Security Details
Introduction
As a collaborative application that can contain sensitive data, we recognize the importance of excellent security practices. We are a small team, however we work hard to ensure we meet the highest standards of security.
This document gives an overview of our security practices and internal policies. If you are interested in learning what data we collect and store, please visit our privacy page.
General practices
- Access to servers, source code, and third party tools are secured with two-factor authentication.
- We use strong, randomly generated passwords that are never re-used. They are stored in a password manager.
- Employees and contractors are provided the lowest level of access (a.k.a least privelege) that enables them to complete their work. Access to production systems and data is rare, and is limited to engineers on the founding team.
- As a policy, we do not access production data without explicit written consent from you. This access could be related to a bug you reported, for example.
- We never copy production data to external devices (like personal laptops).
- We use automatic security vulnerability detection tools to alert us when a dependency has a known security issue. We apply patches and deploy quickly when an issue is found.
Access control
Our employees sign a contract before gaining access to any sensitive information. Contractors never have access to any sensitive code or information.
Authentication
Our authentication provider is Stytch, a well known auth company that powers many popular websites. We use libraries provided by Stytch to interact with their servers. We update these libraries regularly to stay up-to-date with their latest security measures.
A user's session is valid for a two week rolling window from the last time that they have used the application.
Once a user has authenticated via Stytch, a token is provided in all requests to the API through an Authorization header.
Servers
Stashpad APIs are deployed as Cloudflare Workers. Workers are reachable on a global network provided by Cloudflare. These workers serve websocket connections for a document. Additionally, there is a worker that provides a REST API which is used by the app and integrations within other applications.
Data flows
While one or more users are in a document, a durable object holds a copy of the document and its history in memory. Periodically, and when all users have left the document, the document and its edit history is persisted to R2, Cloudflare's S3-compatible storage implementation. The current document text and metadata is also persisted to a Planetscale database. Metadata, like who owns the document and who can access it are also stored here. Access requests and changes to document permissions are made through the REST API and require a valid token.
Domains & hosting
The Stashpad API and associated infrastructure are hosted on subdomains of the stashpad.live domain. The application requires connection to all subdomains of stashpad.live, and will not work properly if a persistent websocket connection cannot be established.
It is common that a firewall or VPN blocks traffic to unknown domains. If possible, please whitelist *.stashpad.live and *.stashpad.com. If you cannot whitelist a pattern, at a minimum please whitelist:
- api.stashpad.live
- partykit.stashpad.live
- auth.stashpad.com
We would prefer that you whitelist all subdomains in your proxy as we may offer additional APIs necessary for the application to work in the future.
Software development practices
- Code written by any engineer is signed off by at least one other engineer before being committed to the main development branch.
- Code is tested in a staging environment against a QA checklist before releasing. We also have an ever-growing set of integration and unit tests to help catch and prevent bugs earlier in the development cycle.
Vulnerability detection
Both the client and server are scanned for dependencies with known vulnerabilities daily, and before deploying.
When a vulnerable dependency is detected, it is patched and deployed quickly.
Questions
Do you have a question that is not answered here? Please reach out to us at hello@stashpad.com and we'd be happy to answer it!