Technical and Organizational Security Measures
Stakater Cloud meets the specific requirements of data protection, including, without limitation, Article 28 of the General Data Protection Regulation (GDPR), and the measures listed below are those covered by SOC 2 Type 2 (Security & Confidentiality).
At a minimum, Stakater has implemented the following technical and organizational measures for Stakater Cloud and maintains the following security practices within its production environments:
Confidentiality of processing systems
Identity and Access Management
- Role-based access controls are enforced using predefined security groups to segregate and manage data access to production systems.
- Administrative access to production systems is restricted to authorized personnel and granted solely based on their job roles and responsibilities.
Audit Assurance: Compliance, Governance and Risk Management
- Stakater conducts annual security operational risk assessments for production applications and services. The findings are documented in a risk register, with identified risks prioritized for treatment based on their severity.
- Stakater evaluates the security of third-party vendors through a vendor security review, specifically focusing on vendors that store, process, or transmit Stakater and/or customer data.
- Stakater implements risk-based continuous control monitoring by performing control testing throughout the year using a structured methodology. Testing results are documented, reviewed by management, and accompanied by remediation plans for any identified issues.
- Controlled documents undergo annual review and approval by management, with updates communicated to relevant employees to ensure alignment and compliance.
Human Resources
- Stakater team members complete security awareness training upon hire and annually thereafter. The training covers relevant Stakater security policies, instructions for reporting security incidents, and general industry security best practices.
- Stakater new hires are required to pass a background check as a condition of their employment.
Integrity of processing systems
Application & Infrastructure Security
- Infrastructure and configuration management tools are employed to implement security hardening and establish standardized baseline configurations for production servers.
- Network traffic originating from or directed to untrusted networks is routed through a policy enforcement point, with firewall rules configured to block unauthorized access.
- A centralized issue tracking system is utilized to manage, monitor, and document application and infrastructure changes throughout their lifecycle, from development to implementation.
Threat and Vulnerability Management
- Stakater conducts regular vulnerability scans on the production environment to identify threats, assess their impact, and remediate findings based on severity.
- Continuous monitoring tools track security events, system latency, network performance, and physical server health in real time.
- Incident response procedures define steps for managing security events, including recovery and post-incident analysis to improve effectiveness.
Availability of processing systems
Resilience
- A business continuity plan is established to provide clear procedures for protecting operations against disruptions caused by unexpected events, with annual tabletop exercises conducted to validate its effectiveness.
- Enterprise monitoring tools are configured to track system capacity levels and promptly alert operations personnel when predefined thresholds are reached, ensuring proactive management of resources.
Additional Considerations
- Stakater Cloud is designed to enable customers to delete their data when it is no longer needed.
- Digital Realty and OpenMetal are responsible for implementing controls to manage both physical access to servers and supporting infrastructure that host Stakater Cloud.
- Customers can choose to implement technical and organizational measures to safeguard their own (Red) data.