Skip to main content
Stillway

Security at Stillway

Last updated: March 1, 2026

We take security seriously. This page describes how Stillway protects your data and our platform.

Infrastructure Security

Cloud Environment

Stillway runs on Amazon Web Services (AWS) in the US-East-1 region. Our infrastructure is deployed within a Virtual Private Cloud (VPC) with strict network access controls. Application servers are in private subnets and are not directly accessible from the internet.

Network Controls

  • Firewalls: All inbound traffic is filtered through AWS Security Groups and Network ACLs.
  • WAF: A Web Application Firewall (AWS WAF) protects our API from common web attacks (OWASP Top 10).
  • DDoS Protection: AWS Shield Standard provides protection against common DDoS attacks.

Data Security

Encryption

  • In transit: All data transmitted between your browser and our servers uses TLS 1.2 or higher. We enforce HTTPS across all endpoints.
  • At rest: Data stored in our database (PostgreSQL on Amazon RDS) is encrypted at rest using AES-256 encryption.
  • Backups: Database backups are encrypted and stored in a separate AWS region.

Access Controls

  • Employee access to production systems is restricted to personnel with a documented business need.
  • We use multi-factor authentication (MFA) for all production system access.
  • Access is reviewed quarterly and revoked promptly upon employee departure.

Secrets Management

Application secrets (API keys, credentials) are stored in AWS Secrets Manager, not in code or environment variables. Secrets are rotated on a defined schedule.

Application Security

Secure Development

  • Security requirements are incorporated into our development process.
  • Code changes are reviewed by at least one other engineer before deployment.
  • We follow OWASP secure coding guidelines.

Vulnerability Management

  • We conduct regular automated security scans of our codebase and dependencies.
  • Third-party penetration testing is conducted at least annually.
  • Identified vulnerabilities are triaged and remediated according to severity.

Dependency Management

  • We monitor third-party dependencies for known vulnerabilities using automated tooling.
  • Critical vulnerabilities in dependencies are patched within 48 hours.

Incident Response

Stillway maintains a formal incident response plan. In the event of a security incident:

  1. Detection: Anomalies are detected through automated monitoring and alerts.
  2. Containment: Affected systems are isolated to prevent spread.
  3. Investigation: Root cause analysis is performed.
  4. Notification: Affected parties are notified in accordance with applicable law and our Data Processing Agreement (within 72 hours for data breaches).
  5. Remediation: Vulnerabilities are addressed and systems restored.
  6. Post-incident review: Lessons learned are documented and applied.

Payment Security

Stillway does not store payment card numbers. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Stillway is PCI DSS SAQ-A compliant.

Responsible Disclosure

If you believe you have discovered a security vulnerability in Stillway, please report it to us at security@stillway.ai. We ask that you:

  • Provide sufficient detail to reproduce the issue.
  • Do not access, modify, or delete data that is not yours.
  • Do not disclose the vulnerability publicly until we have addressed it.

We will acknowledge receipt within 48 hours and work with you to address the issue promptly. We appreciate responsible disclosure and will credit researchers who report valid vulnerabilities.

Contact

Security team: security@stillway.ai

For urgent security matters, please include "URGENT" in the subject line.