Authenticated file delivery
Uploads, previews, and downloads pass through the Stoatify API. Storage credentials and bucket endpoints stay server-side.
Security, privacy, and assurance
Review the architecture, access controls, subprocessors, and security documents behind the Stoatify vault.
Security architecture
Stoatify treats the API as the enforcement point. Identity, organization membership, authorization, document state, and file delivery are checked at the server boundary.
Every byte flows through the authenticated API, from upload validation to previews and downloads.
Uploads, previews, and downloads pass through the Stoatify API. Storage credentials and bucket endpoints stay server-side.
Every request resolves an organization scope from the verified identity and checks membership before accessing organization data.
Organization roles, object permissions, groups, and document ACLs are evaluated together, with inaccessible records returning no existence signal.
Embedded previews and downloads use signed, document-specific tokens, with live state checks that stop access after deletion or revocation.
Documents move through a defined trash lifecycle. Automated workers permanently purge expired records and associated file bytes.
Stoatify verifies signed identity tokens and derives the user identity from the token subject, never from client-supplied user identifiers.
Assurance library
Public attestations are available directly. Detailed questionnaires and operating policies require a work email.
Stoatify's assessment against the Minimum Viable Secure Product baseline controls.
Current availability, active incidents, and service history for Stoatify.
Detailed answers covering cloud controls, data handling, encryption, and infrastructure.
Vendor Security Alliance assessment of data protection, access control, and vulnerability management.
Governance for production security, access, key management, and risk management.
Document lifecycle, trash retention, permanent purge, and backup handling practices.
Detection, containment, investigation, communication, and recovery procedures.
Subprocessors
Stoatify uses a focused set of service providers to operate the platform. All customer data is stored in data centers located in the United States.
Have a security question?
For questionnaires, architecture questions, vulnerability reports, or procurement reviews, contact Stoatify security.