Stonebranch Cybersecurity - Solution Brief
In today’s world, cybersecurity is of the utmost concern for individuals and businesses alike. If not handled with the highest level of care, it could lead to catastrophic effects on your business and day-to-day life.
Stonebranch follows best practices and industry standards in security, privacy, and compliance. These practices meet, and often exceed, the key technology and safety objectives we set for our employees, partners, and customers.
Our Mission and Commitment to Security
At Stonebranch, our mission is to bring the power of enterprise IT automation into everyone’s hands. We deliver secure, reliable, and resilient automation solutions while maintaining compliance with applicable United States (US) and European Union (EU) laws, regulations, and industry standards.
“Data security is a key business challenge for businesses worldwide. Our products and services meet the rigorous standards of ISO 27001:2022 and are backed by a SOC 2 Type II attestation, ensuring our customers the highest levels of security and compliance. Customers can trust our API and agent-based integrations to safely orchestrate their IT operations and break down data silos.”
Certifications & Security Assurance
At Stonebranch, security is built into the foundation of our automation platform. We design every solution in accordance with leading security and privacy laws, regulations, standards, and industry best practices. Our goal: to provide a secure, resilient, and trustworthy environment for orchestrating mission-critical workloads across hybrid, multi-cloud, and on-premises infrastructures.
SOC 2® Type II Attestation Report
Stonebranch undergoes an annual SOC 2 Type II audit, performed by independent assessors, to validate the operational effectiveness of our security controls over a 12-month period. Defined by the American Institute of CPAs (AICPA), this attestation confirms that our cloud-based SaaS solutions are designed, operated, and maintained with robust and reliable security practices.
The attestation explicitly validates compliance with the Trust Services Criteria, including:
- Security: Information and systems are protected against unauthorized access, disclosure, or damage that could compromise confidentiality, integrity, or availability.
- Availability: Systems are available and reliable for operation and use as committed.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is appropriately protected throughout its lifecycle.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in alignment with established commitments and regulatory requirements.
The most recent SOC 2 Type II report is available to Stonebranch customers upon request.
ISO/IEC 27001:2022 Certification
Stonebranch is certified to ISO/IEC 27001:2022, the internationally recognized standard for Information Security Management Systems (ISMS). This certification, granted by an independent accredited body, demonstrates that Stonebranch has a systematic, risk-based, and continuously improving approach to securing information across people, processes, and technology.
The certification validates Stonebranch’s commitment to the core principles of information security, including:
- Confidentiality: Ensuring information is accessible only to authorized individuals.
- Integrity: Safeguarding the accuracy and completeness of information and systems.
- Availability: Ensuring information and systems are accessible and usable when required.
- Privacy & Data Protection: Aligning with global data protection regulations by embedding privacy-by-design into our ISMS, ensuring personal and sensitive data is safeguarded.
- Risk Management: Identifying, assessing, and mitigating risks to protect against evolving threats.
- Continuous Improvement: Regularly reviewing, monitoring, and enhancing our ISMS to adapt to changing business, regulatory, and security requirements.
Stonebranch’s ISO/IEC 27001:2022 certificate is available to customers upon request.
Independent Penetration Testing
Stonebranch engages accredited third-party specialists to perform regular independent penetration tests on our solutions. These tests simulate real-world attack scenarios to identify and validate potential vulnerabilities, ensuring that the platform is hardened against exploitation.
Penetration testing confirms Stonebranch’s commitment to:
- Security: Verifying that applications, services, and infrastructure are protected against unauthorized access and exploitation.
- Availability: Ensuring critical services remain stable and reliable under attempted attack.
- Confidentiality: Validating that sensitive customer and system data remain safeguarded from unauthorized disclosure.
Stonebranch’s most recent penetration test reports are available to customers upon request.
Alignment with Key Regulations
Stonebranch designs its solutions in accordance with internationally recognized security, privacy, and resilience regulations. By aligning with these frameworks, we ensure that our platform is built on principles of trust, accountability, and protection.
General Data Protection Regulation (GDPR)
GDPR is the EU’s comprehensive framework governing the collection, processing, and protection of personal data. Enforceable since 25 May 2018, it strengthened individuals’ rights to privacy and harmonized data protection laws across the EU and European Economic Area (EEA) member states. Its scope extends globally, applying to any organization that handles the personal data of EU/EEA residents.
Digital Operational Resilience Act (DORA)
DORA establishes a harmonized EU framework to enhance the digital resilience of financial entities. It entered into force on 16 January 2023, with compliance required by 17 January 2025. It emphasizes robust information and communication technology (ICT) risk management, standardized incident reporting, resilience testing, and oversight of third-party ICT providers to ensure the financial sector can withstand, respond to, and recover from digital disruptions.
Network and Information Security Directive (NIS2)
NIS2 aims to strengthen cybersecurity across essential and important sectors. EU Member States must transpose NIS2 into their national laws by 17 October 2024. It requires organizations to adopt risk management and security measures and to report significant cybersecurity incidents to national authorities promptly.
Artificial Intelligence (AI)
We also recognize the growing strategic importance of AI. In preparation, Stonebranch is proactively aligning with emerging AI regulations, including:
- EU AI Act: Promoting secure, transparent, and trustworthy adoption of AI technologies.
- US Federal AI Governance and Transparency Act of 2024: Supporting responsible and transparent AI practices in line with evolving U.S. standards.
Cloud Security
Data Center
- Stonebranch data is primarily hosted in Azure and AWS data centers that have been certified as ISO/IEC 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant.
- AWS infrastructure services include backup power, HVAC systems, and fire-suppression equipment to help protect servers and, ultimately, your data.
- AWS on-site security includes security guards, fencing, security camera feeds, intrusion detection technology, and other perimeter-layer security measures.
Data Hosting Locations
Stonebranch leverages Azure and AWS data centers in the United States, Europe, and Asia Pacific. Other locations are potentially available upon request.
Encryption
Encryption in Transit
All communications with the Stonebranch Universal Automation Center (UAC) interface and APIs are encrypted via industry-standard HTTPS/TLS (TLS 1.3) over public and private networks. This ensures that all traffic between you and the UAC application is protected in transit.
Encryption at Rest
Application data is encrypted at rest in AWS using AES-256 encryption.
Third-Party Vendor Security
Onboarding Process
All new vendors go through a vetting process to ensure they meet or exceed Stonebranch’s high standards for security, privacy, and confidentiality. Vendors commit their adherence to these policies by signing a security addendum. Stonebranch will not enter into a business relationship with any vendor until the vetting process is successfully completed and the security addendum is signed.
Annual Review
Stonebranch performs annual security reviews on all vendors with any level of access to our systems or service data.
Product Application Security
Software Development Life Cycle (SDLC)
- All Stonebranch developers go through regular training to reiterate the importance of maintaining a secure SDLC program. In doing so, our teams follow directives from multiple organizations, such as the U.S. Department of Commerce National Institute of Standards and Technology (NIST).
- Static code analysis and vulnerability testing are employed at multiple levels of development to identify and resolve any potential risks prior to product release.
- Communication between all systems, both production and non-production, is encrypted to protect all data sent internally and externally. See the Encryption section above for details on encryption in transit and at rest.
- All credentials remain encrypted at all times, as do any logs that may need to be reviewed, following the same industry standards noted above, to protect the integrity of the systems.
HR Security
Employees and Third-Party Contractors
- Background checks are conducted on all new employees in accordance with local laws. These checks are also required for contractors. The background check includes criminal, education, and employment verifications.
- Stonebranch follows the principle of least-privilege access for all systems, so that no company or client personnel has access to any system they do not specifically need.
Confidentiality Agreements
All new hires are required to sign non-disclosure and confidentiality agreements.
Security Awareness Training
All employees participate upon hire and annually thereafter. All engineers receive annual secure code training. The security team provides additional security awareness updates via email, blog posts, and in presentations during internal events.
System Security
Encryption
Transport Layer Security (TLS) encryption is enabled by default on the web application access points. AWS Relational Database Service (RDS) databases for UC SaaS environments are set up with encryption both in transit and at rest.
Firewalls
Security groups are set up for each component, such as AWS EC2, RDS, and Application Load Balancer (ALB), to allow only a fixed set of ports from specific IP addresses. Customers can choose to whitelist their IPs for UC web access.
Connectivity
- AWS PrivateLink: A connectivity service that allows secure communication between your Stonebranch virtual private cloud (VPC) and other AWS services and/or on-premises networks without exposing traffic to the public internet.
- Site-to-Site Virtual Private Network (VPN): This option establishes a site-to-site tunnel from the customer’s network to the Stonebranch VPC to secure the connection from the Universal Agents (UA) deployed on the customer side to the OMS/UC. UAs on the customer’s end can be set up with IP whitelisting and certificate-based authentication.
- IP Whitelisting: Customers can provide a list of IPs to be whitelisted at the Stonebranch VPC for UC access or OMS connectivity from UAs.
Backend Access
- Backend server access is restricted and is available only to the Stonebranch cloud operations team.
- Password-based logins are disabled by default. All secure shell protocol (SSH) access must use key-based authentication.
- SSH ports are restricted and can be accessed only via Stonebranch office locations or Stonebranch internal VPN.
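The two SSH controls stated above (password logins disabled, key-based authentication required) can be verified against a server's sshd_config. The script below is an added example, not Stonebranch tooling; it assumes OpenSSH configuration syntax, ignores Match blocks, and additionally checks KbdInteractiveAuthentication, which the brief does not mention but which can re-enable password prompts if left at its default.

```shell
#!/bin/sh
# Added example (not Stonebranch's own tooling): audit an OpenSSH sshd_config
# for password logins off, public-key auth on, and keyboard-interactive off.
# Assumption: plain OpenSSH syntax; Match blocks are not evaluated.

# First uncommented occurrence of a directive wins (OpenSSH semantics);
# fall back to the documented default when the directive is absent.
sshd_value() {
  awk -v k="$2" -v d="$3" '
    $1 !~ /^#/ && tolower($1) == tolower(k) && !found { v = $2; found = 1 }
    END { print (found ? v : d) }' "$1"
}

# Print each deviation; return 0 only when every control holds.
check_sshd_hardening() {
  cfg="$1"; rc=0
  # rule format: Directive:expected:OpenSSH-default
  for rule in "PasswordAuthentication:no:yes" \
              "PubkeyAuthentication:yes:yes" \
              "KbdInteractiveAuthentication:no:yes"; do
    key=${rule%%:*}; rest=${rule#*:}; want=${rest%%:*}; def=${rest#*:}
    got=$(sshd_value "$cfg" "$key" "$def")
    if [ "$(printf %s "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
      echo "FAIL $key=$got (expected $want)"; rc=1
    fi
  done
  return $rc
}

# Constructed sample configs used only for demonstration.
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# PasswordAuthentication omitted: OpenSSH default is yes
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
EOF
cat >"$HARDENED_CFG" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
#PasswordAuthentication yes
EOF
```

Run `check_sshd_hardening /etc/ssh/sshd_config` on a host; a non-zero exit with FAIL lines shows which directive deviates from the stated controls.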
Third-Party Penetration Tests
Stonebranch works with an ethical hacker vendor to run annual penetration tests on our internal company network, as well as our cloud offering, to identify and resolve any weakness that may be exploited by unauthorized parties.
Authentication
- Username and password credentials are required to gain access to the application. It is the responsibility of the customer to manage users and ensure secure passwords are used. The UC application allows you to set up password rules for local users.
- Customers can integrate with their onsite lightweight directory access protocol (LDAP) or Active Directory (AD). Single sign-on (SSO) via security assertion markup language (SAML) can also be implemented as needed.
Vulnerability Management and Security Monitoring
- Intelligent agents are installed in each EC2 instance. The agents continuously monitor network connections, user activity, and file integrity, and notify the operations team if any anomalies or suspicious behaviors are identified. In addition, the operations team receives vulnerability alerts for any application installed on the servers.
- AWS CloudTrail is used to notify the operations team of any unusual activity. An AI-based security monitoring tool provides a detailed status of all security controls in place for the SaaS UC.
Anti-Virus and Malware
- Agents installed in each EC2 instance continuously run anti-virus and malware scans alongside intrusion detection (IDS) scans.
- This service is automatically updated with the newest security engines and definitions whenever a new vulnerability is discovered, allowing Stonebranch to provide a high level of security.
Information Security Management System Team
Role/Description | Responsibility | Team Member & Location |
---|---|---|
Information Security Officer (ISO) and Compliance Officer | The ISO is responsible for establishing and maintaining a corporate-wide information security management program to ensure that information assets are adequately protected. | Haitham Ghoneim, Frankfurt, Germany |
Data Privacy Officer (DPO) | The DPO is responsible for ensuring the protection of your personal data during collection and processing, in compliance with all applicable regulatory bodies and legal requirements. | Bojana Georgievska, Frankfurt, Germany |
About Stonebranch
Stonebranch builds IT orchestration and automation solutions that transform business IT environments from simple IT task automation into sophisticated, real-time business service automation, helping organizations achieve the highest possible Return on Automation.
No matter the degree of automation, the Stonebranch platform is simple, modern, and secure. Using Stonebranch UAC, enterprises can seamlessly orchestrate workloads and data across technology ecosystems and silos.
Headquartered in Atlanta, Georgia, with points of contact and support throughout the Americas, Europe, and Asia, Stonebranch serves some of the world’s largest financial, manufacturing, healthcare, travel, transportation, energy, and technology institutions.
UAC works in hybrid IT environments across multiple platforms and business applications in real-time. Available on-premises or as a SaaS-based deployment, UAC is a modern platform built to scale with your business.