Stackify Security Information
At Stackify, we take seriously our role of safeguarding your company’s sensitive information and recognize the role we play in ensuring that we are a strong link in your data privacy and security ecosystem. This document is provided to share high-level information about the Stackify platform, its security-related features, and the security measures employed by the Stackify team.
Stackify is a cloud-based software platform that can monitor server and application health, error and log activity, and web application performance. The goal of the Stackify platform is to provide teams with unparalleled visibility and insight into application health and behavior, both proactively in a monitoring role and reactively in a troubleshooting role, while eliminating the need to log in to servers and other resources in order to investigate application problems.
Stackify utilizes a monitoring agent to monitor applications and resources from each server where the agent resides. The agent communicates outbound over port 443 via SSL and encrypts all data in transit, with no inbound ports required to be open and no option for unencrypted transmission of data. In cases where APM+ is enabled, Stackify monitors performance information about queries and web service calls, and a signature for the query and web service is available in APM+ reporting. Stackify does not capture any sensitive information from these requests, and stores only anonymized data about said queries and web service calls.
No extra steps are required to mask sensitive data. By default, the agent collects no sensitive data from your servers, and can be installed safely in many regulated environments as a result.
With Stackify, you can aggregate logging data and errors from within applications via API, and from system resources via the agent if enabled for a given server. All error and log data is encrypted in transit, sent via SSL over port 443. Stackify permanently purges the data from short-term and long-term storage once the data retention length specified by your subscription level is reached for a given set of errors and logs.
Error and log information sent to Stackify should be handled under the same best-practice rules that apply to logging to a log file or any other plain-text destination: mask or omit any sensitive fields that could have compliance implications, and disable log shipping from any sources that you do not have confidence in and control over.
Stackify is hosted in data centers located in the United States that comply with key industry standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards like Australia IRAP, UK G-Cloud, Singapore MTCS, and more. Stackify’s data centers undergo regular audits to ensure all appropriate safeguards are in place at all times.
All data transmitted to Stackify from your environment is sent over an encrypted SSL channel. Each client receives its own database within our system for added security, performance and scalability. Each client is also issued a unique encryption key that is used throughout the system to encrypt data in transit and at rest. Throughout our user interface and back-end systems, multiple checks are performed to ensure that users cannot access data belonging to other clients, whether by accident, via SQL injection, or via query-string manipulation.
Stackify’s database servers contain information about the client’s servers and applications. Data stored includes the IP address, server name, basic hardware specs and a list of applications installed on the servers. As part of server monitoring, Stackify stores performance metric data. Basic server info and metric data are not encrypted in storage, as they are not considered sensitive and encrypting this volume of data would introduce unnecessary performance challenges.
The one area where Stackify cannot encrypt potentially sensitive data at rest is error and log information. As noted above, please mask or omit any kind of PII or compliance-oriented data that you would not want stored as plain text; if you are already following best-practice logging guidance, this will already be addressed.
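This paragraph and the earlier logging guidance both ask you to mask or omit sensitive fields before log and error data leaves your environment. The following Python example is added here for illustration; it is not part of Stackify's documentation or agent. It shows one way to apply that guidance in application code before records reach whatever handler ships them: a sanitizer for structured events (omitting secrets, masking identifiers, scrubbing free text) and a logging filter that does the same for message strings. The field names, regexes and sample event are constructed assumptions to be tuned for your own data.

```python
import logging
import re

# Keys whose values are dropped outright: they are never useful in a log line.
# (Constructed list for this example; extend it to match your own data.)
OMIT_KEYS = {"password", "authorization", "cookie", "set-cookie"}

# Keys whose values are masked so the field stays visible for troubleshooting.
MASK_KEYS = {"ssn", "card_number", "patient_name", "dob", "email"}

# Patterns scrubbed from free text regardless of the field name.
# Applied in order: SSN first so its digits are not re-matched later.
PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "***-**-****"),        # US SSN
    (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), "[CARD]"),           # 13-16 digit PAN
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),  # e-mail address
]


def mask_value(value):
    """Keep only the last four characters of a sensitive value."""
    s = str(value)
    if len(s) <= 4:
        return "****"
    return "*" * (len(s) - 4) + s[-4:]


def scrub_text(text):
    """Replace any value that matches a sensitive pattern inside free text."""
    for pattern, replacement in PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def sanitize(event):
    """Return a copy of a structured log event with sensitive data removed or masked.

    Nested dictionaries are handled recursively; non-string values are kept as-is.
    """
    clean = {}
    for key, value in event.items():
        k = str(key).lower()
        if k in OMIT_KEYS:
            continue                      # omit: the field does not leave the host
        if isinstance(value, dict):
            clean[key] = sanitize(value)
        elif k in MASK_KEYS:
            clean[key] = mask_value(value)
        elif isinstance(value, str):
            clean[key] = scrub_text(value)
        else:
            clean[key] = value
    return clean


class RedactingFilter(logging.Filter):
    """Logging filter that scrubs the message and its arguments before any handler sees them."""

    def filter(self, record):
        record.msg = scrub_text(str(record.msg))
        if isinstance(record.args, dict):
            record.args = sanitize(record.args)
        elif record.args:
            record.args = tuple(scrub_text(a) if isinstance(a, str) else a for a in record.args)
        return True


def format_redacted(msg, *args):
    """Build a log record, run it through the filter and return the final message text."""
    record = logging.LogRecord("demo", logging.INFO, __file__, 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


# Constructed sample event, not real data.
SAMPLE_EVENT = {
    "msg": "checkout failed",
    "user": {"email": "jane@example.com", "ssn": "123-45-6789"},
    "card_number": "4111 1111 1111 1111",
    "authorization": "Bearer constructed-token",
    "note": "call back at jane@example.com",
}

if __name__ == "__main__":
    # Attach the filter to the logger so every record emitted through it is scrubbed
    # before reaching the handler that forwards logs off the host.
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    logger = logging.getLogger("demo")
    logger.addFilter(RedactingFilter())
    logger.info("user %s could not pay with card %s", "jane@example.com", "4111111111111111")
    print(sanitize(SAMPLE_EVENT))
```

The filter sits on the logger rather than on a handler so the scrubbing happens once, before any handler, file, console or remote shipper, sees the record; the structured `sanitize` path covers the API case where events are built as dictionaries rather than format strings.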
Users in Stackify are stored using email addresses as usernames, and a single email address may be associated with only one user within a given customer account. Each customer account may have unlimited users. Stackify provides a robust set of user- and role-based access controls to enable account administrators to control which resources, data, and permissions are available to each user of the account. Customers are responsible for managing users and permissions for their account.
In addition, Stackify also offers 2-Factor Authentication and Single Sign-On for enhanced security for your account.
By following Stackify’s installation best practice recommendations, it is possible to implement Stackify in a manner that does not interfere with compliance obligations.
When implementing in a healthcare environment, it is possible to implement Stackify without impacting HIPAA compliance obligations. By following the guidance in this document, Stackify will not receive any protected health information.
In a PCI compliant environment, it is possible to install Stackify behind a proxy server to satisfy the requirement to not allow any direct connections between the internet and the cardholder data environment.
For a more in-depth discussion about how Stackify fits into a regulated environment, or to discuss regulatory environments other than those listed above, please contact Stackify Support ( [email protected] ).
If at any time you are concerned that a security incident may have occurred, or you have a security-related question, please contact support immediately at [email protected] or visit our support site at https://support.stackify.com. In the event that Stackify detects a security incident, we will proactively communicate, as appropriate, through email and/or our support site.