
SECURITY

Security & Trust.

Resources to make you feel confident in choosing us. As a data company, we understand the importance of keeping your data secure — Stacksync is built with security best practices to keep your data safe at every layer.


Security teams love Stacksync


SOC 2 Type II
ISO 27001
HIPAA BAA
GDPR
CCPA
DPF US, EU, UK, CH
CSA STAR
SECURITY WITH BENEFITS

SSO & SCIM

Let your users access Stacksync from your centralized user management systems. Works with Okta, Azure, Google SSO and more.

Alerts

Immediately get alerted about record syncing issues over email, Slack, PagerDuty and WhatsApp. Resolve issues from a centralized dashboard with retry and revert options.

Secure connection options

Securely connects to your systems with:

OAuth 2, SSH tunnelling, SSL certificates, IP whitelisting, VPN gateway, VPC peering and more

ENTERPRISE-GRADE PROTECTION

Stacksync security: enterprise-grade protection.

Three commitments that make Stacksync safe to put on the critical path of your CRM, ERP and warehouse.

  • 01

    Military-grade encryption

    All data is encrypted in transit with TLS 1.2+ and at rest with AES-256. Keys are rotated regularly and access is strictly audited.

  • 02

    Data never persists

    Stacksync processes records in-flight. We don't store your business data — sync payloads and workflow events are kept only as long as required to deliver them.

  • 03

    Advanced connection security

    OAuth 2, SSH tunnelling, SSL certificates, IP whitelisting, VPN gateway and VPC peering — pick the connection model your security team has already approved.

ENTERPRISE CAPABILITIES

Enhance your data security

Production-grade controls available on enterprise plans, designed for regulated industries and global teams.

  • Private networking

    VPC peering, AWS PrivateLink, and customer-managed VPN gateways. Keep traffic off the public internet.

  • Regional processing

    Choose where your data is processed — US, EU, or UK regions to meet residency requirements.

  • MFA & SSO enforcement

    Enforce multi-factor authentication and SSO across the workspace. SCIM provisioning keeps your directory in sync.

  • GovCloud-ready

    Deployments compatible with AWS GovCloud and other regulated environments. FedRAMP-aligned controls.

RECOMMENDED RESOURCES

Security at a glance

The documents your security review team will ask for, plus the live status of every control.

FAQ

Frequently asked questions

How is data encrypted at rest and in transit?

All data in transit uses TLS 1.2 or higher. Data at rest is encrypted with AES-256 using per-tenant keys managed in a hardware-backed key vault. Credentials and secrets are stored separately with rotation enforced every 90 days. Enterprise customers can supply customer-managed encryption keys (CMEK) via AWS KMS or GCP KMS so the underlying keys never leave the customer environment.

Does Stacksync support SSO and MFA?

Yes. SSO via SAML 2.0 (Okta, Azure AD, Google Workspace, OneLogin, Ping, Auth0) and OIDC. MFA is enforceable at the organization level — admins can require MFA on all logins, all admin actions, or both. SCIM 2.0 provisioning is supported for user lifecycle automation. Just-in-time provisioning maps SSO group claims to Stacksync roles automatically.

How are credentials and secrets stored?

Connection credentials (OAuth tokens, API keys, database passwords) are encrypted with per-tenant keys and stored in a hardware-backed key vault that is isolated from the application database. Decryption happens only at the moment a sync needs to authenticate — keys never sit in memory longer than the request. Audit logs capture every credential access. Customer-managed keys via AWS KMS or GCP KMS are available for enterprise plans.

What is your incident response process?

Stacksync runs a documented incident response process aligned to NIST SP 800-61. Severity 1 incidents (production data exposure or unavailability) trigger 24/7 on-call within 5 minutes; the customer-facing status page is updated within 30 minutes. Post-incident, every Sev-1 receives a public root-cause analysis. Customers can subscribe to status-page changes via email, RSS, or Slack webhook.

Do you support IP allowlisting and processing regions?

Yes. Enterprise customers can restrict Stacksync to a configurable IP allowlist (single CIDR or list). Data processing regions can be pinned to US, EU, or APAC for data-residency requirements; in pinned mode, no customer data leaves the chosen region for any reason. Per-connection region pinning is available for multi-region deployments where some flows must stay regional.

How do you handle vulnerability disclosure?

Stacksync runs a public vulnerability disclosure program. Report findings to security@stacksync.com. Reports are acknowledged within 24 hours; the security team triages within 72 hours and provides a remediation timeline. Critical findings ship same-day; high severity within 7 days. Responsible disclosure is acknowledged on the public security page (with reporter permission). A formal bug bounty program is in pilot.

Is there a public penetration test report?

Stacksync runs annual third-party penetration tests covering the application, infrastructure, and key integrations. The executive summary is published; the full report is available under NDA. The most recent test ran in Q1 2026 against the production environment with full source-code access — no critical or high findings. Quarterly internal penetration testing and continuous vulnerability scanning supplement the annual external test.