Security at Stellate

Enterprises across the globe trust Stellate to deliver billions of GraphQL queries quickly and securely to their customers. This is a tremendous responsbility and we do our best to keep their traffic safe.

Reporting issues: If you have a security concern, or believe you've found a vulnerability in any part of our system, please contact us. You can reach us at, and we can provide you with a Signal number if needed to convey sensitive information.

Stellate follows industry best practices and have significantly reduced our attack surface by building using security focussed technology like WASM and Rust. As a result we have been able to obtain SOC 2 Type II compliance.

We are continuing to improve this security page. Feel free to contact us for more information in the meantime.

Frequently Asked Questions

Stellate provides cache and ratelimiting services on the edge using Serverless technology, taking advantage of sandboxing and isolation to ensure no two customers share the same virtual machine.

Is Stellate SOC2 compliant?

Stellate is SOC2 Type II certified as part of our dedication to maintaining the highest standards of data protection and operational excellence for our customers. Stellate has obtained accreditation of our compliance with independent auditors. For more info about our SOC2 report, prospects and customers can reach out to

Is Stellate GDPR compliant?

Yes. For more information, see our Privacy Policy. All cached data is ephemeral and stored in a region closest to the consumer. We store our metrics data inside EU regions and ephemerally. Computation happens in a region closest to the customer or inside EU.

Is Stellate HIPAA compliant?

Stellate is currently not certified as HIPAA compliant. Contact us if HIPAA is important for you and we can share more details.

Is Stellate PCI compliant?

Stellate does not store personal credit card information for any of our customers. We use Stripe to securely process transactions and trust their commitment to best-in-class security. Stripe is a certified PCI Service Provider Level 1, which is the highest level of certification in the payments industry.

Does Stellate encrypt data?

Yes. Data is encrypted at in transit (HTTPS / TLS). Where relevant we encrypt data at rest, but generally we opt for not to storing sensetive data.

Does Stellate backup the data on its platform?

Yes. Our current backup interval is every hour and each backup is persisted for 1 month. Automatic backups are taken without affecting the performance or availability of the database operations.

All the backups are stored separately in a storage service, and those backups are globally replicated for resiliency against regional disasters. If a database instance is deleted, all associated backups are also automatically deleted. Backups are periodically tested by the Stellate engineering team.

What infrastructure does Stellate use?

Stellate's platform primarily uses Fastly. Certain features also use CloudFlare and Amazon Web Services (AWS). In the case of an outage with any of the three providers, our network is resilient to regional downtime. Stellate will automatically route traffic to the nearest available edge or region.

Do you have a bug bounty program?

Yes. We are super thankful for the work security researches do and compensate anyone who discloses novel and important security issues to us.

At this time we do not have a pre-defined framework for bounty sizes. We seek to compensate researchers fairly relative to the severity of the issue disclosed. We use CVSS 3.0 and may adjust severity up or down based on business impact.

Historically our average bounty has been $250-$500.

Do you conduct regular penetration testing and vulnerability scans?

Yes. We conduct regular penetration testing through third-party pen testers. On top of that, we also have daily code reviews, static analysis checks, and dependency vulnerability scans through GitHub, AWS, and Vanta. Our Enterprise customers have access to our latest pen test reports.

Do you use any third-party subprocessors?