We take securing your data seriously. Here’s what we do to ensure that your private data stays private and our recommended best practices for protecting your data.

Compliance

Is Stitch SOC 2 compliant?

Stitch has been certified compliant with the SOC 2 security, availability, and confidentiality principles by an independent auditor. The audit report can be requested by contacting Stitch Sales.

Is Stitch PCI compliant?

All payment information submitted through Stitch’s billing interface to pay for your subscription is handled in a PCI-compliant manner.

To inquire about replicating data subject to PCI requirements, reach out to our support team.

Is Stitch HIPAA compliant?

Stitch can replicate data in a HIPAA-compliant manner as part of an Enterprise plan.

To learn more replicating data subject to HIPAA compliance with Stitch, refer to the Operating Stitch in Compliance with HIPAA doc or contact the Stitch Sales team by using the contact form on the Stitch website.

Note: There are requirements outside of Stitch configuration that must be completed to ensure compliance. Reach out to Stitch Sales before replicating any sensitive data.

Does Stitch comply with GDPR and EU privacy laws?

Stitch is in full compliance with the European Union’s Global Data Protection Regulation (GDPR).

The Stitch Terms of Use includes a Data Processing Addendum (DPA) that enacts standard contractual clauses set forth by the European Commission to establish a legal basis for cross-border data transfers from the EU. The Stitch Privacy Policy also includes specific GDPR requirements.

Stitch is certified under the US-EU and US-SWISS Privacy Shield Programs, meaning any EU or Swiss data transfer will be handled in accordance with the principles laid out in the Privacy Shield Framework.

For more information on Privacy Shield, check out the link above or this FAQ on the program.

Encryption

How are credentials handled after they're entered into Stitch?

All credentials used to access other systems (i.e., your database or a SaaS integration) are encrypted before we store them.

Is my data encrypted in transit? Is it encrypted at rest?

Your data is always encrypted in transit and at rest within the Stitch environment. We offer several ways to get data into Stitch using encryption:

  • For data pulled from an HTTP API or submitted directly to Stitch’s Import API, we’ll use SSL/TLS-based encryption.

  • For data replicated from a database, we can use the encryption functionality built into the database, or an SSH tunnel.

Are SSL connections supported?

Yes. SSL connections are currently supported for:

Any database connected to Stitch using SSL must have SSL support turned on. To use SSL, just click the Connect using SSL checkbox underneath the Encryption Type menu in any of the credential pages of the databases listed above.

For Heroku-specific instructions regarding SSL, we recommend checking out their documentation.

You can also dive into the PostgreSQL SSL docs to learn more.

Are VPN or reverse SSH tunnel connections supported?

Additional connection options such as VPNs or reverse SSH tunnels may be implemented as part of an Enterprise plan. Contact Stitch Sales for more info.

Data Access

What are Stitch's policies regarding access to my data?

Before your data is loaded into your data warehouse, it passes through Stitch’s secure infrastructure. This is a closed network protected by multi-factor authentication and accessible only to qualified members of our engineering team. On rare occasions, our engineers may need to read or move the data while it is in our infrastructure to debug or resolve an operational issue.

When this happens, your data will never leave our infrastructure. All members of our team - not just our engineers - have signed non-disclosure agreements. We’re committed to ensuring your data remains private.

As for your data warehouse, we will never access it without your explicit permission. We’ll ask every time it’s required to troubleshoot an issue and we’ll be sure to notify you when we’re doing it. No one likes surprises, least of all when it comes to their private data.

Why is full access required for some SaaS integrations?

The access we need to successfully pull your data from a SaaS integration depends entirely on the vendor’s API and permission structure. In some cases, we only need read-only access to pull all the data required - in others, we need what amounts to full access.

Regardless of the level of permissions we need for an integration, we will only ever read your data.

Protocols & Recommendations

What security protocols does Stitch have in place?

  • Our data centers are protected by electronic security, intrusion detection systems, and a 24/7/365 human staff.
  • Our operating systems and other software are kept up to date with the latest security patches.
  • Our network is protected by dedicated firewall services to prevent unauthorized access, and our systems regularly undergo automated vulnerability scans.

Those are just our internal measures. We also take great care to ensure your data is secure as it makes its way through Stitch and into your data warehouse.

Does Stitch undergo any security audits?

New features undergo a security review by our team before release. In addition, security professionals conduct regular audits and penetration tests on our existing systems.

What are Stitch's recommendations for keeping my data secure?

For your database data, we recommend using our SSH and SSL features to ensure your data stays secure and encrypted in transit. Additionally, we encourage you to require strong passwords for database users.

For your SaaS data, we recommend that you keep your API keys private and don’t share your login credentials - for Stitch or any other service - with anyone.

Security Issues

What's Stitch's policy on informing customers about security breaches?

If our team verifies a security vulnerability in our system, our first priority is to prevent its exploitation. After it’s contained, we do a thorough analysis to determine the scope of impact and notify affected users within 24 hours.

How do I report a security issue?

If you believe you’ve found a security vulnerability in Stitch, we encourage you to let us know right away by emailing security@stitchdata.com. We request that you do not publicly disclose the issue until we have a chance to address it. We won’t pursue legal action as long as you make a good-faith effort to avoid privacy violations and destructive exploitation of the vulnerability.

We will respond as quickly as we can and reward the confidential and non-destructive disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our users’ data (such as bypassing our login process, injecting code into another user’s session, or acting on another user’s behalf) with some swag. Other issues may be rewarded at our discretion.

What should I do if one of my data sources is hacked?

If your database(s) or SaaS account(s) have been hacked, we recommend that you:

  1. Immediately recycle any credentials used to access your system or service,
  2. Generate new credentials, and
  3. Update the credentials for the appropriate integration(s) in Stitch.

Our team can help you remediate any data issues that might have occurred as a result of the breach.

Related Troubleshooting
Questions? Feedback?

Did this article help? If you have questions or feedback, feel free to submit a pull request with your suggestions, open an issue on GitHub, or reach out to us.