SECURITY
Making sure the code is delivered safely
At StackHawk, we know firsthand how important it is to ensure your data is safe. We continually invest in our internal security program and make our policies and practices transparent, so our customers can be confident in choosing StackHawk as an application security testing provider.
Audits and Certifications

StackHawk undergoes an annual ISAE3402 SOC2 Type II audit to independently verify the effectiveness of its information security practices.
StackHawk utilizes Amazon Web Services for its computing and storage needs. AWS continues to maintain appropriate Information Security certifications.
Submit Vulnerability
Together, our vigilant expertise promotes the continued security and privacy of StackHawk, Inc. customers, products, and services.
We are committed to protecting our clients
Governance
StackHawk is audited annually against the ISAE3402 SOC2 Type II standard and undergoes penetration tests once a year at a minimum. The CEO is the executive sponsor of the ISMS and receives monthly updates from the Information Security & Risk team. StackHawk is happy to provide a copy of our SOC2 report and external penetration report on request.
Employee Controls
StackHawk employees are subject to background checks, including the right to work, employment history, and criminal records check, as permitted by law.
Additionally, all employees are required to sign confidentiality clauses as part of their acceptance of employment and must read and agree to our security policies as part of the employee onboarding process.
Beyond onboarding, employees receive security awareness training upon hire and throughout the year as part of an ongoing structured program.
Access Control
We use GSuite as our central directory, which enforces multi-factor authentication logins for heightened security.
Within the application, all administrative activity from both customers and StackHawk is logged and retained for at least 90 days.
Access to tools is provisioned on a role basis according to the principle of least privilege, and access reviews are conducted yearly. Starter-mover-leaver changes follow a formal, ticket-based process, and access to core tools is removed within 24 hours.
Logging and Monitoring
Systems and network. StackHawk’s systems and network are monitored for security incidents, health abnormalities and availability.
Production cluster. Our production cluster is monitored by Amazon GuardDuty and AWS WAF.
User laptops. All user laptops are running a centralized JAMF EDR client. StackHawk’s Information Security team is alerted of any suspected or actual incidents or abnormalities.
Cryptography
- Sensitive customer data is encrypted at rest with AES-256
- Data is encrypted in transmission with at least TLS 1.2
Vulnerability Management
StackHawk maintains a formal vulnerability management program where internal scanning is carried out against our infrastructure on a regularly scheduled basis, and external penetration scanning is conducted by a third party at least annually.
Secure SDLC
- SCA
- DAST
- Independent validation of code changes
- Unit and Integration Testing
- Linting
Supply Chain Risk Management
All security-impacting suppliers of StackHawk must undergo a security audit and sign standardized contractual security terms that are reviewed at least annually, or sooner if significant changes occur to service offerings or access requirements.
Incident Response
StackHawk operates a formal incident management framework supported by senior engineering leadership and the Information Security team that is reviewed at least annually. Part of that framework includes informing customers of any security incident that impacts their data within 72 hours of discovery.
Disaster Recovery / Business Continuity
Redundancy & hot-standby. Each AWS SQL deployment includes a mirror replica set up as a hot standby, with data synchronized as fast as data increments can be shipped between AWS data centers. The AWS SQL service is configured for auto-failover, allowing a seamless takeover by the hot backup if the master instance fails.
Additionally, the mirrored replica resides in a separate AWS availability zone, and availability zones are physically separate within AWS's data centers, enabling the continuity of StackHawk services even in the unlikely event that one of AWS's data centers becomes unavailable.
Snapshots & point-in-time backups. Full database snapshots are taken daily and stored for a minimum of 90 days. Daily backups provide a last resort recovery in case of massive data corruption or loss.
Privacy
The StackHawk Operations and Legal team is responsible for managing privacy compliance and processes, along with support from the Information Security team.
Our Privacy Policy and Sub-Processor details are publicly available at all times via our privacy policy.
Cyber Liability Insurance
StackHawk maintains cyber liability insurance with a limit of $3,000,000 per event and $3,000,000 aggregate.