Stairwell Security Statement

This Security Statement provides you with information about our security infrastructure and practices. Our privacy policy contains additional information about how we handle the data that we collect.


ISO/IEC 27001 and ISO/IEC 27701

Stairwell is ISO/IEC 27001:2013 and ISO/IEC 27701:2019 certified. Our certificate is available here and our certification report is available on request.


Stairwell has been audited against the AICPA’s 2017 Trust Services Criteria for Security. In all material respects:

  • The [System Description] presents Stairwell’s Cybersecurity Services System…in accordance with the description criteria.
  • The controls stated in the description were suitably designed.
  • The controls stated in the description operated effectively.

Please contact us to request access to our complete SOC 2, Type II, report.

Information Security Policy

Stairwell maintains a written Information Security Policy (“Policy”) that defines employees’ responsibilities and acceptable use of information system resources. We receive signed acknowledgment from employees indicating that they have read, understand, and agree to abide by the rules of behavior before we provide them authorized access to Stairwell information systems. This Policy is periodically reviewed and updated as necessary.

Personnel Security

Stairwell employees are required to conduct themselves in a manner consistent with the company’s guidelines, including those regarding confidentiality, business ethics, appropriate usage, and professional standards. All newly-hired employees are required to sign confidentiality agreements and to acknowledge the Stairwell code of conduct. The code outlines the company’s expectation that every employee will conduct business lawfully, ethically, with integrity, and with respect for each other and the users of the company’s products, as well as the company’s partners and competitors. Processes and procedures are in place to address employees who are on-boarded and off-boarded from the company.

Employees are provided with security training as part of new hire orientation and annually thereafter.

Physical & Environmental Security

Our information systems and infrastructure are hosted on the Google Cloud Platform (GCP). Please refer to Google’s Infrastructure Security Design Overview document for an overview of how security is designed into Google’s technical infrastructure.

Change Management

Stairwell maintains a change management process to ensure that all changes made to the production environment are applied in a deliberate manner. Changes are reviewed, approved, tested, and monitored post-implementation to ensure that the expected changes are operating as intended.

Supplier and Vendor Relationships

Stairwell likes to partner with suppliers and vendors who operate with the same or similar values around lawfulness, ethics, and integrity that we do. Suppliers and vendors are screened as part of our initial engagement process and then bound to appropriate confidentiality and security obligations.

Auditing and Logging

We maintain audit logs on our corporate, production, and software supply chain systems. These logs provide an account of which personnel have accessed which systems.

Data Protection

Stairwell continually works to develop products that support the latest recommended security best practices. We monitor the changing security landscape closely and work to upgrade our products to respond to new weaknesses as they are discovered and implement best practices as they evolve.

Vulnerability Management

We conduct security assessments to identify vulnerabilities and to determine the effectiveness of our patch management program. Each vulnerability is reviewed to determine if it is applicable, ranked based on risk, and assigned to the appropriate team for remediation.

Secure Network Connections

HTTPS encryption is configured for customer web application access. This helps to ensure that user data in transit is safe, secure, and available only to intended recipients.

Role-Based Access

Role-based access controls are implemented for access to information systems. Processes and procedures are in place to address employees who are voluntarily or involuntarily terminated. Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know/least privilege basis. Access control lists define the behavior of any user within our information systems, and security policies limit them to authorized behaviors.

Authentication and Authorization

We require that authorized users be provisioned with unique account IDs. Our password policy covers all applicable information systems, applications, and databases. Our password policies enforce the use of complex passwords, which are deployed to protect against unauthorized use of passwords.

Stairwell employees are granted a limited set of default permissions to access company resources, such as their email and the corporate intranet. Employees are granted access to certain additional resources based on their specific job function. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as defined by our security guidelines.

Software Development Lifecycle

We follow a defined methodology for developing secure software that is designed to increase the resiliency and trustworthiness of our products. Our products are deployed on an iterative, rapid-release development lifecycle. Stairwell maintains separate development and production environments. Security and security testing are implemented throughout the entire software development methodology. Quality assurance is involved at each phase of the lifecycle, and security best practices are a mandated aspect of all development activities.

Incident Management

Stairwell has a formalized incident response plan (“Incident Response Plan”) and associated procedures in case of an information security incident. The Incident Response Plan defines the responsibilities of key personnel and identifies processes and procedures for notification. Incident response personnel are trained, and execution of the incident response plan is tested periodically.

Business Continuity and Disaster Recovery

To minimize service interruption due to hardware failure, natural disaster, or other catastrophe, we implement a disaster recovery program that includes multiple components to minimize the risk of any single point of failure. For business-critical applications, application data is replicated to multiple systems and/or locations to provide adequate redundancy and high availability.

Data Privacy

We apply a common set of personal data management principles to customer data that we may process, handle, and store. We protect personal data using appropriate physical, technical, and organizational security measures. Any non-public information Stairwell may process, handle, or store is encrypted at rest.

We give additional attention and care to sensitive personal data and respect local laws and customs, where applicable.

Stairwell only processes personal information in a way that is compatible with and relevant for the purpose for which it was collected or authorized in accordance with our privacy policy. We take all reasonable steps to protect information we receive from our users from loss, misuse, or unauthorized access, disclosure, alteration, and/or destruction.

Responsible Disclosure

Stairwell acknowledges the valuable role that independent security researchers play in security and, as a result, we encourage responsible reporting of any vulnerabilities that may be found in our site or applications. Stairwell is committed to working with security researchers to verify and address any potential vulnerabilities that are reported to us.

If you believe you have identified a potential security vulnerability, please share it with us by following the submission guidelines contained in our Vulnerability Disclosure Policy.