Security practices
Data security
- Data center: Steep’s application and databases are hosted on the Google Cloud Platform (GCP) in European data centers.
- Backups enabled: Steep is hosted by GCP and stores customer data using managed databases. By default, GCP provides durable infrastructure to store important data and is designed for durability of 99.9% of objects. Automated backups of all customer and system data are enabled, and data is backed up daily at minimum. The backups are encrypted in the same way as live production data.
- Data erasure: Steep customers are Controllers of their data. Each customer is responsible for the information they create, use, store, process and destroy. Steep customers have the ability to request data deletion or self-serve their own deletion when the data is not subject to regulatory or legal retention period requirements. Please refer to our Privacy Policy and Data Processing Addendum for more information.
- Encryption at rest: Customer data is encrypted at rest using AES-256. Customer data is encrypted at rest in cloud storage, database tables, and backups.
- Encryption in transit: Data sent in-transit is encrypted using TLS 1.2 or greater.
- Connected data: Steep uses a principle of Minimal Processing for customers’ connected data (i.e. a connected data warehouse) and only extracts the results of database queries (aggregated data) that are needed to deliver the service. Cached data is automatically deleted after the retention period.
- Physical security: Steep leverages GCP to host our application, and defers all data center physical security controls to them. Please refer to the GCP physical security controls here.
Application security
- Secure software development lifecycle / SDLC: Steep uses a defined SDLC to ensure that code is written and deployed securely. During the design phase, security threat modeling and secure design reviews are performed for new releases and updates. During development, we apply coding standards, secure architectural principles and perform peer reviews. After code completion, all significant product changes are verified in a pre-production environment. We then follow a standardized and automated release process to perform controlled deployments.
- Vulnerability & patch management: Steep performs vulnerability scanning and package monitoring on all of the company’s software products continuously. Externally and internally facing services are patched on a regular schedule. Any issues that are discovered are triaged and resolved according to their severity within Steep’s environment.
- Credential management: Steep uses a third-party Key Management Service (KMS) that manages key generation, access control, secure storage, backup, and rotation of keys. Cryptographic keys are assigned to specific roles based on least-privilege access, and keys are rotated yearly. Usage of keys is logged.
- Authentication: Steep uses a trusted third-party identity management service for all user authentication. We only allow SSO-based authentication (via Google, Apple and Microsoft) and we do not store or use any user passwords ourselves.
Organizational security
- Employee training: Security training is required during the employee onboarding process, and annually thereafter. Employees also must read and acknowledge Steep’s Security policy.
- Incident response: Steep has an incident management plan which contains steps for preparation, identification, containment, investigation, eradication, recovery, and follow-up/postmortem, and which is reviewed and tested at least annually.
- Internal assessments: Internal security audits are performed at least annually at Steep.
- Internal SSO: Multi-factor authentication (MFA) is required for all Steep’s employees to log into all internal tools and services where MFA is available.
- Disk encryption: Employee laptops have disk encryption enabled for protection.
Access control
- Data access: Steep internally leverages the Principle of Least Privilege (PoLP) for access. Access is granted based on job function, business requirements, and a need-to-know basis. Access reviews are conducted on a set frequency to ensure that continued access to critical systems is still required.
- Connected data access: Steep employees do not have access to customers’ connected data. Database connection keys and passwords are stored encrypted in our system. Connected data needs to be shared explicitly with Steep employees if required for customer support.
- Password security: Steep requires MFA to be enabled for any and all systems that provide the option for MFA. Where MFA is not available, Steep maintains a stringent internal password management policy, including complexity and length requirements.
Infrastructure
- Infrastructure security: Steep’s infrastructure is hosted by GCP in a fully redundant, secured environment. GCP maintains a list of reports, certifications, and third party assessments to ensure best security practices. For more information on GCP compliance, please see here.
- Anti-DDoS: Steep leverages third-party applications for DDoS protection.
- Monitoring: Steep uses a third-party service for monitoring and automatic alerts on our infrastructure. Event notifications are communicated to our security staff in real-time.
- Separate production environment: Customer data is never stored in non-production environments. Customer accounts are logically separated in our production environment. We have separate development, testing and production environments.
Product security features
- SSO: Steep provides Single Sign-On (SSO) functionality for customers to access the product through established identity providers, including Google, Apple and Microsoft.
- MFA: Steep supports multi-factor authentication (MFA) by allowing customers to enforce this via their Google, Apple and Microsoft accounts.
- Audit log: Steep gives customers on team and business plans access to information about security and safety-related activity. This can include identifying potential security issues, investigating suspicious behavior, and troubleshooting access. Information is given on a per-request basis.
- Manage permissions: Steep allows workspace owners to control permission levels so that users view and interact with content exactly the way the owner intends. This includes permission control for metrics, teams and reports.
- Database connections: Access to connected data can be controlled by using dedicated database accounts for the connection, and applying data access controls in the connected database.
- Admin control: Steep provides workspace admins additional management tools to control workspace settings, database connections, metrics, teams and members.
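One way to apply the dedicated-account approach from the "Database connections" item above, as an added example that is not part of Steep's documentation: the integration account is given a read-only role that can only query an aggregated view, matching the Minimal Processing model described under "Connected data". It assumes a PostgreSQL warehouse; the role, database, schema, table and view names, and the password placeholder, are all assumptions.

```sql
-- Added example, not Steep's own provisioning script. Assumes PostgreSQL;
-- the names below (steep_reader, warehouse, reporting, orders) are placeholders.

-- 1. A login role used only by the integration, capped on concurrent connections
--    and unable to create databases or other roles.
CREATE ROLE steep_reader LOGIN PASSWORD '<placeholder-generated-secret>'
  CONNECTION LIMIT 5 NOINHERIT NOCREATEDB NOCREATEROLE;

-- 2. Remove the privileges PUBLIC receives by default, so the role sees
--    nothing it was not explicitly granted, then allow it to connect.
REVOKE ALL ON DATABASE warehouse FROM PUBLIC;
GRANT CONNECT ON DATABASE warehouse TO steep_reader;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- 3. Expose only an aggregated view in a dedicated schema, never the
--    underlying fact table.
CREATE SCHEMA reporting;
CREATE VIEW reporting.daily_revenue AS
  SELECT order_date,
         SUM(amount) AS revenue,
         COUNT(*)    AS orders
  FROM public.orders
  GROUP BY order_date;

GRANT USAGE ON SCHEMA reporting TO steep_reader;
GRANT SELECT ON reporting.daily_revenue TO steep_reader;
-- No grant is made on public.orders itself. A PostgreSQL view executes with
-- its owner's privileges, so the role can read the aggregate but cannot
-- select the row-level data behind it.

-- 4. Limit the impact of a runaway query and make the session read-only
--    even if a writable grant is added by mistake later.
ALTER ROLE steep_reader SET statement_timeout = '60s';
ALTER ROLE steep_reader SET default_transaction_read_only = on;

-- 5. Verification queries for the access review: the first checks the raw
--    table, the second the aggregated view, for the integration role.
SELECT has_table_privilege('steep_reader', 'public.orders', 'SELECT');
SELECT has_table_privilege('steep_reader', 'reporting.daily_revenue', 'SELECT');
```

Re-running step 5 on a set frequency is a cheap way to confirm that later schema changes have not widened the integration account's reach.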