Sterling

Security at Sterling

Enterprise-grade infrastructure and operational practices designed to keep your data safe.

ISO 27001 alignedSOC 2 alignedPCI-DSS SAQ-AGDPR ready

Last updated: April 18, 2026

Our Approach

Sterling is built on audited, enterprise-grade infrastructure. Our operational practices are designed to be consistent with industry frameworks including ISO 27001/27002 and SOC 2. While Sterling itself is not yet independently certified against these frameworks, the subprocessors that host and process your data are — and we inherit their controls by design.

Trusted infrastructure

Audited subprocessors

Sterling runs entirely on providers that maintain active third-party security attestations. Each link goes to their public trust center.

Vercel

Application hosting & edge network

SOC 2 Type 2ISO 27001HIPAAPCI-DSS

Neon

Managed Postgres database

SOC 2 Type 2ISO 27001HIPAAGDPR

Amazon Web Services

File storage (SEC filings)

SOC 1/2/3ISO 27001PCI-DSSFedRAMP

Stripe

Payments & subscriptions

PCI-DSS Level 1SOC 1/2

Defense in depth

How we protect your data

Controls applied at every layer — from the infrastructure up through the application.

Data Protection

  • TLS 1.2+ encryption in transit
  • AES-256 encryption at rest (provider-managed)
  • Secrets stored in Vercel's encrypted env vars, never in source
  • Continuous backups via Neon point-in-time recovery

Access & Authentication

  • MFA enforced on all provider accounts
  • Principle of least privilege for admin access
  • User auth via Auth.js with industry-standard hashing
  • Passwords never stored in plaintext

Operational Security

  • GitHub with branch protection & required reviews
  • Automated dependency vulnerability scanning
  • Immutable, atomic deploys with instant rollback
  • Continuous production backups

Payment Security

  • All payments processed by Stripe (PCI-DSS Level 1)
  • Sterling never stores or transmits raw card data
  • Integration falls under PCI-DSS SAQ-A
  • Webhook signatures verified on every event

Financial data sources

The financial information displayed on Sterling is sourced from public SEC filings, Financial Modeling Prep, and Yahoo Finance. This is publicly available information about publicly traded companies. Sterling does not collect or process non-public material information.

Found a vulnerability?

If you believe you've found a security issue in Sterling, please report it responsibly. We aim to acknowledge reports within 48 hours. Please don't publicly disclose until we've had a reasonable chance to investigate and address it.

security@asksterling.ai

Questions about our security practices?

For general questions or vendor-review documentation, reach out to hello@easyreps.app.

Privacy PolicyTerms of ServiceContact