Security Policy
We care about data you entrust with us. We take security and privacy seriously, adhering to stringent enterprise-level security standards that keep all your customer data protected.
Compliance
PCI Level I
Payment Card Industry Data Security Standard
EU/US Privacy Shield
Swiss/US Privacy Shield
Data Privacy Practices
GDPR Compliant
General Data Protection Regulation
Definitions
For the purpose of this Policy, “Stuffix”, “we”, “us”, or “our” refers to Stuffix Inc., the provider of the Helprace website and services (collectively referred to as the “Helprace Service”).
Security Team
Stuffix has a globally distributed infrastructure and security team that monitors security notifications 24/7 from all 3rd party software libraries we use. Our engineers work together with the product teams to ensure that all of Stuffix’s code and infrastructure follows a secure development lifecycle process.
Infrastructure
Stuffix’s application and data infrastructure is hosted at Amazon Web Services (AWS) and Hivelocity, both highly scalable platforms with end-to-end security and extensive privacy features.
Designed with redundancy, fault tolerance and disaster recovery management, our services are distributed across three separate availability zones (data centers). All our infrastructure is within our virtual private cloud (VPC), with production access authorized only for operation-specific support staff. This allows us to offer complete firewall protection, private IP addresses and similar security features.
For more information about AWS security, please refer to https://aws.amazon.com/security/.
Uptime
We work to ensure, to the best of our ability, maximum uptime across all of our products. To accomplish that, we host our monitoring and logging systems outside of AWS and employ a number of tools to accurately monitor and report on any anomaly that could impact the delivery of our services.
Data Center
All data is stored in AWS and Hivelocity infrastructure, housed in Amazon-controlled data centers. Only those within Amazon and Hivelocity who have a legitimate business need for such information know the actual location of these data centers, and the data centers themselves are secured with a variety of physical controls that prevent unauthorized access.
Application
We enforce the same level of encryption used by banks and financial institutions. Through the use of both automated and manual analyses, as well as constant security review of 3rd party libraries, we ensure to the best of our abilities that we are delivering products that are free from security flaws. Additionally, we support a number of security-focused features to help keep your data safe.
All Stuffix web application communications are PCI compliant
Data encryption – All customer data is encrypted at rest, including user email addresses, user passwords and API keys, as well as 3rd party keys stored by Apps.
All Stuffix web application communications support TLS v1.2 and cannot be viewed by a third party.
Company-specific data is kept separate through logical separation at the data tier, based on application-level access permissions and roles.
IP Restrictions – This feature allows you to limit access to your Stuffix account to a predefined list of IP addresses.
Email Security
Stuffix supports TLS encryption on all inbound and outbound email. For an explanation of how email encryption works, we recommend this overview from Google.
Engineering and Operational Practices
We design all services with maximum availability in mind. In order to achieve this goal, we follow a number of engineering best practices:
Immutable infrastructure – We don’t make changes to live code or running servers in production. Where applicable, we treat both our software and our infrastructure as code. This means that all changes go through a formal code review, automated testing and automated deployment process.
Continuous integration and delivery – We are using continuous integration and deployment automation and configuration management tools to build, test and deploy code multiple times a day.
Incident response – Our infrastructure and security team is on a rotating on-call schedule to respond to any security or availability incidents immediately.
Security audits – Every year we have an independent security firm execute a white-box penetration test audit across our system and code base.
Monthly PCI scanning – We run a PCI scan every month to maintain ongoing Level 1 PCI compliance, adhering to stringent industry standards for storing, processing and transmitting credit card information online, in addition to encrypting customer payment information. Once discovered, any vulnerability is prioritized, and a fix is resolved and deployed as soon as possible.