Security Architecture Document

Encryption

Stormly encrypts all data using TLS where possible, making sure encryption is applied to data:

  1. in use (frequently updated information, usually accessed by multiple users within a network).
  2. in flight (data being transferred outside the network).
  3. at rest (static data stored locally on hard drives that are not often accessed or modified and can be thought of as archived). Examples: Client database backups, Clients’ End-User Data backups stored in Client projects.

Data in use, in flight, and at rest are encrypted to the level deemed sufficient under the applicable data protection legislation.

Backup Retention

Backups (of Clients’ End-User Data) are kept for a retention period of a maximum of 6 months, after which they are permanently removed.

Code Quality

Any code changes to Stormly are tested with automatic processes, as well as manual peer reviews of code, to minimize the potential for security issues in the code.

Monitoring

Stormly infrastructure is continuously monitored for irregularities to detect any potential abuse.

Isolation

The Stormly infrastructure treats every user, and every action that user takes on the Service, as though it came from a privileged user with full access. Because of this, we built Stormly applications and services around the concept of logical separation, ensuring that all resources belonging to an organization (such as plugins, analyses or data being run, and also analytics data at rest) and/or to a project within that organization cannot be accessed by users who are not authorized to do so.
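The logical separation described above comes down to one rule: every lookup is scoped by the organization and project that own the resource, and anything not explicitly granted is denied. The following is an added illustration of that rule, not Stormly's own code; the names (`Resource`, `Principal`, `ResourceStore`, the `"*"` wildcard grant, and the sample organizations and projects) are assumptions made for the example. It also folds "no such resource" and "not authorized" into a single error so that a caller cannot use the difference to probe for resources in other organizations.

```python
"""Tenant-scoped authorization, deny by default (added example, not Stormly code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class AccessDenied(Exception):
    """Raised for both 'no such resource' and 'not authorized', so the caller
    learns nothing about resources that exist in other organizations."""


@dataclass(frozen=True)
class Resource:
    resource_id: str
    kind: str                         # e.g. "plugin", "analysis", "analytics-data"
    org_id: str                       # owning organization
    project_id: Optional[str] = None  # None: organization-wide resource


@dataclass
class Principal:
    user_id: str
    # org_id -> project ids this user may access in that org ("*" = all projects)
    grants: Dict[str, Set[str]] = field(default_factory=dict)


class ResourceStore:
    """In-memory store where every read is filtered by the caller's grants."""

    def __init__(self) -> None:
        self._by_id: Dict[str, Resource] = {}

    def add(self, resource: Resource) -> None:
        self._by_id[resource.resource_id] = resource

    def is_authorized(self, principal: Principal, resource: Resource) -> bool:
        projects = principal.grants.get(resource.org_id)
        if projects is None:
            return False                  # no relationship with the owning org at all
        if resource.project_id is None:
            return True                   # org-wide resource: org membership suffices
        return "*" in projects or resource.project_id in projects

    def get(self, principal: Principal, resource_id: str) -> Resource:
        resource = self._by_id.get(resource_id)
        if resource is None or not self.is_authorized(principal, resource):
            raise AccessDenied(resource_id)   # identical error for unknown and forbidden
        return resource

    def list_visible(self, principal: Principal) -> List[str]:
        return sorted(r.resource_id for r in self._by_id.values()
                      if self.is_authorized(principal, r))


def access_allowed(store: ResourceStore, principal: Principal, resource_id: str) -> bool:
    """Convenience wrapper: True if get() succeeds, False if it raises AccessDenied."""
    try:
        store.get(principal, resource_id)
        return True
    except AccessDenied:
        return False


def build_demo_store() -> ResourceStore:
    """Constructed sample data: two organizations, org-a with two projects."""
    store = ResourceStore()
    store.add(Resource("plugin-1", "plugin", "org-a"))                  # org-wide
    store.add(Resource("analysis-1", "analysis", "org-a", "proj-a1"))
    store.add(Resource("analysis-2", "analysis", "org-a", "proj-a2"))
    store.add(Resource("data-1", "analytics-data", "org-b", "proj-b1"))
    return store


# Constructed principals: one project in org-a, all of org-a, and org-b only.
ALICE = Principal("alice", {"org-a": {"proj-a1"}})
OWNER_A = Principal("owner-a", {"org-a": {"*"}})
BOB = Principal("bob", {"org-b": {"proj-b1"}})


if __name__ == "__main__":
    demo = build_demo_store()
    for who in (ALICE, OWNER_A, BOB):
        print(who.user_id, "sees", demo.list_visible(who))
```

The two design choices worth copying are that the check is made at the store boundary rather than in each caller, so forgetting it in one code path is not possible, and that a denied request and a nonexistent resource produce the same response.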

Subprocessors

Data of Stormly's Clients is processed and/or stored by third-party providers. See “Data Processing Agreement”, "Article 7. Subprocessing" for more details. The following lists all third-party providers that process and/or store Client data:

  1. Amazon AWS (US):
     1. GDPR: https://aws.amazon.com/compliance/gdpr-center
     2. Security Program: https://aws.amazon.com/compliance/programs
  2. Backblaze (US):
     1. GDPR: https://help.backblaze.com/hc/en-us/sections/360000902933-GDPR-General-Data-Protection-Regulation-
  3. Vultr (US):
     1. GDPR: https://www.vultr.com/legal/gdpr/
     2. DPA: https://www.vultr.com/legal/vultr_gdpr_dpa.pdf
  4. Hetzner (EU):
     1. DPA: Download DPA
     2. GDPR: https://wiki.hetzner.de/index.php/Datenschutz-FAQ

Disclosing Vulnerabilities

We’re happy to receive reports of any potential security issues from our users. Send an email to security@stormly.com detailing the steps to reproduce the security issue or a proof-of-concept. We handle all security disclosures as well as we can, working together with you where possible.