> ## Documentation Index
> Fetch the complete documentation index at: https://docs.stenoa.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security posture

> Stenoa establishes policies and controls, monitors compliance with those controls, and proves its security and compliance to third-party penetration testers and auditors.

## Governance

Our policies are based on the following four foundational principles:

1. **Least privilege**. Access should be limited to only those with legitimate business needs, based on the principle of least privilege.
2. **Consistency**. Security controls should be applied consistently across all areas of the enterprise.
3. **Defense in depth**. Security controls should be implemented and layered according to the principle of defense-in-depth.
4. **Continuous improvement**. The implementation of controls should be iterative, continuously improving effectiveness and decreasing friction.

## Data protection

<Columns cols={2}>
  <Card title="Data at rest" icon="server">
    All datastores are encrypted at rest. Sensitive collections and tables also use row-level encryption.
  </Card>

  <Card title="Data in transit" icon="chevrons-left-right-ellipsis">
    Stenoa uses TLS 1.3 or higher everywhere data is transmitted over potentially insecure networks.
  </Card>

  <Card title="Data backup" icon="square-stack">
    Stenoa backs up all production data using a point-in-time approach. Backups are persisted for 7 years, and are replicated for resiliency against regional disasters.
  </Card>
</Columns>

## Product security

### Penetration testing

Stenoa engages with third-party firms to conduct penetration testing annually.

All areas of the Stenoa product and cloud infrastructure are in-scope for these assessments, and source code is fully available to the testers to maximize effectiveness and coverage.

## Enterprise security

<Columns cols={2}>
  <Card title="Endpoint protection" icon="globe-lock">
    All company devices are equipped with anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage.

    We use MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.
  </Card>

  <Card title="Security education" icon="graduation-cap">
    Stenoa provides comprehensive security training to all employees upon onboarding. We also conduct threat briefings with employees to inform them of important security and safety-related updates that require special attention or action.
  </Card>

  <Card title="Identity and access management" icon="fingerprint-pattern">
    Stenoa employees are granted access to applications based on their role, and automatically deprovisioned upon termination of their employment. Further access must be approved according to the policies set for each application.

    Multi-factor authentication is required for all employees to access company applications.
  </Card>
</Columns>
