
Compliance for customers and partners

Security and compliance is a shared responsibility between Stax, AWS and the customer. Stax takes compliance seriously and understands its significance to both our customers and partners. For this reason, Stax has obtained independent third-party auditor certification under the AICPA's SOC for Service Organizations, SOC 2 Type II. Further, Stax repeats its SOC 2 Type II audit each year so that a high level of security is maintained throughout our products, services and the internal operations of our company.

You can request our SOC 2 Type II report via your Customer Success Manager or raise a support case within Stax.


Security practice at Stax

The Stax information security program is based on a continual improvement lifecycle of measured Risk, Execution (Policies, Controls & Capabilities), Operation and Assurance Testing, with each cycle feeding back into the risk assessment to establish baseline coverage and the efficacy of controls and capabilities.


Identity and Access Management

Internally within Stax

The Stax Information Security Policy sets out functional security objectives for the control of identities, including privileged identities. This is a core pillar of Stax security; as such, centralized Identity and Access Management (IDAM) is integrated with all key applications and services and with the Zero Trust Network solution that protects the Stax Information Asset pool.

Identity and Access Management encompasses personnel screening and re-screening, identity account management, provisioning, multi-factor authentication, least privilege, frequent user access reviews, and account offboarding.

Note: Identity Management for Stax Customers is explained in the Identity and Access section of the documentation.

Zero Trust Network

Stax uses a Zero Trust Network solution with integrated Endpoint Threat Detection and Response and Multi-Factor Authentication. Users are required to authenticate their device onto the Zero Trust network using MFA. The user's identity and the device posture (via Zero Trust Assessment) together govern which key applications and systems a given device and user are authorized to access, based on the security posture of the device and the privileges of the identity.

Security Training and Developer Assessments

Security training is required for all Stax staff by policy; the standard security awareness training must be completed annually.

Technical teams are additionally required to undertake advanced security training with specific secure-coding content aligned to the OWASP Top 10. The advanced secure coding assessment must be completed each year in addition to the standard security awareness training.

Change Management

Stax adheres to an agile change management process that encompasses the entire development and release lifecycle. Every change is subject to quality assurance, peer review and approval before being released into production. All changes are documented and prioritized based on capacity, necessity, and strategic direction. Major changes are planned, penetration tested before release into production, and noted in the Stax changelog.

Code Protection

Multi-factor authentication is required to access the various Stax code repositories. Every pull request, whether a new feature or a bug fix, must be signed and goes through peer review; merging to master requires approval from designated code owners. Further, every merged PR is automatically subjected to a pipeline of rigorous tests and analysis appropriate to the code being merged.

Vulnerability Management

Stax has integrated vulnerability management controls whose purpose is to ensure that the systems serving Stax core infrastructure are designed and engineered securely.

Vulnerability Management spans the entire Stax Information Asset pool, including:

  • Endpoint devices for the fleet, integrated into the Zero Trust network
  • Scanning of Stax web consoles, APIs and containers
  • Compliance scans of Stax AWS accounts for secure configuration aligned to the CIS Benchmark
  • Code scanning and third-party libraries

Vulnerability management is also integrated into the CI/CD process, with scanning of containers, third-party libraries and the code of Stax' core components.

Logging, Monitoring and Security Incident Response

Stax uses a centralized logging and monitoring service to aggregate events and alerts (as per the Stax Responsibility matrix) from key applications and services, providing telemetry for anomaly detection based on common use cases, indicators of compromise, policy violations and other operational thresholds. Stax monitors systems with automated alarms based on threat risk, which are integrated with PagerDuty incidents.

Stax Security acknowledges bug bounty reports from independent security researchers; however, Stax does not offer financial rewards for reports.

Security Testing and 3rd Party Assurance

Security Testing

Stax uses external certified penetration testing services to perform penetration tests on the Stax platform, including internal, external, network segmentation and web application testing of all consoles and APIs. This is governed by the security team as part of mandatory compliance testing and is performed at least twice a year, as required by Stax' compliance objectives.

Third Party Assurance

As a cloud native subservice organization, Stax must ensure that the security of the Stax Information Assets encompasses third-party systems that either provide services to Stax as a business system or form part of the Stax product service offerings.

Stax policy requires third-party assurance before engaging a third-party service provider. Due diligence must be undertaken to ensure the service provider abides by adequate controls, and any threats must be identified through threat risk assessments, with mitigating controls commensurate with the highest level of data classification handled by the service. The Information Classification and Handling policy asserts the Key Services Classification and Controls Mapping to further align business criticality with controls.

Service            Security Information
AWS                https://aws.amazon.com/compliance/
Qualys             https://www.qualys.com/company/privacy/
Datadog            https://www.datadoghq.com/security
PagerDuty          https://www.pagerduty.com/security/
Zendesk            https://www.zendesk.com/au/trust-center/
Jira ServiceDesk   https://www.atlassian.com/trust/compliance
Salesforce         https://compliance.salesforce.com/en