Security and Compliance is a shared responsibility between Stax, AWS and the customer. Stax take compliance seriously and understand its significance to both our customers and partners. For this reason, Stax has obtained independent third-party auditor certifications with Payment Card Industry Data Security Standard as a PCI-DSS Service Provider, and the AICPA's SOC for Service Organizations, SOC 2 Type II. Further, Stax is continually rolling our SOC2 Type II audits each year so that we maintain a high-level of security throughout our product, services and internal operations of our company.
You can request our PCI-DSS AoC, SAQ-D and Responsibility Matrix or SOC 2 Type II report via your Customer Success Manager.
Acknowledgement of PCI Service Provider Responsibilities
As a PCI-DSS service provider, the Stax team acknowledges our shared responsibility to the extent that it could impact the security of the customer’s cardholder data environment. For further information please consult the Stax PCI Responsibility Matrix.
Security Practice at Stax
Stax information security program is based on a continual lifecycle of improvement through measured Risk, Execution (Policies, Controls & Capabilities), Operation and Assurance Testing cycles to inform risk with baseline coverage and efficacy of controls and capabilities.
Identity and Access Management
Internally within Stax
The Stax Information Security Policy sets out functional security objectives for the control of identities, including privileged identities. This is a core pillar of Stax Security, as such centralized Identity and Access Management (IDAM) is functionally integrated with all the key applications and services and the Zero Trust Network solution that protects the Stax Information Asset pool.
Identity and Access Management encompasses, personnel screening, re-screening, Identity Account management, provisioning, multi-factor authentication, least privilege, frequent user access reviews, and account off boarding.
Note: Identity Management for Stax Customers is explained in the Identity and Access section of the documentation
Zero Trust Network
Stax uses its Zero Trust Network solution that has integrated Endpoint Threat Detection and Response as well as Multi-Factor Authentication. Users are required to authenticate the device onto the Zero Trust network using MFA. User and the device posture (via Zero Trust Assessment) governs what Key applications and systems a given device (and user) is authorised to access based on the security posture of the device and privileges of the identity.
Security Training and Developer Assessments
Security Training is required for all Stax staff by policy, the standard security awareness training is required to be completed annually.
Technical Teams are required to additionally undertake advanced security training that contains specific content for secure coding that follows the OWASP top 10. Advanced Secure Coding assessment must be completed each year in addition to the standard security awareness training.
Change Management
Stax adheres to an agile change management process that encompasses the entire development and release lifecycle. Change is subject to quality assurance, peer review and approval before being released into production. All change is documented and prioritized based on capacity, necessity, and strategic direction. Major changes are planned, penetration tested before release into production and noted in the Stax changelog.
Code Protection
Multi-factor authentication is used to access the various Stax code repositories. Every pull request must be signed and goes through a peer review that is required to be approved for merge to master by designated code-owners, whether it's a new feature or bug fix. Further, every merged PR is automatically subjected to a pipeline of rigorous tests and analysis as appropriate for the code being merged.
Vulnerability Management
Stax has integrated vulnerability management controls whose purpose is to ensure Stax systems that service Stax core infrastructure are designed and engineered securely.
Vulnerability Management spans the entire Stax Information Asset pool, including:
- Endpoint devices for the fleet, integrated into the zero trust network
- Scanning of Stax Web Consoles, API’s, and Containers.
- Quarterly PCI ASV Scans
- Compliance scans of Stax AWS accounts for secure configuration aligned to CIS Benchmark and PCI compliance.
- Code Scanning and 3rd Party libraries
Vulnerability Management is also integrated into the CI/CD Process with scanning of Containers, 3rd-party libraries and code scanning of Stax' core components. This is governed as part of PCI related operational activities for modules such as, but not limited to, those related to the Stax control plane.
Logging, Monitoring and Security Incident Response
Stax uses a centralised logging and monitoring service to aggregate events and alerts (as per the Stax Responsibility matrix) from key applications and services to provide telemetry for anomaly detection based on common use cases, indicators of compromise, policy violations and other operational thresholds. Stax monitors systems with automated alarms based on Threat Risk and are integrated with PagerDuty incidents. Stax Security exploit bug bounty program acknowledges and rewards the work independent security researchers do by flagging vulnerabilities Stax might not be aware of. We look at each vulnerability on a case-by-case basis.
