To deliver our services while protecting the confidentiality, integrity, and availability for all our customers, we operate under a shared security responsibility model. This model is adopted by many organizations to identify the respective responsibilities of Stytch and our customers. In this model, Stytch is responsible for the security of the Stytch services and Stytch customers are responsible for the security of their specific configurations within the respective implementations of Stytch services.
Stytch’s responsibility: Stytch is responsible for the security of the services and underlying infrastructure.
Customer responsibility: Stytch customers are responsible for securing their respective configurations and permissions that they enable within Stytch services for their projects. This includes ensuring that customer projects have the correct user permissions set, keys and tokens are appropriately secured within your internal systems, IPs are validated, etc.
Infrastructure & physical security
Stytch leverages highly available and secure cloud infrastructure across multiple platforms to ensure that our services are always available and securely delivered.
All Stytch hardware and networking is routinely updated and audited to ensure systems are secure and that least privileged access is followed. Additionally we implement robust logging and audit protocols that allow us high visibility into system use.
Security of Stytch services starts with our employees, which is why we foster a culture of security and approach every question with an eye towards safety. Upon hire and annually thereafter, all employees complete training courses designed to cover Stytch information security practices, privacy practices and requirements, as well as responding to social engineering attacks. Software developers are also required to complete additional courses related to secure software development.
Stytch follows the principles of least privilege and segregation of duties wherever possible. Stytch requires that all access to its infrastructure, applications, and data be controlled based on business and operational requirements with users only being provisioned the minimum set of privileges required to perform their required job responsibilities.
When personnel leave Stytch, all of their respective user accounts, passwords, hardware, and badges are revoked.
Service level security
Policies and procedures are in place for handling data processed, stored, and transmitted by Stytch. Data elements are inventoried and classified according to their sensitivity and applicable audience in accordance with Stytch’s Data Classification Policy. Customer confidential data is retained in accordance with contractual terms and regulatory requirements.
Stytch requires requests to Stytch services to be encrypted using Transport Layer Security (TLS) using certificates from an established third party certificate authority. Sensitive data is encrypted at rest using Advanced Encryption Standard (AES) 256-bit encryption algorithm or better.
As part of our security program, we conduct internal security tests, third party penetration tests, and respond to reported vulnerabilities from the public. Identified vulnerabilities are triaged and mitigated in accordance with contractual requirements and internal service level agreements.
Responsible disclosure program
Here at Stytch, we take the security of our user’s data and of our services seriously. As such, we encourage responsible security research on Stytch services and products. If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at email@example.com. We will acknowledge your email within 2 business days. As public disclosures of a security vulnerability could put the entire Stytch community at risk, we ask that you keep such potential vulnerabilities confidential until we are able to address them. We aim to resolve critical issues within 30 days of disclosure. Please make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Stytch service. Please only interact with accounts you own or for which you have explicit permission from the account holder. While researching, please refrain from:
- Distributed Denial of Service (DDoS)
- Social engineering or phishing of Stytch employees or contractors
- Any attacks against Stytch’s physical property or data centers
Thank you for helping to keep Stytch and our users safe!