Security

Built for regulated workflows

Stellarbridge is designed to protect the confidentiality, integrity, and availability of customer data through layered technical, organizational, and operational safeguards.

SOC 2-aligned controlsHIPAA-minded operationsPen tests annuallyQuarterly access reviews

Last updated: January 15, 2026

Shared responsibility

Security works best as a partnership. Stellarbridge secures the platform and operational processes, while Customers are responsible for how they configure access, classify data, and manage users inside their own organization.

Security at a glance

Encryption & key management

Strong cryptography for data in transit and at rest.

  • TLS 1.2+ for data in transit
  • AES-256 (or equivalent) for data at rest
  • Key rotation based on cryptoperiod and risk

Identity & access

Least-privilege access with regular reviews.

  • MFA and SSO support
  • Role-based access control (RBAC)
  • Quarterly access reviews for internal systems

Network edge protection

Defense-in-depth networking controls.

  • Firewall/WAF controls for internet-facing traffic
  • Geo-blocking (US/CA allowlist) and Tor exit node blocking at the edge
  • Network segmentation and restricted ports (least functionality)

Secure development lifecycle

Security practices built into how we ship.

  • Dev and production environments are logically separated
  • Peer code reviews with OWASP Top 10 in mind
  • Change management includes testing and rollback planning

Vulnerability & patch management

Continuous identification and remediation of risk.

  • Periodic vulnerability scans
  • Annual third-party security assessments / penetration testing
  • Monitoring of CVEs and US-CERT alerts

Monitoring & incident response

Detect, respond, and continuously improve.

  • Centralized logging and alerting
  • Documented incident response plan and Security Response Team (SRT)
  • Annual incident response testing (walkthroughs / tabletop exercises)

Backups & disaster recovery

Resilience planning for outages and disruptions.

  • Backups retained for at least 30 days
  • Backups are periodically tested for restoration
  • Unplanned outages are treated as incidents

Vendor security

Third-party due diligence and ongoing reviews.

  • Vendor risk tiering (high/medium/low)
  • Annual review cadence for high-risk vendors
  • Security and confidentiality commitments in vendor agreements

Encryption & key management

Strong cryptography for data in transit and at rest.

  • TLS 1.2+ for data in transit
  • AES-256 (or equivalent) for data at rest
  • Key rotation based on cryptoperiod and risk

Identity & access

Least-privilege access with regular reviews.

  • MFA and SSO support
  • Role-based access control (RBAC)
  • Quarterly access reviews for internal systems

Network edge protection

Defense-in-depth networking controls.

  • Firewall/WAF controls for internet-facing traffic
  • Geo-blocking (US/CA allowlist) and Tor exit node blocking at the edge
  • Network segmentation and restricted ports (least functionality)

Secure development lifecycle

Security practices built into how we ship.

  • Dev and production environments are logically separated
  • Peer code reviews with OWASP Top 10 in mind
  • Change management includes testing and rollback planning

Vulnerability & patch management

Continuous identification and remediation of risk.

  • Periodic vulnerability scans
  • Annual third-party security assessments / penetration testing
  • Monitoring of CVEs and US-CERT alerts

Monitoring & incident response

Detect, respond, and continuously improve.

  • Centralized logging and alerting
  • Documented incident response plan and Security Response Team (SRT)
  • Annual incident response testing (walkthroughs / tabletop exercises)

Backups & disaster recovery

Resilience planning for outages and disruptions.

  • Backups retained for at least 30 days
  • Backups are periodically tested for restoration
  • Unplanned outages are treated as incidents

Vendor security

Third-party due diligence and ongoing reviews.

  • Vendor risk tiering (high/medium/low)
  • Annual review cadence for high-risk vendors
  • Security and confidentiality commitments in vendor agreements

Encryption & key management

Strong cryptography for data in transit and at rest.

  • TLS 1.2+ for data in transit
  • AES-256 (or equivalent) for data at rest
  • Key rotation based on cryptoperiod and risk

Identity & access

Least-privilege access with regular reviews.

  • MFA and SSO support
  • Role-based access control (RBAC)
  • Quarterly access reviews for internal systems

Network edge protection

Defense-in-depth networking controls.

  • Firewall/WAF controls for internet-facing traffic
  • Geo-blocking (US/CA allowlist) and Tor exit node blocking at the edge
  • Network segmentation and restricted ports (least functionality)

Secure development lifecycle

Security practices built into how we ship.

  • Dev and production environments are logically separated
  • Peer code reviews with OWASP Top 10 in mind
  • Change management includes testing and rollback planning

Vulnerability & patch management

Continuous identification and remediation of risk.

  • Periodic vulnerability scans
  • Annual third-party security assessments / penetration testing
  • Monitoring of CVEs and US-CERT alerts

Monitoring & incident response

Detect, respond, and continuously improve.

  • Centralized logging and alerting
  • Documented incident response plan and Security Response Team (SRT)
  • Annual incident response testing (walkthroughs / tabletop exercises)

Backups & disaster recovery

Resilience planning for outages and disruptions.

  • Backups retained for at least 30 days
  • Backups are periodically tested for restoration
  • Unplanned outages are treated as incidents

Vendor security

Third-party due diligence and ongoing reviews.

  • Vendor risk tiering (high/medium/low)
  • Annual review cadence for high-risk vendors
  • Security and confidentiality commitments in vendor agreements

Platform architecture highlights

Network edge “choke point”

Public traffic is routed through an edge proxy that applies security controls before requests reach application services.

  • Geo-blocking (US/CA allowlist) and Tor exit node blocking
  • Security headers applied to responses
  • Structured request logging to support investigations

Reduced runtime attack surface

The application stack is designed to reduce unnecessary runtime components.

  • Minimal container images where possible
  • No interactive shell in runtime containers
  • Read-only filesystem and non-root execution intended for production deployments

Compliance & documentation

We maintain security policies, procedures, and a control mapping aligned to common frameworks (including SOC 2 and HIPAA). Security documentation and supporting evidence are available to Enterprise customers under NDA through our trust portal.

Security contact

To report a vulnerability or ask a security question, contact security@stellarbridge.com.

Email Security Privacy Policy