The confidentiality, integrity, availability, and authenticity of your organization’s data is very important to us. This article summarizes the approach Stratawise uses to protect data with a focus on frequently asked questions from prospective clients and current customers.
In summary, we protect:
Confidentiality - by practicing privacy by design we work to limit where and when a user's private data is used. Every effort is used to minimize the scope both in terms of data flow and time period for private data. Beyond that, customers’ confidential business data is treated similarly, kept only as long as needed, in limited locations (e.g. primary data store and backup).
Integrity - techniques are used to ensure that data is not altered when in motion between a source and destination.
Availability - it is your data, and it should be accessible at all times. Considerable effort goes into ensuring systems are resilient to potential availability threats, such as denial of service or a bad actor deleting information or shutting down systems.
Authenticity - by ensuring users are authenticated and authorized, we ensure only users that should input, update, or delete data are allowed to. Beyond that, we maintain audit logs for every update made to data or configurations, enabling you to confirm who changed what, when, and from which IP Address.
Standard, public algorithms are used for encryption.
Certificates and associated private keys are managed according to best practices. The keys are kept private utilizing Azure’s Vault.
Encryption in motion utilizes asymmetric key exchange to provide optimal security.
In Motion: All data is encrypted in motion within Stratawise using TLS 1.2.
At Rest: All data is encrypted at rest using Azure’s Transparent Data Encryption (TDE). TDE uses the AES256 algorithm. With TDE, real-time encryption and decryption of the database, associated backups, and transaction logs, are automatically handled.
All accounts required to access Azure have two-factor authentication enabled.
All credentials required to further access resources within Azure are protected using Azure’s Vault to ensure no passwords or keys are stored as plain text.
The principle of least privilege is used to ensure users have minimal permissions, and additional permissions are only granted in order to run or access the current operation assigned to them.
As users change job duties or leave the company, access control processes are followed to ensure access is removed promptly.
Optionally, your organization's identity access mechanism can be used to authenticate through SAML to provide Single Sign-On (SSO). In this way, users do not have to maintain a separate password for logging into Stratawise.
If you have questions regarding security that this article does not address, please contact your Stratawise account manager or email support (firstname.lastname@example.org).