally, we encourage you to require strong passwords for database users.

For your SaaS data, we recommend that you keep your API keys private and don’t share your login credentials - for Stitch or any other service - with anyone.


Security issues

If our team verifies a security vulnerability in our system, our first priority is to prevent its exploitation. After it’s contained, we do a thorough analysis to determine the scope of impact and notify affected users within 24 hours.

If you believe you’ve found a security vulnerability in Stitch, we encourage you to let us know right away by emailing security@stitchdata.com. We request that you do not publicly disclose the issue until we have a chance to address it. We won’t pursue legal action as long as you make a good-faith effort to avoid privacy violations and destructive exploitation of the vulnerability.

We will respond as quickly as we can and reward the confidential and non-destructive disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our users’ data (such as bypassing our login process, injecting code into another user’s session, or acting on another user’s behalf) with some swag. Other issues may be rewarded at our discretion.

If your database(s) or SaaS account(s) have been hacked, we recommend that you:

  1. Immediately recycle any credentials used to access your system or service,
  2. Generate new credentials, and
  3. Update the credentials for the appropriate integration(s) in Stitch.

Our team can help you remediate any data issues that might have occurred as a result of the breach.



Questions? Feedback?

Did this article help? If you have questions or feedback, feel free to submit a pull request with your suggestions, open an issue on GitHub, or reach out to us.