It's official: Announcing our SOC 2 Type II Report
Shortly after launching Sturdy, we started our SOC 2 certification process. A SOC 2 report is for services organizations that hold, store, or process the information of their users. You can read more about it here.
Late last year, we obtained our SOC 2 Type I report. This represents a "snapshot", indicating that we have robust controls in place to ensure the security and availability of our customers' data.
Today, we are announcing that Sturdy has obtained a SOC 2 Type II report. This is the most comprehensive SOC report: it attests not only to the suitability of our processes and systems, but also to our operational effectiveness in adhering to those controls over a period of time.
The full writeup describes our suite of controls for securing and handling customer data, including:
- System monitoring and ongoing risk assessments
- Internal access control to production environments
- Disaster recovery, data backup, and incident response processes
- Communication of changes to customers
- Employee on-boarding and termination processes
We're proud of this report. It is a reflection of our dedication to security and the product of many months of hard work from our team, particularly Eric Weidner. Our commitment to security is about more than checking a box: every day we make sure that our systems and processes are worthy of the important data our customers trust us with.
Sturdy is a data-centric system of intelligence for post-sales teams. Working with data, including some of our customers' most sensitive information, is what we do. We work to earn their trust by putting security and privacy front-and-center. This includes industry-leading controls, data minimization, and a secure-by-design architecture. Perhaps most importantly, we have built a security-conscious culture from Day 1: everyone at Sturdy knows that we solve for security first. You can read more about our processes and approach below.
Security Program
At SturdyAI, the security and integrity of our customers' information is of utmost importance. Therefore, Sturdy has developed and maintains a comprehensive Information Security Management program to manage risks to the security, availability, confidentiality, integrity, and privacy of Sturdy systems and products. Our program has been independently audited and certified to meet the requirements of the Trust Services Criteria for SOC 2 Type II.
Privacy
Sturdy products utilize customer communication data to detect important signals that may have private information included such as names and contact information. To protect the privacy of this information, we maintain policies and processes to comply with data privacy regulations such as CCPA and GDPR and to help our customers comply with their obligations as the controllers of this data. Please see the Sturdy privacy policy for more information on data privacy practices and controls.
Infrastructure
Sturdy utilizes Amazon Web Services (AWS) as its Infrastructure-as-a-Service hosting provider. All data is stored in AWS data centers located in the United States. Communications into our services are encrypted in transit, and data is stored encrypted at rest using industry-standard encryption mechanisms. Web application firewalls and network management tools such as VPCs, private subnets, and security groups are used to manage the flow of information and access between services. Infrastructure services are defined, managed, and deployed with Infrastructure-as-Code orchestration tools for consistent and repeatable systems. Tenant data is isolated in separate systems, and production systems are kept in restricted-access accounts separated from the development environments. Third-party penetration testing is conducted annually.
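The controls described above (security groups restricting traffic between services, encryption at rest) are the kind of baseline a team verifies continuously rather than only at audit time. The following is an added illustration, not Sturdy's code: a small policy-as-code check that flags security-group ingress rules open to the whole Internet or to sources outside an assumed private range, and storage volumes that are not encrypted. The input records are constructed samples shaped like the dictionaries returned by boto3's `ec2.describe_security_groups()` and `ec2.describe_volumes()`; the `10.0.0.0/8` allowed prefix is an assumption, and nothing here contacts AWS.

```python
"""
Added example (not Sturdy's code): a policy-as-code check over AWS-shaped
metadata to confirm that security groups and storage match a stated baseline
(restricted ingress, encryption at rest). All inputs are constructed samples.
"""
from ipaddress import ip_network

# Constructed sample shaped like ec2.describe_security_groups()["SecurityGroups"]
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-app",
        "GroupName": "app-private",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        ],
    },
    {
        "GroupId": "sg-db",
        "GroupName": "db-open",
        "IpPermissions": [
            # Database port reachable from any source: should be flagged.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            # "-1" means all protocols and ports, but only from a private subnet.
            {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
        ],
    },
]

# Constructed sample shaped like ec2.describe_volumes()["Volumes"]
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-a", "Encrypted": True},
    {"VolumeId": "vol-b", "Encrypted": False},
]


def is_world_open(cidr):
    """True if the CIDR admits any source address (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def open_ingress_findings(security_groups, allowed_prefix="10.0.0.0/8"):
    """
    Return one finding tuple (group id, proto/ports, cidr, reason) for every
    ingress rule that is reachable from the whole Internet or that admits
    sources outside allowed_prefix (assumed to be the private address range).
    """
    allowed = ip_network(allowed_prefix)
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            for rng in perm.get("IpRanges", []):
                cidr = rng["CidrIp"]
                if is_world_open(cidr):
                    findings.append((sg["GroupId"], f"{proto}/{ports}", cidr, "world-open ingress"))
                elif not ip_network(cidr, strict=False).subnet_of(allowed):
                    findings.append((sg["GroupId"], f"{proto}/{ports}", cidr, "source outside allowed prefix"))
    return findings


def unencrypted_volumes(volumes):
    """Return the ids of volumes whose Encrypted flag is missing or false."""
    return [v["VolumeId"] for v in volumes if not v.get("Encrypted", False)]


if __name__ == "__main__":
    for finding in open_ingress_findings(SAMPLE_SECURITY_GROUPS):
        print("INGRESS", *finding)
    for vid in unencrypted_volumes(SAMPLE_VOLUMES):
        print("UNENCRYPTED", vid)
```

Run against real metadata, the same two functions would take the lists returned by the boto3 calls named above; the point of keeping the logic separate from the data source is that the check can run in CI against Infrastructure-as-Code plan output as well as against a live account.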
Questions about Sturdy's security program? Contact us at security @ sturdy.ai.