Security
Security Program and Risk Management
PartnerStack has established a comprehensive security program based on AICPA Trust Services Criteria (TSC) 2017 for security, confidentiality, availability, processing integrity, and privacy.
PartnerStack performs an annual risk assessment to gain an accurate and comprehensive identification, review, and remediation of risks and vulnerabilities that may impact the platform's commitment to security, confidentiality, availability, processing integrity, and privacy.
Compliance
The PartnerStack platform is SOC 2 Type 2 compliant for the security, confidentiality, availability, processing integrity, and privacy criteria.
For a copy of the SOC 2 Type 2 report, please submit a request to Our Data Room and inform your account manager.
Data encryption in-transit and at-rest
PartnerStack enforces TLS 1.2 and above for data in transit between its users and the platform.
PartnerStack production data is encrypted at rest using AES-256 encryption.
SAML 2.0 SSO
PartnerStack supports the industry standard SAML 2.0 protocol for authentication using an external identity provider.
Confidentiality and Monitoring
PartnerStack enforces the principle of least privilege and restricts access to data on a need-to-know and need-to-operate basis.
PartnerStack has established extensive audit and monitoring controls to help ensure auditability of access functions performed internally and externally.
The PartnerStack platform enforces granular role-based access control for its users.
Network Protections
PartnerStack has implemented private networking, firewalls, and segmentation controls through its suppliers to ensure alignment with best practices on its network infrastructure.
Penetration Testing
PartnerStack performs targeted and general penetration testing on its platform on at least an annual basis.
Vulnerability Management
PartnerStack performs real-time static code analysis for core application code as part of the deployment process.
PartnerStack performs container vulnerability scanning as part of its deployment process.
PartnerStack has established a vulnerability management process that addresses risks within the following target SLAs, by severity:
Zero Day / Critical: 7 days
High: 30 days
Medium: 90 days
Low/Info: 180 days+ (dependent on overall risk assessment)
Supplier Risk Management
PartnerStack has implemented comprehensive supplier risk management policies and procedures to protect assets and data that are accessible to its suppliers and to establish standards for information security, privacy, and service delivery from its suppliers.
Human Resources Security
PartnerStack conducts background checks for all applicants selected for full-time employment.
PartnerStack employees and related entities are subject to continuous security awareness training with a minimum annual cadence.
Business Continuity and Availability
PartnerStack has documented and implemented a business continuity and disaster recovery plan that may be activated in case of defined disruptions.
PartnerStack enforces automated daily backups of its databases across multiple zones.
PartnerStack tests its business continuity and disaster recovery scenarios at least annually.
Reliability and Capacity Monitoring
PartnerStack has a comprehensive monitoring system that helps to ensure the reliability of the platform and its related components.
Bug Bounty and Vulnerability Reports
PartnerStack does not currently have a formal bug bounty program, but we encourage all researchers to submit identified vulnerabilities, with a summary and a proof of concept (POC), to security@partnerstack.com; our team will respond as soon as possible.