- Third-party Security Testing
- Server Security
- Communications Security
- Client Security
- User Identification and Authentication
- Third-party Access
StatX's success depends on the confidence and trust its users place in the company's security policies, practices, and technology safeguards. To that end, StatX focuses its strategy on two primary objectives. First, StatX hardens its security posture against external attacks on its technology platform, including its client, server, and communications infrastructure. Second, StatX is committed to being an exemplary custodian of user data, ensuring that privileged internal user actions and system processes will not be used to compromise any client's personal data privacy.
The following is a summary of steps, measures, policies, and technologies put in place in support of these objectives.
Third-party Security Testing
StatX has satisfied the rigorous testing required by Intuit to be listed in the QuickBooks Online App partner directory and to be listed as a Salesforce AppExchange partner.
About Intuit QuickBooks Online App Testing
Intuit testing was completed in order for StatX to be published on the QuickBooks app store. The testing focuses on rigorous analysis of the server infrastructure (including app server configuration and attack vulnerability), as well as client-side handling of financial information. Because of the sensitivity of the data being accessed and shared, both server-side and client-side security postures are held to the same standard. Vendors must not only meet these requirements at the time of publication, but continuously after publishing: Intuit checks all apps annually to ensure that they still meet the technical and security requirements. You can learn more about the Intuit QuickBooks Online App testing program and requirements here.
About Salesforce AppExchange Testing
The Salesforce AppExchange is one of the most trusted cloud application ecosystems as a result of its rigorous security review process, which helps build a culture of trust by ensuring that all applications meet a set of security standards and best practices. The security review process comprises two types of assessment. The first is a qualitative, question-and-answer round that reviews policies and procedures. The second is quantitative and focuses on network and application security testing. The approach is to test all parts of the offering to ensure that mutual customers and their data are not put at risk. You can learn more about the approach and scope of the review here.
Server Security
StatX server security rests on two primary factors. First, the server is hosted on Amazon Web Services (AWS), which provides multiple physical and virtual layers of protection. Second, StatX uses Amazon Relational Database Service (RDS) encryption, which ensures that all data stored in the server database is encrypted at rest.
About AWS Server Security
All AWS-hosted servers benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations. AWS provides several security capabilities and services to increase privacy and control network access. These include network and application firewalls, encryption in transit with TLS across all services, and adherence to dozens of compliance programs. You can learn more about general AWS security here.
About Amazon RDS Encryption
Amazon RDS encryption provides an additional layer of data protection by securing data against unauthorized access to the underlying storage. Data that is encrypted at rest includes the underlying storage of the StatX DB instance, its automated backups, read replicas, and snapshots. Amazon RDS encrypted instances use the industry-standard AES-256 algorithm to encrypt data on the server. Once data is encrypted, Amazon RDS handles access authentication and decryption transparently, with minimal impact on performance. You can learn more about Amazon RDS encryption here.
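The paragraph above lists four places RDS encryption must cover: the instance, its automated backups, read replicas, and snapshots. The following added check (not StatX's code, nor an AWS tool) walks listings in the shape returned by boto3's `describe_db_instances` and `describe_db_snapshots` and reports anything not encrypted at rest; the listings here are constructed sample data, and the resource names are made up.

```python
"""Report RDS instances, read replicas and snapshots that are not encrypted at rest."""

# Constructed sample in the shape of boto3 rds.describe_db_instances(); identifiers are made up.
SAMPLE_INSTANCES = {
    "DBInstances": [
        {"DBInstanceIdentifier": "statx-prod", "StorageEncrypted": True},
        {"DBInstanceIdentifier": "statx-prod-replica", "StorageEncrypted": True,
         "ReadReplicaSourceDBInstanceIdentifier": "statx-prod"},
        {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False},
    ]
}

# Constructed sample in the shape of boto3 rds.describe_db_snapshots(); automated backups
# appear here with SnapshotType "automated", manual ones with "manual".
SAMPLE_SNAPSHOTS = {
    "DBSnapshots": [
        {"DBSnapshotIdentifier": "rds:statx-prod-2024-01-01-00-00",
         "SnapshotType": "automated", "Encrypted": True},
        {"DBSnapshotIdentifier": "legacy-db-final",
         "SnapshotType": "manual", "Encrypted": False},
    ]
}


def unencrypted_rds_resources(instances: dict, snapshots: dict) -> list[tuple[str, str]]:
    """Return (resource kind, identifier) for every resource lacking encryption at rest.

    A missing StorageEncrypted/Encrypted key is treated as False: an absent flag is not
    evidence of encryption.  Replicas and snapshots inherit the encryption state of their
    source, so an unencrypted source instance normally drags all of them into the report.
    """
    findings = []
    for inst in instances.get("DBInstances", []):
        kind = "read-replica" if inst.get("ReadReplicaSourceDBInstanceIdentifier") else "instance"
        if not inst.get("StorageEncrypted", False):
            findings.append((kind, inst["DBInstanceIdentifier"]))
    for snap in snapshots.get("DBSnapshots", []):
        kind = snap.get("SnapshotType", "manual") + "-snapshot"
        if not snap.get("Encrypted", False):
            findings.append((kind, snap["DBSnapshotIdentifier"]))
    return findings


if __name__ == "__main__":
    # Encryption cannot be switched on for an existing unencrypted instance; the remediation
    # is snapshot -> encrypted copy -> restore, so findings here are worth flagging early.
    for kind, ident in unencrypted_rds_resources(SAMPLE_INSTANCES, SAMPLE_SNAPSHOTS):
        print(f"NOT ENCRYPTED AT REST: {kind} {ident}")
```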
Communications Security
All client-server communication is TLS (SSL) encrypted. As a result, nobody can eavesdrop on conversations or intercept data in the clear, and communications are not vulnerable to threats such as replay attacks.
Client Security
StatX is architected from the ground up to rigorously manage user data and mitigate the risk of privacy being compromised. The key architectural factors that ensure maximum data privacy fall into two categories:
User Contact Information
- User contact lists are NOT uploaded to the server (unlike many popular messaging apps). When a user shares contact information from their address book, StatX does not get access to the entire contact list. Only individually selected phone numbers are sent to StatX for the purpose of completing user-initiated/authorized transactions to invite members to a Group.
- StatX does not provide any user discovery capability. Users are not searchable and can only be added to a private group if they are invited by an already authenticated user, and the inviter must know the invitee's mobile phone number.
- Followers of Public Groups do not have their phone numbers exposed to any other follower or to any Admin or member of the group.
- Followers of Public Groups that choose to start a chat with an Admin do not expose their phone numbers to the Admin.
- No user-created data (information stored in stats, notes, attachments, chat, etc.) is stored in the user's mobile phone flash (persistent) storage. Only credentials are stored, and only in an encrypted state.
- User Group data is strongly isolated, and private groups cannot be discovered. A member must be invited to a group to know that it exists.
User Identification and Authentication
Users identify themselves to the StatX app using their mobile number as their unique ID. Initial authentication requires entering a securely generated code communicated via SMS. There is no reliance on passwords.
Third-party Access
StatX does not support any third-party advertising on its platform, and there is no third-party access to any user data. StatX does not sell user sign-in data or user-created data to any third parties. The StatX business model relies on growth of its user base and direct charges for its SaaS service, paid by Admins of private and public groups.