Statsig has instituted several technical and organizational measures designed to protect Statsig applications. This page provides a description of our current security measures.
The Security Team at Statsig conducts periodic automated and manual risk assessments using a methodology based on AICPA SOC2 guidelines for information security risk management. Top risks are identified, and risk treatment plans are prepared. The risk assessment, top risk selection and risk treatment plans are reviewed, and progress is tracked by the Security Governance Board.
By default Statsig requires authentication for access to all application entry points including Web and API, except for those intended to be public.
Data from customers is encrypted in transit. Statsig currently uses TLS to transmit authentication credentials to Statsig products.
With processes designed to enforce minimum password requirements for Statsig products, we never store passwords in the clear and always use a one-way hash to validate authentication. Email-based password reset links are sent only to a user’s preregistered and verified email address, with a temporary link
End-user account passwords stored on Statsig are hashed with a random salt using industry-standard techniques.
Statsig lets you implement Single Sign-On (SSO) through OIDC, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to Statsig using their existing corporate credentials. SSO is available on select packages only, so please consult your order form for eligibility.
Each time a user signs into Statsig, the system assigns them a new, unique session identifier that consists of 64 bytes of random data designed for protection against a brute force attack.
Statsig enforces hard and inactivity session timeouts that require re-authentication for API and direct web application access.
When signing out of Statsig, the system is designed to delete session cookies from the client and invalidate session identifiers on Statsig servers.
Statsig monitors and updates its communication technologies periodically with the goal of providing network security.
By default, all communications from your end-users and visitors are encrypted using industry standard communication encryption technology. Statsig currently uses Transport Layer Security (TLS) and updates to cipher suites and configurations as vulnerabilities are discovered.
Statsig regularly updates network architecture schema and maintains an understanding of the data flows between systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.
Statsig uses an Intrusion Detection System (IDS), Security Incident Event Management (SIEM) system and other security monitoring tools on production servers. Notifications from these tools are sent to the Security Team, who have an incident management plan to investigate, isolate and mitigate any identified events.
Statsig keeps detailed access logs of our infrastructure and products which are reviewed for events impacting security and availability. Logs are retained for forensics purposes.
Access to your data stored by Statsig is restricted to employees and contractors who have a need to know this information to perform their job function. For example, to provide customer support, maintain infrastructure, enhance product or to understand how an engineering change affects a group of customers.
Statsig currently requires the use of single sign-on, strong passwords and two-factor authentication for all employees to access production data.
Statsig has implemented several employee job controls to help protect your data:
Statsig software security practices are measured using industry-standard security models. The software development life cycle (SDLC) for our services includes many activities intended to foster security:
Statsig developed software is continually monitored and tested using processes designed to proactively identify and remediate vulnerabilities. We regularly conduct:
Statsig Service infrastructure is designed to minimize service interruption due to hardware failure, natural disaster or other catastrophes. Features include:
Statsig has an Incident Response Plan designed to promptly and systematically respond to security and availability incidents that may arise. The incident response plan is tested and refined on a regular basis.
Statsig segregates all customer data and provide strong programmatic and access controls to logically isolate your data from that of other customers.
Statsig products give you the ability to limit access to your data and configuration by defining user roles. You can invite users to your account without giving all team members the same levels of permissions. These user permission levels are especially useful when there are multiple people working on the same project.
Statsig uses industry leading cloud platforms (Azure and Amazon Web Services) to host its production services. These cloud services provide high industry standard levels of physical security. Access to these data centers is limited to authorized personnel only, as verified by biometric identity verification measures. Physical security measures for these data centers include on-premises security guards, closed circuit video monitoring and additional intrusion protection measures. We rely on their third-party attestations of physical security.