
Security Practices

This page outlines how we protect your data while ensuring our products and services address our customers’ needs.

Policies

Data Encryption

We employ industry-standard encryption protocols to safeguard your data at rest and in transit. All data transmitted between our servers and your devices is protected using TLS 1.3 encryption. Data stored in our systems is encrypted using AES-256 encryption, ensuring that your information remains secure even in the unlikely event of unauthorized access to our servers. We regularly review our encryption methods to stay ahead of emerging threats and maintain the highest level of data protection.

Data Privacy

We are committed to protecting your privacy and handling your data with the utmost care. Our data privacy policy adheres to global standards, including GDPR and CCPA. We collect only the information necessary to provide and improve our services, and we never sell your personal data to third parties. You have full control over your data, including the right to access, correct, or delete your personal information. We maintain transparent data processing practices and provide regular updates on how we use and protect your information. If you have questions or wish to submit a request regarding your personal data, contact us at privacy@steno.ai.

Data Retention and Destruction

We have clear policies governing the retention and destruction of data. We only retain your data for as long as necessary to provide our services or as required by law. When data is no longer needed, we ensure it is securely and irreversibly destroyed using industry-standard methods. We regularly audit our data retention practices to ensure compliance with our policies and applicable regulations, maintaining the privacy and security of your information throughout its lifecycle.

Code Provenance

We maintain strict control over our code provenance to ensure the integrity and security of our software. All code changes are tracked through a version control system with signed commits, allowing us to verify the origin and authenticity of every modification. We employ a rigorous code review process and only accept contributions from verified developers. Third-party libraries and dependencies are carefully vetted and continuously monitored for security vulnerabilities. This comprehensive approach to code provenance helps prevent unauthorized code injection and ensures that our software remains trustworthy and secure.

Vendor Management

We carefully vet and monitor all third-party vendors who may have access to our systems or your data. Our vendor management policy includes thorough security assessments, contractual obligations for data protection, and ongoing monitoring of vendor practices. We require our vendors to adhere to the same high standards of security and privacy that we maintain ourselves. This ensures that your data remains protected throughout our entire supply chain and ecosystem.

Physical Infrastructure Security

Our primary cloud partner is Microsoft Azure. For details on how Azure manages physical infrastructure security, see Microsoft Azure infrastructure security.

Features

These features are included in all of our products, services, and other offerings by default.

Secure By Design

Security is not an afterthought in our product—it’s built into every aspect from the ground up. Our Secure by Design approach means that security best practices are integrated into the architecture, design, and implementation phases of our development process. This proactive strategy includes threat modeling, secure coding practices, and rigorous security testing at every stage. By anticipating and addressing potential vulnerabilities before they become issues, we create a more resilient product that can withstand evolving cyber threats.

Least Privilege

Steno.ai implements the principle of Least Privilege in all aspects of our business, including our operations, our products, and other offerings. This ensures that employees, customer and partner users, and processes are granted only the minimum levels of access—or permissions—needed to perform their functions. By default, all users start with zero privileges and are then granted specific permissions based on their role and requirements. This granular approach to access control significantly reduces the risk of unauthorized data access or system changes.

Infrastructure as Code (IaC)

We leverage Infrastructure as Code (IaC) to manage and provision our computing infrastructure through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. IaC ensures consistency across all deployments by using the same secure configurations, eliminating risks from human error and configuration drift. Version control allows for meticulous tracking and auditing of all infrastructure changes, enabling swift rollbacks when necessary. Security policies and compliance requirements are codified and automatically enforced across all environments.

Automated Updates

Keeping software up-to-date is crucial for maintaining security, which is why our product features an Automated Update system. This feature ensures that all components of our product—from the core application to third-party dependencies—are continuously updated to their latest secure versions. Critical security updates are automatically applied as soon as they’re available, minimizing exposure to known vulnerabilities. Updates are deployed gradually across our test and staging systems, then the user base, allowing us to monitor for any unforeseen issues and quickly roll back if necessary.

Access Control

Internal

Steno.ai implements stringent access control measures to protect your data from unauthorized access. We employ the principle of least privilege, ensuring that employees and systems have only the minimum level of access necessary to perform their duties. All access to sensitive data is logged and monitored. We require multi-factor authentication (MFA) for all user accounts and regularly review and update access permissions.

  • Role-Based Access Control (RBAC): Access rights are assigned based on job roles and responsibilities
  • Multi-Factor Authentication (MFA): All internal systems require MFA
  • Regular Access Reviews: Ongoing audits verify that user permissions align with current job roles
  • Single Sign-On (SSO): Centralized access management across internal systems
  • Comprehensive Logging: All access attempts and changes to access rights are logged and monitored
  • Secure Remote Access: Remote access is facilitated through encrypted VPN connections

Customer

Protecting our customers’ data and ensuring they have secure, appropriate access to our services is our top priority:

  • Multi-Factor Authentication (MFA): We offer and strongly encourage the use of MFA for all customer accounts
  • Fine-Grained Permissions: Customers can set up and manage user roles within their organization
  • Session Management: Secure session handling, including automatic timeouts and the ability to view and terminate active sessions
  • Access Logging: All significant account activities are logged
  • Single Sign-On (SSO) Integration: Support for integration with popular SSO providers

Third-Party

We implement strict controls to manage third-party access:

  • Risk Assessment: Third parties undergo a thorough security and privacy assessment before being granted access
  • Limited Access: Third parties are given the minimum access necessary, adhering to the principle of least privilege
  • Temporary Access: Where possible, access for third parties is time-limited and automatically revoked
  • Monitored Sessions: Access by third parties is logged and monitored
  • Contractual Obligations: All third parties are bound by contractual terms that include data protection and confidentiality clauses
  • Regular Reviews: Third-party access rights are regularly reviewed and promptly revoked when no longer required

API Security

Our API access control system provides secure, efficient, and scalable access to our services programmatically:

  • API Keys and Tokens: All API access requires unique API keys or tokens, which can be easily revoked if compromised
  • OAuth 2.0 and OpenID Connect: Secure authorization and authentication protocols
  • Rate Limiting: To prevent abuse and ensure fair usage
  • Scoped Access: API tokens can be issued with specific scopes, limiting access to only the necessary resources
  • HTTPS Encryption: All API communications are encrypted using TLS
  • Audit Logging: All API requests are logged for security monitoring
  • Automatic Token Expiration: API tokens have built-in expiration times
  • IP Whitelisting: Available for especially sensitive operations
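The scoped, expiring, revocable API tokens described above, as an added example that is not Steno.ai's code or its token format: it assumes an HMAC-signed token carrying a subject, a scope list, an expiry and a token id, with revocation tracked in an in-memory set. The signing key, the scope names and the in-memory revocation list are constructed for the illustration; a real service would use a standard token format such as a JWT, load the key from a key management service and keep revocations in a store shared by every API node.

```python
"""Scoped, expiring, revocable API tokens (added example, not Steno.ai code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key for this illustration only (assumption); a real
# service loads it from a key management service, never from source.
SIGNING_KEY = b"example-signing-key-not-for-production"

# In-memory revocation list keyed by token id (assumption; production would
# use a shared store so every API node sees a revocation at once).
REVOKED_TOKEN_IDS = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, scopes, ttl_seconds, now=None, token_id=None, key=SIGNING_KEY):
    """Mint a token carrying only the scopes the caller needs and a fixed expiry."""
    now = time.time() if now is None else now
    payload = {
        "sub": subject,
        "scopes": sorted(set(scopes)),   # least privilege: grant only what is requested
        "iat": int(now),
        "exp": int(now + ttl_seconds),   # automatic expiration, enforced on every call
        "jti": token_id or secrets.token_hex(8),  # unique id so one token can be revoked
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def revoke_token(token_id):
    """Revoke a single token (e.g. after it is reported compromised)."""
    REVOKED_TOKEN_IDS.add(token_id)


def authorize(token, required_scope, now=None, key=SIGNING_KEY):
    """Return (allowed, reason). Checks run in order: integrity, expiry, revocation, scope."""
    try:
        body, sig_text = token.split(".")
        sig = _unb64(sig_text)
    except ValueError:  # wrong number of parts or undecodable signature
        return False, "malformed token"
    # Verify the signature before trusting anything inside the payload.
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    try:
        payload = json.loads(_unb64(body))
    except ValueError:
        return False, "malformed token"
    now = time.time() if now is None else now
    if now >= payload["exp"]:
        return False, "expired"
    if payload["jti"] in REVOKED_TOKEN_IDS:
        return False, "revoked"
    if required_scope not in payload["scopes"]:
        return False, f"missing scope {required_scope}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: a read-only integration token that is later revoked.
    tok = issue_token("svc-reports", ["transcripts:read"], ttl_seconds=3600, token_id="tok-demo")
    print(authorize(tok, "transcripts:read"))    # (True, 'ok')
    print(authorize(tok, "transcripts:write"))   # (False, 'missing scope transcripts:write')
    revoke_token("tok-demo")
    print(authorize(tok, "transcripts:read"))    # (False, 'revoked')
```

The order of checks matters: the signature is verified before the payload is parsed so that nothing an attacker controls is interpreted, and the expiry and revocation tests come before the scope test so that a stale or revoked token is rejected regardless of what it claims to be allowed to do.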

Deployment Models

Software as a Service (SaaS)

Our default SaaS deployment model offers a turnkey solution:

  • Managed Infrastructure: Infrastructure managed by Microsoft Azure
  • Automatic Updates: All software updates, security patches, and feature rollouts are handled by our team
  • Scalability: Infrastructure scales seamlessly to accommodate your growing needs
  • Rapid Deployment: Start using our software immediately without setup or infrastructure provisioning
  • Cost-Effective: No upfront infrastructure investments required
  • Multi-Tenancy: Strong data isolation between customers

Private Instances

For customers who desire direct control over all aspects of security, or wish their data to reside in infrastructure they control, we can deploy a private instance of Steno.ai in their cloud account:

  • Cloud Control: Full control over your cloud environment, including choice of provider, region, and security settings
  • Data Residency: Your data remains within your chosen geographic region
  • Integration: Integrate Steno.ai with your existing software
  • Security Compliance: Apply your organization’s security policies directly to the infrastructure
  • Customization: Deeper configuration options to meet specific organizational needs
  • Data Ownership: Clear and direct ownership and control over your data and infrastructure

Contact sales@steno.ai for Private Instance inquiries.

Contact

If you have any questions about our security practices or need to report a security concern, please contact our security team at security@steno.ai.
