View live system status

Security, privacy, and assurance

See how Stoatify keeps
your documents private.

Review the architecture, access controls, subprocessors, and security documents behind the Stoatify vault.

API proxiedFile delivery
Organization scopedTenant boundary
Short-livedContent tokens
United StatesData residency

Security architecture

Every file request passes the same security checks.

Stoatify treats the API as the enforcement point. Identity, organization membership, authorization, document state, and file delivery are checked at the server boundary.

Core data path

Files move through the authenticated API.

Every byte flows through the authenticated API, from upload validation to previews and downloads.

01BrowserVerified session
03MetadataOrganization scoped
04File storageServer credentials
01

Authenticated file delivery

Uploads, previews, and downloads pass through the Stoatify API. Storage credentials and bucket endpoints stay server-side.

02

Tenant isolation

Every request resolves an organization scope from the verified identity and checks membership before accessing organization data.

03

Layered authorization

Organization roles, object permissions, groups, and document ACLs are evaluated together, with inaccessible records returning no existence signal.

04

Short-lived capabilities

Embedded previews and downloads use signed, document-specific tokens, with live state checks that stop access after deletion or revocation.

05

Managed deletion

Documents move through a defined trash lifecycle. Automated workers permanently purge expired records and associated file bytes.

06

Identity verification

Stoatify verifies signed identity tokens and derives the user identity from the token subject, never from client-supplied user identifiers.

Assurance library

Security documents for your review.

Public attestations are available directly. Detailed questionnaires and operating policies require a work email.

PublicNo access request required
Public attestationComing soon

MVSP Self-Attestation

Stoatify's assessment against the Minimum Viable Secure Product baseline controls.

In preparation
Operational transparencyLive

System Status

Current availability, active incidents, and service history for Stoatify.

Controlled accessWork email required when available
Security questionnaireComing soon

CSA CAIQ v4

Detailed answers covering cloud controls, data handling, encryption, and infrastructure.

In preparation
Security questionnaireComing soon

VSA Core

Vendor Security Alliance assessment of data protection, access control, and vulnerability management.

In preparation
Operating policyComing soon

Information Security Policy

Governance for production security, access, key management, and risk management.

In preparation
Operating policyComing soon

Data Deletion and Retention Policy

Document lifecycle, trash retention, permanent purge, and backup handling practices.

In preparation
Operating policyComing soon

Incident Response Plan

Detection, containment, investigation, communication, and recovery procedures.

In preparation

Subprocessors

Service providers and the work they perform.

Stoatify uses a focused set of service providers to operate the platform. All customer data is stored in data centers located in the United States.

ProviderPurposeData involved
01RailwayApplication hosting and runtime infrastructureService and operational data
02CloudflareNetwork edge and traffic protectionNetwork and request metadata
03StripeSubscription billing and payment processingBilling and transaction data
04Backblaze B2Encrypted object storageCustomer file content
05ClerkAuthentication and identity managementAccount and authentication data

Have a security question?

Talk directly with our team.

For questionnaires, architecture questions, vulnerability reports, or procurement reviews, contact Stoatify security.

security@stoatify.com