Stellate Security Policies
As a leading innovator in GraphQL edge caching, Stellate recognizes that ensuring security within the caching infrastructure is vital. Security is not only a consideration but a fundamental necessity, given the potential vulnerabilities in GraphQL caching.
Enterprises across the globe trust Stellate to deliver billions of GraphQL queries quickly and securely to their customers. This is a tremendous responsibility, and we do our best to keep their traffic safe.
Reporting Security Issues
If you have a security concern, or believe you've found a vulnerability in any part of our system, please contact us. You can reach us at email@example.com, and we can provide you with a Signal number if needed to convey sensitive information.
Stellate follows industry best practices and has significantly reduced its attack surface by building with security-focused technology such as WASM and Rust.
Review our security compliance and features in the following sections.
Feel free to contact us for more information in the meantime.
Stellate adheres to a number of industry-standard compliance requirements.
Contact us for more details.
Stellate GDPR compliance
All cached data is ephemeral and stored in the region closest to the consumer. We store our metrics data ephemerally and inside EU regions. Computation happens in the region closest to the customer or inside the EU.
Stellate PCI compliance
Stellate does not store personal credit card information for any of our customers. We use Stripe to securely process transactions and trust their commitment to best-in-class security. Stripe is a certified PCI Service Provider Level 1, which is the highest level of certification in the payments industry.
Stellate HIPAA compliance
Stellate is currently not HIPAA compliant. Contact us if HIPAA is important for you and we can share more details.
Stellate provides cache and rate limiting services on the edge using Serverless technology, taking advantage of sandboxing and isolation to ensure no two customers share the same virtual machine.
Stellate Encrypts Data
Data is encrypted in transit (HTTPS / TLS). Where relevant we encrypt data at rest, but generally we opt not to store sensitive data at all.
Stellate Does Backup the Data on its Platform
Our current backup interval is every hour and each backup is persisted for one month. Automatic backups are taken without affecting the performance or availability of the database operations. All the backups are stored separately in a storage service, and those backups are globally replicated for resiliency against regional disasters. If a database instance is deleted, all associated backups are also automatically deleted. Backups are periodically tested by the Stellate engineering team.
Stellate Uses Multiple Types of Infrastructure
Stellate's platform primarily uses Fastly. Certain features also use Cloudflare and Amazon Web Services (AWS). In the case of an outage at any of the three providers, our network is resilient to regional downtime: Stellate will automatically route traffic to the nearest available edge or region.
Stellate Conducts Regular Penetration Testing and Vulnerability Scans
We conduct regular penetration testing through third-party pen testers. On top of that, we also have daily code reviews, static analysis checks, and dependency vulnerability scans through GitHub, AWS, and Vanta. Our Enterprise customers have access to our latest pen test reports.
Stellate Offers a Bug Bounty Program
We are super thankful for the work security researchers do and compensate anyone who discloses novel and important security issues to us. At this time we do not have a pre-defined framework for bounty sizes. We seek to compensate researchers fairly relative to the severity of the issue disclosed. We use CVSS 3.0 and may adjust severity up or down based on business impact. Historically our average bounty has been $250-$500.
List of Stellate Third-party Subprocessors
Stellate uses the following third-party subprocessors:
What types of personal data might be sent using Stellate?
Stellate may receive the following kinds of standard personal data and special category data. Keep in mind, however, that sending some of this information is optional.
- GraphQL variables. These variables could theoretically contain Personally Identifiable Information (PII).
- IP address of the user making a request.
- User-Agent of the user making a request.
The four data points listed above are optional potential PII. PII is stored for direct users of Stellate (such as a company employee) in the form of their email address and optionally their name when they sign up for an account.
What are the security considerations for the Metrics Logging plugin?
The user or developer setting up the Stellate Metrics Logging Plugin is in full control of what personal data, if any, gets sent. The plugin does not require any personal data to be sent in order to provide metrics information.
Does Stellate have access to customer information, or is it just the company staff information?
Stellate has access to the following categories of data subjects:
- Name (optional)
- End user / Company Customer
As noted in the first item above, none of the four data points described are required. All are optional, and are sent only if the company chooses to configure them for the Metrics Logging Plugin.
If there is any personal data being sent to Stellate, where is this data processed?
Please see the Fastly network map for information about where Stellate data is processed (https://www.fastly.com/network-map/).
Is Stellate a participant in the Data Privacy Framework program (DPF)?
Stellate is not currently a direct participant in DPF. Companies that allow Stellate access to any identifiable information on staff or customers may need to put additional safeguards in place for data transfers under both the UK and EU GDPR.