Protecting the confidentiality and integrity of our customers’ data is of the utmost importance to Steerlab.
Our infrastructure is built following a multi-tier and microservices architecture. This allows us to provide a resilient and scalable platform that meets growing customer demands. We use Amazon Web Services (AWS) as our cloud provider and implement modern approaches such as multi-stage deployments, auto-scaling, Application Load Balancers, etc.
Our platform is designed with built-in redundancy and is deployed across multiple cloud availability zones to guarantee consistent uptime and high availability. We also ensure rapid recovery in the event of disaster following a specific Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
We automate our deployments through Continuous Integration and Continuous Deployment (CI/CD), and we use Infrastructure as Code (IaC) and observability tooling.
We utilize firewalls to protect our services and servers. We use automated scanners to detect and address potential vulnerabilities.
Each service is granted only the minimal level of access required to perform its function. Permissions are reviewed regularly and revoked when no longer needed.
Cloud resources follow strict segregation between development, staging/QA and production environments. The same applies to data (see below).
We enforce the use of Multi-Factor Authentication (MFA) internally for our employees. When using Steerlab, an administrator on your side can also enforce MFA for users and/or integrate through SSO.
For users within Steerlab we also offer fine-grained access control through roles: Admin, Contributor, Proposal Manager, etc.
Our network communication goes over HTTPS and is encrypted using industry-standard SSL/TLS v1.2 to ensure secure communications.
We encrypt data at rest using industry-standard AES-256 encryption.
When data is in transit between our internal services or with approved vendors, it is encrypted using industry-standard SSL/TLS v1.2.
Our data is securely stored in AWS regions in Europe and replicated across multiple regions within Europe for high availability.
We apply strict isolation of customer environments and their data. Our architecture implements explicit tenant isolation and ensures that each customer’s data is logically separated from that of other customers in our databases.
We have clearly defined internal policies regarding data classification and data handling.
We are SOC 2 compliant and have been assessed against the five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy.
We have detailed internal policies and documents that cover a wide range of topics: Data Classification, Network Security, Incident Management, etc.