We publish how we handle and protect your data.
All communications are encrypted with TLS 1.2 or higher. HTTP redirects to HTTPS.
Database and object storage use AES-256 provider-level encryption at rest.
For Enterprise authenticated scanning, the browser extension performs AES-GCM 256-bit encryption client-side before transmitting session cookies to STLUR servers. Encryption keys use a two-layer architecture (HKDF-derived from an installation token), so a storage breach alone cannot decrypt credentials. Plaintext credentials exist only in memory during scan execution and are discarded immediately after.
Row-Level Security (RLS) ensures each user accesses only their own data. Admin interfaces are MFA-protected private endpoints.
STLUR runs automated monthly ZAP/Nuclei scans on its own infrastructure and remediates critical findings within 30 days.
We are currently preparing for SOC 2 Type I. STLUR reports assist with SOC 2 TSC evidence collection; they are not STLUR's own SOC 2 opinion letter. We will publish the report upon certification.
STLUR reports automate evidence collection for the following TSC items. STLUR itself does not issue a SOC 2 opinion letter.
| TSC | Criteria | Status |
|---|---|---|
| CC6.1 | Logical Access Control | Covered |
| CC6.6 | Vulnerability Management | Covered |
| CC6.7 | Transmission Security | Covered |
| CC4.1 | Continuous Monitoring | Partial |
| A1.2 | Availability Monitoring | Partial |
| CC1–CC9 | Full COSO Criteria (Type II) | Planned |
Customer data is primarily processed and stored in the US (database & authentication) and the Asia-Pacific region (security scan execution). Edge cache may temporarily hold data across the global network. Scan results (vulnerability data) are stored encrypted with AES-256 in object storage.
Third-party service providers STLUR uses for data processing.
| Provider Type | Purpose | Location |
|---|---|---|
| Database & Authentication Provider | Customer data storage & user authentication | US |
| Edge Network & Storage Provider | CDN, edge compute, object storage & DNS | Global |
| Frontend Hosting Provider | Web application hosting & delivery | Global |
| Cloud Computing Provider | Security scanner execution (isolated containers) | Asia-Pacific |
| Payment Processing Provider | Payment processing & billing | US / EU |
| AI Processing Provider | Report summary generation (text only, no customer PII) | US |
| Email Delivery Provider | Transactional email delivery | US |
The database performs daily automated backups with up to 7-day point-in-time recovery (PITR).
Scan results are retained for at least 13 months (used for year-over-year delta).
A public status page is in preparation. It will be linked here once available.
We provide a Data Processing Agreement (DPA) compliant with GDPR, CCPA, and APPI upon request. Submit the form below or contact security@stlur.app directly. We typically respond within 2 business days.
Please send the following information to security@stlur.app: Company name, contact person, email address, applicable jurisdiction (EU / US / JP etc.), and intended use case.
If you discover a vulnerability in STLUR's services, please report it to security@stlur.com. We follow responsible disclosure and aim to respond within 90 days of receipt.
Last updated: 2026-04-17