We take securing your data seriously. Here’s what we do to ensure that your private data stays private and our recommended best practices for protecting your data.
All payment information submitted through Stitch’s billing interface to pay for your subscription is handled in a PCI-compliant manner.
To inquire about replicating data subject to PCI requirements, reach out to our support team.
Stitch can replicate data in a HIPAA-compliant manner as part of an Enterprise plan.
To learn more replicating data subject to HIPAA compliance with Stitch, refer to the Operating Stitch in Compliance with HIPAA doc or contact the Stitch Sales team by using the contact form on the Stitch website.
Note: There are requirements outside of Stitch configuration that must be completed to ensure compliance. Reach out to Stitch Sales before replicating any sensitive data.
All credentials used to access other systems (i.e., your database or a SaaS integration) are encrypted before we store them.
Your data is always encrypted in transit and at rest within the Stitch environment. We offer several ways to get data into Stitch using encryption:
For data pulled from an HTTP API or submitted directly to Stitch’s Import API, we’ll use SSL/TLS-based encryption.
For data replicated from a database, we can use the encryption functionality built into the database, or an SSH tunnel.
Yes. SSL connections are currently supported for:
Database (input) integrations
Destinations (data warehouses)
Any database connected to Stitch using SSL must have SSL support turned on. To use SSL, just click the Connect using SSL checkbox underneath the Encryption Type menu in any of the credential pages of the databases listed above.
For Heroku-specific instructions regarding SSL, we recommend checking out their documentation.
You can also dive into the PostgreSQL SSL docs to learn more.
While VPN connections aren’t currently supported, reverse SSH tunnels may be implemented as part of an Enterprise plan. Contact Stitch Sales for more info.
Before your data is loaded into your data warehouse, it passes through Stitch’s secure infrastructure. This is a closed network protected by multi-factor authentication and accessible only to qualified members of our engineering team. On rare occasions, our engineers may need to read or move the data while it is in our infrastructure to debug or resolve an operational issue.
When this happens, your data will never leave our infrastructure. All members of our team - not just our engineers - have signed non-disclosure agreements. We’re committed to ensuring your data remains private.
As for your data warehouse, we will never access it without your explicit permission. We’ll ask every time it’s required to troubleshoot an issue and we’ll be sure to notify you when we’re doing it. No one likes surprises, least of all when it comes to their private data.
The access we need to successfully pull your data from a SaaS integration depends entirely on the vendor’s API and permission structure. In some cases, we only need read-only access to pull all the data required - in others, we need what amounts to full access.
Regardless of the level of permissions we need for an integration, we will only ever read your data.
Protocols & Recommendations
- Our data centers are protected by electronic security, intrusion detection systems, and a 24/7/365 human staff.
- Our operating systems and other software are kept up to date with the latest security patches.
- Our network is protected by dedicated firewall services to prevent unauthorized access, and our systems regularly undergo automated vulnerability scans.
Those are just our internal measures. We also take great care to ensure your data is secure as it makes its way through Stitch and into your data warehouse.
New features undergo a security review by our team before release. In addition, security professionals conduct regular audits and penetration tests on our existing systems.
For your database data, we recommend using our SSH and SSL features to ensure your data stays secure and encrypted in transit. Additionally, we encourage you to require strong passwords for database users.
For your SaaS data, we recommend that you keep your API keys private and don’t share your login credentials - for Stitch or any other service - with anyone.
If our team verifies a security vulnerability in our system, our first priority is to prevent its exploitation. After it’s contained, we do a thorough analysis to determine the scope of impact and notify affected users within 24 hours.
If you believe you’ve found a security vulnerability in Stitch, we encourage you to let us know right away by emailing firstname.lastname@example.org. We request that you do not publicly disclose the issue until we have a chance to address it. We won’t pursue legal action as long as you make a good-faith effort to avoid privacy violations and destructive exploitation of the vulnerability.
We will respond as quickly as we can and reward the confidential and non-destructive disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our users’ data (such as bypassing our login process, injecting code into another user’s session, or acting on another user’s behalf) with some swag. Other issues may be rewarded at our discretion.
If your database(s) or SaaS account(s) have been hacked, we recommend that you:
- Immediately recycle any credentials used to access your system or service,
- Generate new credentials, and
- Update the credentials for the appropriate integration(s) in Stitch.
Our team can help you remediate any data issues that might have occurred as a result of the breach.