We offer several ways to get data into Stitch using encryption. Any data pulled from a web API or submitted directly to the Stitch Import API will use SSL-based encryption.

For data stored in a database, we can use the encryption functionality built into the database. For example, our Postgres integration supports SSL-encrypted connections.

For databases that don’t support encryption, or if encryption isn’t activated on a database, we can transport the data through an SSH tunnel to ensure it stays secure. After we receive your data, it will not leave our network without being encrypted.

We are PCI compliant.

We are not HIPAA compliant.

All payment information you use to pay for your Stitch subscription is handled in a PCI-compliant manner. However, you shouldn't send data covered under PCI to us for analysis. We really, really don’t want it.

Before your data is loaded into your data warehouse, it passes through Stitch's secure infrastructure. This is a closed network protected by multi-factor authentication and accessible only to qualified members of our engineering team. On rare occasions, our engineers may need to read or move the data while it is in our infrastructure to debug or resolve an operational issue.

When this happens, your data will never leave our infrastructure. All members of our team - not just our engineers - have signed non-disclosure agreements. We're committed to ensuring your data remains private.

As for your data warehouse, we will never access it without your explicit permission. We’ll ask every time it’s required to troubleshoot an issue and we’ll be sure to notify you when we’re doing it. No one likes surprises, least of all when it comes to their private data.

Yes. SSL connections are currently supported for:

Any database connected to Stitch using SSL must have SSL support turned on. To use SSL, just click the Connect using SSL checkbox underneath the Encryption Type menu in any of the credential pages of the databases listed above.

For Heroku-specific instructions regarding SSL, we recommend checking out their documentation.

You can also dive into the PostgreSQL SSL docs to learn more.

Not currently. If you're interested in adding support for VPN connections, please contact our support team with your use case. We're always interested in exploring the possibility of the features our customers want, so please don't hesitate.

The access we need to successfully pull your data from a SaaS integration depends entirely on how that vendor’s API functions. In some cases, we only need read-only access to pull all the data required - in others, we need full access.

Regardless of the level of permissions we need for an integration, we will only ever read your data.

To keep your database data secure, we recommend using our SSH and SSL features to ensure your data stays secure and encrypted in transit. Additionally, we encourage you to require strong passwords for database users.

To keep your SaaS data secure, we recommend that you keep your API keys private and don’t share your login credentials - for Stitch or any other service - with anyone.

All credentials used to access other systems (i.e., your database or a SaaS integration) are encrypted before we store them.

Our data centers are protected by electronic security and intrusion detection systems and a 24/7/365 human staff. Our operating systems and other software are kept up to date with the latest security patches. Our network is protected by dedicated firewall services to prevent unauthorized access, and our systems regularly undergo automated vulnerability scans.

Those are just our internal measures. We also take great care to ensure your data is secure as it makes its way through Stitch and into your data warehouse.

New features undergo a security review by our team before release, and the security professionals at ^Lift Security perform regular audits and penetration tests on our existing systems.

Stitch is certified under the US-EU and US-SWISS Privacy Shield Programs, meaning any EU or Swiss data transfer will be handled in accordance with the principles laid out in the Privacy Shield Framework.

For more information on Privacy Shield, check out the link above or this FAQ on the program.

If our team verifies a security vulnerability in our system, our first priority it to prevent its exploitation. After it’s contained, we do a thorough analysis to determine the scope of impact and notify affected users within 24 hours.

If you believe you’ve found a security vulnerability in Stitch, we encourage you to let us know right away by emailing security@stitchdata.com. We request that you do not publicly disclose the issue until we have a chance to address it and we won’t pursue legal action as long as you make a good-faith effort to avoid privacy violations and destructive exploitation of the vulnerability.

We will respond as quickly as we can and reward the confidential and non-destructive disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our users' data (such as bypassing our login process, injecting code into another user's session, or acting on another user's behalf) with some swag. Other issues may be rewarded at our discretion.

If your database(s) or SaaS account(s) have been hacked, we recommend that you:

  1. Immediately recycle any credentials used to access your system or service,
  2. Generate new credentials, and
  3. Update the credentials for the appropriate integration(s) in Stitch.

Our team can help you remediate any data issues that might have occurred as a result of the breach.



Questions? Feedback?

Did this article help? If you have questions or feedback, please reach out to us.