Security

As specialist financial services provider, we take security very seriously. Further down on this page we cover the StoneShot Platform. Let’s look first at user security.

Restricted IP access

You can restrict where your users can access StoneShot using your corporate IP addresses. That means you’ll need to be in an office or using a corporate VPN to be able to login. It’s not as strong as the options below but it’s easy to implement. Contact us and we’ll set you up.

Two-Factor Authentication

Over and above your StoneShot username and password, we can provide two-factor authentication. It’s an extra step that makes it harder for potential intruders to gain access.

We’ve partnered with Duo, a Cisco company, to provide two-factor authentication. Once it’s enabled on your account and you’ve downloaded the mobile app, you’ll get an Approve or Deny nudge on your mobile. You can download Duo mobile here:

Duo Mobile for iOS
Duo Mobile for Android

If you don’t want to use the Duo app, you can authenticate via a text message or phone call instead. Both routes give you a unique code to use on login. Please let us know if you’d like it enabled.

Single sign-on

Alternatively, you can avoid having a StoneShot username and password completely by using single sign-on.

Single sign-on allows you to login to your office PC or Mac and access StoneShot without having to login. It’s easy to implement, does away with remembering yet more passwords, and it’s completely frictionless.

We’ll need this info from your IT team:

• SAML endpoint: The URL of the identity provider for StoneShot to query to authenticate a user.
• Application identifier: The unique key assigned to the StoneShot platform for the identity provider.
• SAML certificate: The full contents of the public certificate used to authenticate requests on the client end.

We’ll then setup a unique login URL for your organization. We can enable it for all users or migrate individually or in teams if you wish. Your client services team can guide you through it.

CRM

You can seamlessly access StoneShot from Salesforce and Microsoft Dynamics too. We’ll map each StoneShot user to their CRM user credentials and they’ll have seamless access after one-time authentication. This can be managed at any time by a StoneShot user with Admin level privileges.

The StoneShot Platform

StoneShot treats information security with utmost importance.

We undertake careful planning, implementation, monitoring and maintenance of strict controls to protect all our assets.

Network Security

StoneShot defines its network boundaries using a combination of load balancers, firewalls, and VPNs. These control which services we expose to the Internet and segment our production network from the rest of our computing infrastructure. We limit who has access to our production infrastructure based on business need and strongly authenticate that access.

Email Security

Our platform follows best practice email authentication standards. All emails sent are cryptographically signed using DKIM and originate from an IP address we publish in our SPF record. We support STARTTLS for both inbound and outbound email. If your mail service provider supports TLS, your email will be encrypted in transit, both to and from StoneShot.

Data Retention and Deletion

StoneShot retains your content unless you take one or more of the following action

• Delete your content from the StoneShot Platform
• Request all data to be deleted
• Set up retention policies in the StoneShot Platform

Activity Logging

The StoneShot Platform performs server-side logging of client interactions with our services. These include web server access logging as well as activity logging for actions taken through the StoneShot Platform. We also provide recent access times and IP addresses for activity upon request.

Transport Encryption

StoneShot uses industry standard encryption to protect your data in transit. This is commonly referred to as transport layer security (“TLS”) or secure socket layer (“SSL”) technology. In addition, we support HTTP Strict Transport Security (“HSTS”) for the StoneShot Platform. We support a mix of cipher suites and TLS protocols to provide a balance of strong encryption for browsers and clients and backward compatibility for legacy clients that need it. We plan to continue improving our transport security posture as a commitment to protecting your data.

Encryption at Rest

SQL TDE Encryption technology is used to protect all client data from unauthorised access while at rest. Keys are used for the encryption and decryption of data.

Azure safeguards secrets and keys by using industry-standard algorithms, key lengths, and hardware security modules (HSMs). The HSMs used are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated.

Access to a key vault requires proper authentication and authorization before a caller (user or application) can get access. Authentication establishes the identity of the caller, while authorization determines the operations that they can perform. Authentication is achieved via Azure Active Directory.

Resiliency / Availability

StoneShot operates a fault tolerant architecture in our physical data centres which include the following:

• Diverse and redundant Internet connections
• Redundant network infrastructure including switches, routers, and firewalls
• Redundant application load balancers
• Redundant servers and offsite disaster recovery servers
• Redundant underlying storage

Our physical data centres also provide fault tolerant facility services including power, HVAC, and fire suppression. We back up all customer content at least once a day. We do not utilize portable or removable media for backups.

Physical Security

We operate the StoneShot Platform using physical data centres.

For our data centres, we secure our infrastructure in a private, locked cage that includes 24x7x365 monitoring. Access to these data centres requires at a minimum, two-factors of authentication, but may include biometrics as a third factor. Each of our data centres has undergone a SOC-1 Type 2 and SOC-2 Type 2 audit, attesting to their ability to physically secure our infrastructure. Only StoneShot operations personnel and data centre staff have physical access to this infrastructure and our operations team is alerted each time someone accesses our cage, including a video record of the event.

All StoneShot data resides inside the United Kingdom.

Access restrictions

When you try to log onto the StoneShot platform, you may see the screen below…

Firstly, please check that you are connected to your VPN and try logging in again. If the problem persists continue reading.

If you‘re travelling out of the country we may need to temporarily whitelist your IP address. It’s important that you provide the IP address whilst you’re connected to the VPN. Visit

https://www.whatismyip.com/ and send us an email with the country location, the IP address i.e. 194.72.14.226, and how long you will be accessing the platform from that location.

 Once we’ve whitelisted the IP address you should then be able to log in like normal.