At Sturdy, the security and integrity of our customers' information is of utmost importance. Therefore, Sturdy has developed and maintains a comprehensive Information Security Management program to manage risks to the security, availability, confidentiality, integrity, and privacy of Sturdy systems and products. Our program has been independently audited and certified to meet the requirements of the SOC 2 Type II Trust Services Criteria.
Questions and concerns about Sturdy Security can be submitted to security @ sturdy.ai.
Sturdy products use customer communication data to detect important signals, and that data may include private information such as names and contact information. To protect the privacy of this information, we maintain policies and processes to comply with data privacy regulations such as CCPA and GDPR and to help our customers comply with their obligations as the controllers of this data. Please see the Sturdy privacy policy for more information on data privacy practices and controls.
Sturdy uses Amazon Web Services (AWS) as its Infrastructure-as-a-Service hosting provider. All data is stored in AWS data centers located in the United States. Communications into our services are encrypted in transit, and data is stored encrypted at rest using industry-standard encryption mechanisms. Web application firewalls and network controls such as VPCs, private subnets, and security groups are used to manage the flow of information and access between services. Infrastructure services are defined, managed, and deployed with Infrastructure-as-Code orchestration tools for consistent and repeatable systems.
Tenant data is isolated in separate systems, and production systems are kept in restricted-access accounts separated from the development environments. Third-party penetration testing is conducted annually.
Sturdy products are designed with security in mind from the architecture phase. Development teams follow an agile Software Development Life Cycle comprising source code configuration management, integrated peer review processes, and multi-stage, multi-environment continuous integration that includes automated unit, functional, and integration testing as well as security scanning.