At Stamplay we are focused on providing a secure and reliable platform service using proven, best-in-class technologies, practices and procedures.
Stamplay runs entirely on Amazon Web Services. Web servers and databases run on servers in secure data centers with high reliability. Physical access is restricted to authorized personnel. Premises are monitored and access is logged. More information about AWS certifications and security is available at aws.amazon.com/security.
Stamplay runs on a complex microservice-based architecture composed of Linux virtual machines. The machines are isolated from one another and from the underlying hardware layer. Server processes can't access the local filesystem and are restricted to a particular directory.
Stamplay is accessible only over HTTPS. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. Stamplay follows current best practices for security, including the use of strong encryption algorithms with a key length of at least 128 bits. Some servers allow SSH access (protected by TLS and private key authentication) for administration. Administrative access is granted only to a select group of Stamplay developers. The application's access to the database used in the Stamplay service is also over an encrypted link (TLS). All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules. Network access is logged and logs are retained for a minimum of 30 days.
Clients can access their Stamplay account using a password which is known only to them or by using secure third-party authentication with Google. Clients are required to have reasonably strong passwords. Passwords of users who log in to Stamplay without a third party are not stored; only a secure hash of the password is stored in our databases. Because the hash is relatively expensive to compute, and because a “salting” method is used, brute-force guessing attempts are relatively ineffective, and password reverse-engineering is difficult even if the hash value were to be obtained by a malicious party. When Stamplay flows connect to an external system using user-supplied credentials, this is done using OAuth where possible, and in those cases no credentials need to be stored on Stamplay servers. However, if a remote system requires credentials to be stored, they are encrypted using a 256-bit key.
Stamplay developers have been trained in secure coding practices. We have fully functional automation systems in place which enable us to deploy changes to any of our applications in minutes. We typically deploy dozens of times a week, so we are well placed to roll out a security fix quickly, should the need arise. Stamplay application architecture includes mitigation measures for common security flaws such as the OWASP Top 10. The Stamplay application uses industry-standard, high-strength algorithms including AES and bcrypt.
Stamplay removes sensitive data such as API keys and access tokens from stored workflow run log data. We store only the data we need: that which is required for accessing your account, connecting with your different third-party tools, and debugging workflows. All transaction data is always encrypted in transit and when stored on Stamplay's platform.
Stamplay does not store credit card information on its servers. All payments are processed through the leading online payments provider, Stripe. For more information about PCI compliance and Stripe’s other security features, see stripe.com/docs/security.