
Styku Data Processing Agreement — Annex 2 Security Measures: Access Control

Summary

Styku employs layered access controls to protect Customer Personal Data, including password policies, multi-tenant authorization models, API access controls, and just-in-time (JITA) privileged access management. Product infrastructure is hosted with SOC 2 Type II and ISO 27001 audited cloud providers. Only a limited subset of Styku employees can access customer data, and all such access is logged and reviewed regularly.

Full Policy Text

Annex 2 - Security Measures

We currently observe the Security Measures described in this Annex 2. We maintain and adhere to an internal, written Information Security Policy.

i) Preventing Unauthorized Product Access

Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.

Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. We do not own or maintain hardware located at the outsourced infrastructure providers' data centers. Production servers and client-facing applications are logically and physically secured from our internal corporate information systems. The infrastructure providers' physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.

Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing Customer Personal Data in their Styku account.

Authorization: Customer Data is stored in multi-tenant storage systems that Customers can reach only through application user interfaces and application programming interfaces (APIs). Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only appropriately assigned individuals can access the relevant features, views, and customization options. Authorization to a data set is performed by validating the user's permissions against the attributes associated with that data set.

Application Programming Interface (API) access: Public product APIs may be accessed using OAuth authorization or private app tokens.

ii) Preventing Unauthorized Product Use

We implement industry standard access controls and detection capabilities for the internal networks that support our products.

Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.

Static code analysis: Code stored in our source code repositories is checked for best practices and identifiable software flaws using automated tooling.

Endpoint Hardening: Endpoints are hardened in accordance with industry standard practice. Workstations are protected using anti-malware and endpoint detection & response tools, receiving regular definition and signature updates.

iii) Limitations of Privilege & Authorization Requirements

Privileged Access Management: Privileged access in our product environment is controlled, monitored, and removed in a timely fashion through "just in time access" (or "JITA") controls. Non-personal accounts used for system access are stored in a secure vault with additional controls governing privilege elevation and account check out processes.

Product access: A subset of our employees has access to the products and to customer data via controlled interfaces. Access is granted to this subset of employees in order to provide effective customer support, to carry out product development and research, to troubleshoot potential problems, to detect and respond to security incidents, and to implement data security. Access is enabled through JITA requests, all of which are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Administrative or high risk access permissions are reviewed at least once every six months.

Applies to: All Styku customers