Stellarbridge
Security
Built for regulated workflows
Stellarbridge is designed to protect the confidentiality, integrity, and availability of customer data through layered technical, organizational, and operational safeguards.
Last Updated: January 15, 2026
Shared responsibility
Security works best as a partnership. Stellarbridge secures the platform and operational processes, while Customers are responsible for how they configure access, classify data, and manage users inside their own organization.
Security at a glance
Strong cryptography for data in transit and at rest.
- TLS 1.2+ for data in transit
- AES-256 (or equivalent) for data at rest
- Key rotation based on cryptoperiod and risk
Least-privilege access with regular reviews.
- MFA and SSO support
- Role-based access control (RBAC)
- Quarterly access reviews for internal systems
Defense-in-depth networking controls.
- Firewall/WAF controls for internet-facing traffic
- Geo-blocking (US/CA allowlist) and Tor exit node blocking at the edge
- Network segmentation and restricted ports (least functionality)
Security practices built into how we ship.
- Dev and production environments are logically separated
- Peer code reviews with OWASP Top 10 in mind
- Change management includes testing and rollback planning
Continuous identification and remediation of risk.
- Periodic vulnerability scans
- Annual third-party security assessments / penetration testing
- Monitoring of CVEs and US-CERT alerts
Detect, respond, and continuously improve.
- Centralized logging and alerting
- Documented incident response plan and Security Response Team (SRT)
- Annual incident response testing (walkthroughs / tabletop exercises)
Resilience planning for outages and disruptions.
- Backups retained for at least 30 days
- Backups are periodically tested for restoration
- Unplanned outages are treated as incidents
Third-party due diligence and ongoing reviews.
- Vendor risk tiering (high/medium/low)
- Annual review cadence for high-risk vendors
- Security and confidentiality commitments in vendor agreements
Strong cryptography for data in transit and at rest.
- TLS 1.2+ for data in transit
- AES-256 (or equivalent) for data at rest
- Key rotation based on cryptoperiod and risk
Least-privilege access with regular reviews.
- MFA and SSO support
- Role-based access control (RBAC)
- Quarterly access reviews for internal systems
Defense-in-depth networking controls.
- Firewall/WAF controls for internet-facing traffic
- Geo-blocking (US/CA allowlist) and Tor exit node blocking at the edge
- Network segmentation and restricted ports (least functionality)
Security practices built into how we ship.
- Dev and production environments are logically separated
- Peer code reviews with OWASP Top 10 in mind
- Change management includes testing and rollback planning
Continuous identification and remediation of risk.
- Periodic vulnerability scans
- Annual third-party security assessments / penetration testing
- Monitoring of CVEs and US-CERT alerts
Detect, respond, and continuously improve.
- Centralized logging and alerting
- Documented incident response plan and Security Response Team (SRT)
- Annual incident response testing (walkthroughs / tabletop exercises)
Resilience planning for outages and disruptions.
- Backups retained for at least 30 days
- Backups are periodically tested for restoration
- Unplanned outages are treated as incidents
Third-party due diligence and ongoing reviews.
- Vendor risk tiering (high/medium/low)
- Annual review cadence for high-risk vendors
- Security and confidentiality commitments in vendor agreements
Strong cryptography for data in transit and at rest.
- TLS 1.2+ for data in transit
- AES-256 (or equivalent) for data at rest
- Key rotation based on cryptoperiod and risk
Least-privilege access with regular reviews.
- MFA and SSO support
- Role-based access control (RBAC)
- Quarterly access reviews for internal systems
Defense-in-depth networking controls.
- Firewall/WAF controls for internet-facing traffic
- Geo-blocking (US/CA allowlist) and Tor exit node blocking at the edge
- Network segmentation and restricted ports (least functionality)
Security practices built into how we ship.
- Dev and production environments are logically separated
- Peer code reviews with OWASP Top 10 in mind
- Change management includes testing and rollback planning
Continuous identification and remediation of risk.
- Periodic vulnerability scans
- Annual third-party security assessments / penetration testing
- Monitoring of CVEs and US-CERT alerts
Detect, respond, and continuously improve.
- Centralized logging and alerting
- Documented incident response plan and Security Response Team (SRT)
- Annual incident response testing (walkthroughs / tabletop exercises)
Resilience planning for outages and disruptions.
- Backups retained for at least 30 days
- Backups are periodically tested for restoration
- Unplanned outages are treated as incidents
Third-party due diligence and ongoing reviews.
- Vendor risk tiering (high/medium/low)
- Annual review cadence for high-risk vendors
- Security and confidentiality commitments in vendor agreements
Platform architecture highlights
Public traffic is routed through an edge proxy that applies security controls before requests reach application services.
- Geo-blocking (US/CA allowlist) and Tor exit node blocking
- Security headers applied to responses
- Structured request logging to support investigations
The application stack is designed to reduce unnecessary runtime components.
- Minimal container images where possible
- No interactive shell in runtime containers
- Read-only filesystem and non-root execution intended for production deployments
Compliance & documentation
We maintain security policies, procedures, and a control mapping aligned to common frameworks (including SOC 2 and HIPAA). Security documentation and supporting evidence available to Enterprise customers under NDA through our trust portal.
Security contact
To report a vulnerability or ask a security question, contact security@stellarbridge.com.