Built secure from the ground up.

Physical Security

StackBlaze runs on bare-metal servers in ISO 27001-certified data centres in the EU (Amsterdam) and US (Ashburn). Facilities are protected by biometric access controls, 24/7 CCTV, and security guards.

Network Isolation

• Each customer environment is isolated in its own Kubernetes namespace with network policies enforced at the CNI level
• Service-to-service traffic within a project travels over a private 100 Gbps fabric that never touches the public internet
• All public-facing endpoints sit behind a DDoS-scrubbing layer with automatic rate limiting
• SSH access to production hosts is via certificate-based authentication with short-lived certs (no long-lived keys)

Encryption

• All data at rest is encrypted with AES-256
• All data in transit is encrypted with TLS 1.3; TLS 1.0 and 1.1 are disabled
• Database backups are encrypted before leaving the host
• Secrets and API keys stored in our vault are encrypted with envelope encryption

Secure Development

• All code changes require peer review via pull request before merging
• Static analysis (SAST) and dependency scanning run on every pull request
• Secrets scanning prevents credentials from being committed to source control
• Container images are scanned for known CVEs before deployment

Authentication

• Passwords are hashed with bcrypt (cost factor 12+)
• TOTP-based two-factor authentication is available and encouraged for all accounts
• OAuth 2.0 is used for GitHub/GitLab/Bitbucket integrations, we request only the minimum necessary scopes
• Session tokens are short-lived and rotated on each login

Access Control

• Role-based access control (RBAC) with Owner, Admin, Developer, and Viewer roles
• StackBlaze engineers access production systems via a privileged access management (PAM) system, all sessions are recorded and reviewed
• Production database access requires a time-limited approval workflow

Backups

• Managed database instances are backed up every hour with point-in-time recovery (PITR) for the last 7 days
• Cross-region replication is available for Pro and Enterprise plans
• Backup integrity is automatically verified weekly

Data Isolation

• Each project's persistent volumes are provisioned as dedicated block devices, no shared storage between customers
• Deleted volumes are securely wiped before being re-provisioned

• SOC 2 Type II: audit currently underway; report available to enterprise customers under NDA upon request
• GDPR: we act as a data processor for customer data; our DPA is available for execution
• CCPA: we comply with California Consumer Privacy Act requirements
• Data centres: ISO 27001 and SOC 2 certified facilities

Enterprise customers can request our security questionnaire responses, penetration test executive summaries, and sub-processor list by contacting security@stackblaze.com.

We maintain a documented incident response plan that is reviewed and tested annually. In the event of a security incident:

• Our on-call security team is paged immediately via automated alerting
• Affected systems are isolated within minutes of detection
• Customers whose data may be affected are notified within 72 hours, in line with GDPR Article 33
• A post-mortem is published on our status page within 5 business days

We welcome responsible disclosure from security researchers. If you discover a vulnerability in StackBlaze, please report it to security@stackblaze.com with:

• A description of the vulnerability and potential impact
• Steps to reproduce the issue
• Any proof-of-concept code or screenshots

We commit to acknowledging your report within 24 hours, providing a timeline within 5 business days, and notifying you when the vulnerability is fixed. We do not pursue legal action against researchers who act in good faith and follow this policy.