Docs homeResourcesSecurity & Compliance

Security & Compliance

Stackmint's security controls, compliance certifications, vulnerability disclosure process, and data handling practices.

Stackmint is built for enterprise deployments where security and compliance are prerequisites, not afterthoughts. This page summarizes the platform's security controls, compliance certifications, and data handling practices.

Compliance certifications

  • SOC 2 Type II — Annual audit covering Security, Availability, and Confidentiality trust service criteria. Reports available to enterprise customers under NDA.
  • ISO 27001 — Information security management system certification. Certificate available on request.
  • GDPR — Stackmint acts as a data processor for customer data. A Data Processing Agreement (DPA) is available for all paid plans. See the EU AI Act compliance page for AI-specific regulatory posture.
  • EU AI Act — Stackmint's governance features (audit logs, HITL, model allow lists, kill switch) are designed to support compliance with the EU AI Act's requirements for high-risk AI systems.

Access control

  • All user authentication uses Supabase Auth with bcrypt password hashing
  • SSO via SAML 2.0 and OIDC on Enterprise plans
  • SCIM 2.0 for automated user provisioning and deprovisioning
  • MFA available for all users; enforceable at the Workspace level on Enterprise plans
  • Session tokens expire after 24 hours of inactivity

Data handling

  • Execution inputs and outputs — Stored in the audit log for the Workspace's configured retention period. Not used for model training.
  • Context Variables — Encrypted at rest with per-Workspace keys. Secret Variables are never logged in plaintext.
  • Model API calls — Made directly to the model provider using the Workspace's configured credentials. Stackmint does not store model prompts or completions beyond what appears in the audit log.
  • Data deletion — Workspace data can be deleted on request. Deletion is permanent and includes all executions, audit logs, context Variables, and user records associated with the Workspace.

Network security

  • All API traffic over TLS 1.2+
  • Fixed egress IPs for model API calls (available for IP allowlisting)
  • Web Application Firewall (WAF) in front of all public endpoints
  • DDoS protection via Cloudflare
  • Private networking between control plane and execution workers

Vulnerability disclosure

Stackmint operates a responsible disclosure program. If you discover a security vulnerability, report it to security@stackmint.ai. Include a description of the vulnerability, steps to reproduce, and your assessment of impact. We acknowledge reports within 24 hours and aim to remediate critical issues within 72 hours. We do not pursue legal action against researchers who follow responsible disclosure practices.

Penetration testing

Stackmint undergoes annual penetration testing by a third-party security firm. Enterprise customers may request to conduct their own penetration tests against their dedicated environment with prior written approval. Multi-tenant penetration testing is not permitted.

Previous

Governance Overview