Stamplay runs entirely on Amazon Web Services facilities, hosted in Ireland. Web servers and databases run on servers in secure data centers with high reliability. Physical access is restricted to authorized personnel. Premises are monitored and access is logged.
Stamplay servers may also allow SSH access (protected by TLS and private key authentication) for administration. Administrative access is granted only to a select group of Stamplay developers. The application's access to the database used in the Stamplay service is also over an encrypted link (TLS). All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules. Network access is logged and logs are retained for a minimum of 30 days.
Stamplay services encrypt data in transit using HTTPS and logically isolate customer data. Stamplay follows current best practices for security, including the use of strong encryption algorithms with a key length of at least 128
All data stored in Stamplay is encrypted at rest.
Clients can access their Stamplay account using a password which is known only to them, or by using secure third-party authentication with Google. Clients are required to have reasonably strong passwords. Passwords of users who log on to Stamplay without a third party are not stored. Only a secure hash (bcrypt) of the password is stored in our databases. Because the hash is relatively expensive to compute, and because a “salting” method is used, brute-force guessing attempts are relatively ineffective, and password reverse-engineering is difficult even if the hash value were to be obtained by a malicious party. When Stamplay flows connect to an external system using user-supplied credentials, this is done using OAuth where possible, and in those cases no credentials need to be stored on Stamplay servers. However, if a remote system requires credentials to be stored, they are encrypted using a 256-bit key.
Stamplay developers have been trained in secure coding practices. We have fully functional automation systems in place which enable us to deploy changes to any of our applications in minutes. We typically deploy dozens of times a week, so we are well placed to roll out a security fix quickly, should the need arise. The Stamplay platform architecture includes mitigation measures for common security flaws such as the OWASP Top 10. The Stamplay platform uses industry-standard, high-strength algorithms including AES and bcrypt.
Stamplay removes sensitive data such as API keys and access tokens from stored flow run log data. We only store the data we need: that which is required for accessing your account, connecting with your different third-party tools, and debugging workflows.
Stamplay does not store credit card information on its servers. All payments are processed through the leading online payments provider, Stripe. For more information about PCI compliance and Stripe’s other security features, see stripe.com/docs/security