Security

Overview

Stytch protects the confidentiality, integrity, and availability of your data under a shared responsibility model that identifies the respective responsibilities of Stytch and our customers.

  • Stytch’s responsibility: Stytch is responsible for the security of the services and underlying infrastructure, the implementation of monitoring controls, and the maintenance of policies and procedures to meet our service commitments and system requirements.
  • Customer responsibility: Stytch customers are responsible for securing the configurations and permissions they enable within Stytch Services. This includes ensuring that customer workspaces, projects, and environments have the correct users and permissions set, that API keys and tokens are appropriately secured within your internal systems, that IPs are validated, and so on.

Infrastructure & physical security

Stytch leverages highly available and secure cloud infrastructure across multiple platforms to ensure that our services are always available and securely delivered.

All Stytch hardware and networking is routinely updated and audited to ensure systems are secure and that least-privilege access is followed. Additionally, we implement robust logging and audit protocols that give us high visibility into system use.

Personnel security

Stytch fosters a culture of security and privacy awareness among all personnel. Upon hire and annually thereafter, all employees complete training courses covering Stytch information security practices, privacy practices and requirements, and how to respond to social engineering attacks. Software developers are also required to complete additional training on secure software development.

Stytch follows the principles of least privilege and segregation of duties wherever possible. Stytch requires that all access to its infrastructure, applications, and data be controlled based on business and operational requirements, with users provisioned only the minimum set of privileges needed to perform their job responsibilities.

When personnel leave Stytch, all of their respective user accounts, passwords, hardware, and badges are immediately revoked.

Service level security

Policies and procedures are in place for handling data processed, stored, and transmitted by Stytch. Data elements are inventoried and classified according to their sensitivity and applicable audience in accordance with Stytch’s Data Classification Policy. Customer confidential data is retained in accordance with contractual terms and regulatory requirements.

Stytch requires that requests to Stytch services be encrypted in transit using Transport Layer Security (TLS), with certificates issued by an established third-party certificate authority. Sensitive data is encrypted at rest using the Advanced Encryption Standard (AES) with 256-bit keys or stronger.

Security testing & assurance

As part of our security program, we conduct internal security tests and third-party penetration tests, and we respond to vulnerabilities reported by the public. Identified vulnerabilities are triaged and mitigated in accordance with Stytch policies and procedures, contractual requirements, and internal service level agreements.

Responsible disclosure program

We take the security of our users’ data and our services seriously. As such, we encourage responsible security research on Stytch services and products. If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@stytch.com. We will acknowledge your email within 2 business days. As public disclosures of a security vulnerability could put the entire Stytch community at risk, we ask that you keep such potential vulnerabilities confidential until we are able to address them. Please make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Stytch services. Please only interact with accounts you own or for which you have explicit permission from the account holder. While researching, please refrain from:

  • Distributed Denial of Service (DDoS)
  • Spamming
  • Social engineering or phishing of Stytch employees or contractors
  • Any attacks against Stytch’s physical property or data centers

Thank you for helping to keep Stytch and our users safe!
