
Security & GDPR FAQs

Common questions about our security practices, GDPR compliance, and data protection measures.

Security Infrastructure

Where is ShortStack hosted?

ShortStack is hosted on Amazon Web Services (AWS) infrastructure in secure, SOC 2 Type II certified data centers located in the United States. We utilize multiple availability zones for redundancy and high availability.

How is data encrypted?

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption. We implement end-to-end encryption for sensitive data transmission and storage.

What security certifications does ShortStack have?

Our infrastructure providers maintain SOC 2 Type II, ISO 27001, and PCI DSS Level 1 certifications. We conduct regular third-party security audits and penetration testing.

How do you handle DDoS attacks?

We use AWS CloudFront and AWS WAF (Web Application Firewall) to detect and mitigate distributed denial-of-service attacks. Our infrastructure automatically scales to handle traffic spikes.

Access Control

Who has access to customer data?

Access to customer data is strictly limited to authorized ShortStack personnel who require it for their job functions. All employees sign confidentiality agreements and undergo security training.

Does ShortStack support multi-factor authentication?

Yes, we support multi-factor authentication (MFA) for all user accounts. We strongly recommend enabling MFA for enhanced account security.

How are employee access rights managed?

We implement role-based access control (RBAC) with the principle of least privilege. Access is reviewed every 6 months and immediately revoked upon employee departure. All access is logged and monitored.

GDPR Compliance

Is ShortStack GDPR compliant?

Yes, ShortStack is fully compliant with the General Data Protection Regulation (GDPR). We act as a data processor and have implemented all necessary technical and organizational measures to protect EU citizens' personal data.

Can I sign a Data Processing Agreement (DPA)?

Yes, our DPA is available to all customers and covers our obligations as a data processor. View our Data Processing Agreement page for full details and to request execution.

How do I exercise data subject rights (access, deletion, etc.)?

As the data controller, you can access, export, and delete data directly through your ShortStack account. For assistance with data subject requests, contact our support team at support@shortstack.com.

Where is personal data stored?

Personal data is primarily stored in AWS data centers in the United States. For international transfers, we use Standard Contractual Clauses (SCCs) and participate in the EU-U.S. Data Privacy Framework.

How long is data retained?

Data is retained for the duration of your subscription. Upon account closure, data is deleted within 90 days unless retention is required by law. Backup copies follow our standard retention schedule.

Data Protection

How do you prevent data breaches?

We implement multiple layers of security including firewalls, intrusion detection systems, regular security audits, penetration testing, and employee security training. We also maintain comprehensive incident response procedures.

What happens if there is a data breach?

In the event of a breach, we will notify affected customers within 48 hours of becoming aware. We will provide details about the breach, affected data, and remediation steps. We also assist with regulatory notifications as required.

How is data backed up?

Data is automatically backed up daily with encrypted backups stored in multiple geographic locations. Backups are tested regularly to ensure successful restoration if needed.

Can I export my data?

Yes, you can export all your data at any time through your account dashboard. We provide export functionality in multiple formats including CSV and JSON.

Compliance & Auditing

What other compliance standards does ShortStack meet?

In addition to GDPR, we comply with CCPA (California), PIPEDA (Canada), Australian Privacy Act, UK DPA, Swiss DPA, and participate in the EU-U.S. Data Privacy Framework.

Can I audit ShortStack's security practices?

Yes, customers have audit rights as specified in our Data Processing Agreement. We can provide security documentation, certifications, and facilitate audits upon reasonable notice.

How often do you conduct security assessments?

We conduct internal security assessments quarterly and engage third-party security firms for annual penetration testing and vulnerability assessments.

Do you have a bug bounty program?

Yes, we maintain a responsible disclosure program. Security researchers who discover vulnerabilities can report them to support@shortstack.com. We acknowledge and remediate validated reports promptly.

Application Security

How do you prevent SQL injection and XSS attacks?

We use parameterized queries, input validation, output encoding, and Content Security Policy (CSP) headers. Our code undergoes regular security reviews and automated vulnerability scanning.
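The three application-layer controls named above, parameterized queries, output encoding and a Content Security Policy header, shown together as an added example. This is not ShortStack's code; the table, its rows, the validation rule and the CSP policy are constructed for illustration, and only Python standard-library modules are used.

```python
"""Added example (not ShortStack code): parameterized queries, input
validation, output encoding and a CSP header, using only the standard library.
The table, rows, inputs and policy are constructed for the demo."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table of form entries for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE entries (id INTEGER PRIMARY KEY, email TEXT, comment TEXT)"
    )
    conn.executemany(
        "INSERT INTO entries (email, comment) VALUES (?, ?)",
        [
            ("alice@example.com", "Love the new template"),
            ("bob@example.com", "<b>bold</b> claims & more"),
            ("o'brien@example.com", "Apostrophes are data, not syntax"),
        ],
    )
    return conn


def find_by_email(conn: sqlite3.Connection, email: str) -> list:
    """Parameterized query: `email` is bound as a value by the driver, so quotes
    or SQL keywords inside it are compared literally and never parsed as SQL."""
    cur = conn.execute(
        "SELECT id, email, comment FROM entries WHERE email = ?", (email,)
    )
    return cur.fetchall()


def valid_email(value: str) -> bool:
    """Minimal input validation (constructed rule): bounded length and basic shape.
    Validation narrows what is accepted; the parameter binding is what prevents injection."""
    return 0 < len(value) <= 254 and value.count("@") == 1 and " " not in value


def render_comment(comment: str) -> str:
    """Output encoding: HTML-escape untrusted text before placing it in markup,
    so a stored comment is displayed rather than interpreted by the browser."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def csp_header() -> tuple:
    """A restrictive Content-Security-Policy header (constructed policy): only
    same-origin scripts and styles load, inline script is not allowed, plugins
    are disabled and the page cannot be framed."""
    policy = (
        "default-src 'self'; "
        "script-src 'self'; "
        "style-src 'self'; "
        "img-src 'self' data:; "
        "object-src 'none'; "
        "frame-ancestors 'none'; "
        "base-uri 'self'"
    )
    return ("Content-Security-Policy", policy)


if __name__ == "__main__":
    db = make_db()
    print(find_by_email(db, "o'brien@example.com"))
    print(render_comment("<b>bold</b> claims & more"))
    print(": ".join(csp_header()))
```

The three functions map one-to-one onto the controls in the answer: binding parameters keeps user input out of the SQL grammar, escaping at output time keeps it out of the HTML grammar, and the CSP header limits what a browser will execute even if an encoding step is missed somewhere.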

How are passwords stored?

Passwords are hashed using bcrypt with a high cost factor and per-user salts. We never store passwords in plain text and implement password complexity requirements.
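An added example of the password-storage properties described above: a random per-user salt, a tunable cost factor stored alongside the hash, a constant-time comparison on verify, and a complexity check. This is not ShortStack's code. The answer names bcrypt; bcrypt is not in Python's standard library, so this example substitutes `hashlib.scrypt` (a memory-hard password hash from the standard library) to show the same design. The cost values, record format and complexity rule are constructed choices.

```python
"""Added example (not ShortStack code). The FAQ states bcrypt with a high cost
factor and per-user salts; this uses hashlib.scrypt as a standard-library
stand-in to demonstrate the same properties: random salt per user, a cost
parameter stored with the hash, and constant-time verification."""
import base64
import hashlib
import hmac
import os

# Constructed cost parameters: scrypt's n is the work factor, analogous to bcrypt's cost.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, n: int = SCRYPT_N) -> str:
    """Return a self-describing record 'scrypt$n$salt$hash' so the stored
    cost and salt are available at verify time."""
    salt = os.urandom(SALT_BYTES)  # fresh salt per user: equal passwords yield different records
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN
    )
    return "$".join([
        "scrypt",
        str(n),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        alg, n_str, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record: never raise on the login path
    if alg != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=int(n_str), r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, current_n: int = SCRYPT_N) -> bool:
    """True when a stored record uses a lower cost than current policy; the
    caller rehashes on the next successful login, since the plaintext is only
    available then."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "scrypt" or int(parts[1]) < current_n


def meets_complexity(password: str) -> bool:
    """Constructed complexity rule: at least 12 characters and three of four classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= 12 and sum(classes) >= 3


if __name__ == "__main__":
    rec = hash_password("Correct-Horse-Battery-9")
    print(rec)
    print(verify_password("Correct-Horse-Battery-9", rec), verify_password("wrong", rec))
```

Storing the cost in the record is what makes "a high cost factor" maintainable: when the policy is raised, `needs_rehash` flags old records and they are upgraded transparently at the user's next login rather than all at once.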

Do you scan for vulnerabilities?

Yes, we use automated tools to continuously scan for vulnerabilities in our code and dependencies. We also conduct manual security code reviews for all significant changes.

How quickly are security patches applied?

Critical security patches are applied within 24 hours of discovery. High-priority patches are applied within 72 hours, and standard patches during regular maintenance windows.

Third-Party Security

How do you vet third-party service providers?

All subprocessors undergo security and privacy assessments before engagement. We maintain a list of approved subprocessors and notify customers of changes. See our Subprocessors page for details.

Do third parties have access to my data?

Subprocessors only access data as necessary to provide specific services (e.g., hosting, email delivery). All subprocessors sign Data Processing Agreements and comply with our security standards.

Additional Resources

For more detailed information, review our compliance documentation.

Still have questions?

Contact our support team for specific inquiries.