Our Commitment
Security is foundational to everything we build at STLabs. Our platform handles sensitive IT operations data, and we treat the protection of that data as a core product requirement — not an afterthought. We apply defense-in-depth principles across our infrastructure, application layer, and operational processes.
Infrastructure
STLabs runs on cloud infrastructure from leading providers that hold SOC 2 reports, ISO 27001 certification, and FedRAMP authorization. Our infrastructure practices include:
- All services run in isolated virtual private clouds with strict network segmentation
- Infrastructure is defined as code and deployed through auditable CI/CD pipelines
- Production environments are separated from development and staging
- Automated vulnerability scanning runs continuously across all infrastructure
- System logs are aggregated centrally and retained for a minimum of 12 months
Data Protection
- All data is encrypted in transit using TLS 1.2 or later
- All data is encrypted at rest using AES-256
- Database backups are encrypted and stored in geographically separate regions
- Customer data is logically isolated at the application layer — no tenant can access another tenant’s data
- Sensitive credentials and secrets are managed through dedicated secrets management services, never stored in code or configuration files
Access Control
- We enforce the principle of least privilege across all systems
- All employee access to production systems requires multi-factor authentication
- Access to customer data is restricted to authorized personnel and logged for audit purposes
- Access reviews are conducted quarterly and upon any role change
- SSO and SAML 2.0 are supported for enterprise customers
Application Security
- All code changes go through peer review before merging
- Static analysis and dependency scanning run on every pull request
- We follow OWASP best practices for secure application development
- API endpoints are authenticated, rate-limited, and validated against strict schemas
- We conduct periodic penetration testing through qualified third-party firms
AI & Model Security
As an AI-powered platform, we apply additional safeguards to our model layer:
- Customer data is never used to train or fine-tune models shared across tenants
- All AI actions are logged with full audit trails, including inputs, outputs, and any actions taken
- Human-in-the-loop controls are available for sensitive operations, configurable per workflow
- Model outputs are validated against safety policies before execution
- Prompt injection and adversarial input protections are applied at the application layer
Compliance
STLabs is pursuing a SOC 2 Type II attestation. Our compliance program includes formal policies for information security, acceptable use, incident response, business continuity, and vendor management. We are committed to meeting the regulatory requirements of the industries we serve.
Incident Response
We maintain a documented incident response plan that covers detection, containment, eradication, recovery, and post-incident review. In the event of a confirmed security incident affecting customer data, we will notify impacted customers within 72 hours of confirming the incident, consistent with applicable regulations.
Vendor Security
All third-party vendors and subprocessors with access to customer data undergo security review before onboarding. We evaluate their security posture, data handling practices, and compliance certifications. Vendor reviews are repeated annually.
Questions or Concerns
If you have questions about our security practices or want to report a vulnerability, please contact us at security@stlabs.com.