Get started with a free trial today
Already have an account? Sign in
Stitch gives you the power to secure, analyze, and govern your data by centralizing it into your data infrastructure. Our most important job is to keep your data safe along the way.
Stitch’s secure infrastructure is a closed network protected by multi-factor authentication and accessible only to qualified members of our engineering team. On the rare occassion that a Stitch engineer needs to read or move data to investigate an issue, your data will never leave our infrastructure.
Additionally, all members of the Stitch team - not just engineers - have signed non-disclosure agreements.
Stitch stores some PII (Personal Identifiable Information) related to your account. This PII is provided during signup and includes:
The only PII that goes through Stitch is the data sent from your source. This data is not stored outside of ourretention window.Additionally, Stitch collects performance metrics, but these do not include any customer-provided information. Stitch also stores table names for functional reasons.
Stitch supports Single Sign-On (SSO), which allows you to securely grant members of your team access to Stitch by internally managing their credentials. Stitch currently supports the following Identity Providers (IdP):
The SSO feature is available on all Stitch plans.
Stitch’s integrations use the minimum permissions that allow read access to necessary data and can be configured by users to replicate only a subset of available data.
However, the permissions Stitch requires to successfully pull your data will depend on the database or SaaS application’s permission structure. In some cases, we only need read-only permissions to pull all the data required - in others, we need what amounts to full access.
Regardless of the level of permissions we request for an integration,we will only ever read your data. Any permissions beyond the scope of read-only will not be used.
To ensure Stitch remains visible in logs and audits, we recommend creating a dedicated Stitch user as a best practice.
Stitch’s destinations use the minimum permissions that allow Stitch to successfully load data into your destination. In most cases, Stitch requires the ability to create schemas, tables, columns, and to read and insert data.
The specific permissions Stitch requires are different for each destination. Refer to the documentationfor your destination for more info.
The following table contains info about Stitch’s level of compliance or certification with various security regulations and programs:
| Type | Compliant/ Certified | Stitch plan | Notes |
| FedRAMP | Not applicable | Stitch isn’t currently certified with the Federal Risk and Authorization Management Program (FedRAMP). | |
| GDPR | All plans | Stitch is fully compliant with the European Union’s Global Data Protection Regulation, or GDPR. TheStitch Terms of Use includes a Data Processing Addendum (DPA) that enacts standard contractual clauses set forth by the European Commission to establish a legal basis for cross-border data transfers from the EU. TheStitch Privacy Policy also includes specific GDPR requirements. Learn more about Stitch’s effortsin this blog post. Additionally, Stitch supports selecting the region in which you’d like your account’s replicated data to be processed. Refer to theData processing section for more info. | |
| HIPAA | Advanced plans | Stitch can replicate data in a HIPAA-compliant manner as part of an Advanced or Premium plan. To learn more about replicating data subject to Health Insurance Portability and Accountability Act (HIPAA) regulations with Stitch, contact theStitch Sales team. Note: There are requirements outside of Stitch configuration that must be completed to ensure compliance. Reach out toStitch Sales before replicating any sensitive data. | |
| PCI | All plans | Stitch doesn’t currently support replicating data in a PCI-compliant manner. To log feedback about replicating data subject to PCI requirements, reach out to our [support team] ( https://community.qlik.com/t5/Support/ct-p/qlikSupport). However, all payment information submitted through Stitch’s billing interface to pay for your subscription is handled in a PCI-compliant manner. | |
| Privacy Shield | All plans | Stitch is certified under theUS-EU and US-SWISS Privacy Shield Programs, meaning any EU or Swiss data transfer will be handled in accordance with the principles laid out in the Privacy Shield Framework. For more information on Privacy Shield, check out the previous link orthis FAQ on the program. | |
| SOC 2 | All plans | Stitch has been certified compliant with the SOC 2 security, availability, and confidentiality principles by an independent auditor. The audit report can be requested by contactingStitch Sales. |
Stitch offers several secure options for creating connections to integrations and destinations:
Refer to theData encryption guide for more info.
TheData pipeline region setting, defined when you create a Stitch account, controls the region where Stitch-hosted data centers process replicated data.
Note: TheData pipeline region setting only affects the replication of data in your Stitch account, specifically extracting, preparing, and loading data into your destination. All other processes and data, such as billing, reporting, and other metadata, are not affected by your account’s data pipeline region. Data and metadata related to these processes will be processed using Stitch’snorth-america region.
Refer to theSupported Data Pipeline Regions documentation for more info.
To ensure we meet our most important service-level target - don’t lose data - replicated data may be retained in Stitch’s system for a short period of time. Stitch automatically deletes data when it is no longer needed for replication.
During thePreparing phase of the replication process, Stitch buffers extracted data in its internal data pipeline and readies it for loading. This phase consists of the following steps:
| Step name | Maximum retention period | Description |
The Pipeline | 7 days | Stitch uses Apache Kafka and Amazon S3 systems spanning multiple data centers to durably buffer the data received by the Import API. Data is always encrypted at rest, and automatically deleted from the buffer before the maximum retention period for this step. |
The Streamery | 30 days | The Streamery reads data from the Pipeline and separates, batches, and prepares it for loading. Prepared data is encrypted, separated by tenant (Stitch account) and data set, and written to Amazon S3 to be loaded. Most data is loaded within minutes, but if a destination is unavailable, it can stay in S3 for up to 30 days before being automatically deleted. |
To summarize, all data that Stitch processes for customers will be deleted from our systems within 30 days.
If your database(s) or SaaS account(s) have been hacked, we recommend that you:
Our team can help you remediate any data issues that might have occurred as a result of the breach.
If our team verifies a security vulnerability in our system, our first priority is to prevent its exploitation. After it’s contained, we do a thorough analysis to determine the scope of impact and notify affected users within 24 hours.
If you believe you’ve found a security vulnerability in Stitch, we encourage you to let us know right away by emailingsecurity@stitchdata.com. We request that you do not publicly disclose the issue until we have a chance to address it. We won’t pursue legal action as long as you make a good-faith effort to avoid privacy violations and destructive exploitation of the vulnerability.
We will respond as quickly as we can and reward the confidential and non-destructive disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our users’ data (such as bypassing our login process, injecting code into another user’s session, or acting on another user’s behalf) with some swag. Other issues may be rewarded at our discretion.