At Stack Overflow, we keep our customers at the front of our mind. We build our products with you in mind, and we want you to feel absolutely secure and comfortable using them. That’s why we have completed SOC 2 audits on our hosted Stack Overflow for Teams Enterprise version.
The end result of this process is a SOC 2, Type II report that customers can request, which attests that the security controls that we say we have in place do the things that we claim that they do and meet a known standard. Right now, this report covers our hosted Enterprise solution of Stack Overflow for Teams.
We offer the following controls:
- Encryption of all storage and traffic data — at rest and in motion.
- Use your own SAML 2.0 Identity Provider (IdP) to ensure no one else sees your credentials.
- Segregated resource groups for each Enterprise customer.
What exactly is a SOC 2 Type II report?
A SOC (Service Organization Controls) 2 Type II report attests that the controls that we put in place match established and trusted requirements—including applicable international security standards—and are effective at doing what we say they are doing. The SOC 2 examines the policies and controls around security, availability, processing integrity, confidentiality, and privacy. There are two SOC 2 reports; Type I confirms sufficient and necessary controls are in place, while Type II tests control effectiveness over a sustained six month period.
To perform the review, we hired an independent security audit firm experienced in compliance standards. They requested and collected evidence of our compliance with the required controls. The controls provide defenses against security threats. We repeat this process every year, and receive an updated report every year.
What did we do to prepare for the report?
While we can’t tell you the exact controls that we put in place—we’d need an NDA from you because of our security policies—we can say that we started from a solid foundation. Our information security program has based its measures on ISO 27001, the international standard framework for information security management controls. So we had a head start.
On top of that, we’ve been tested by numerous security attacks (some of which we did to ourselves), including an attack in May 2019 that sent the engineering team to all hands on deck.
Our director of information security, Lynn Ballard, was impressed with how security-minded Stack Overflow was when she got here. We’re a company built on a community, so trust is important to us. But Ballard said that trust isn’t always enough.
“Many companies don’t build security into their processes. People at Stack Overflow really get security... What we were lacking was just the formality of documenting it, the procedure, making sure people are trained and then proving that we implement security appropriately.
We implement controls to not only show our community and customers that we’re serious about security, but to have a framework that we can measure over time to ensure we have continuous improvement in our security program. The open and honest culture we've built over the years is great, but customers are going to want more than our word, that’s where a third-party evaluation comes in and provides that peace of mind.”—
Lynn Ballard, Director of Information Security at Stack Overflow
With Stack Overflow for Teams, we’ve created the best way to collaborate and share your proprietary knowledge amongst your team. The information your organization shares there is precious and proprietary, and we make sure that information is secure from external threats.
But don’t take our word for it; we're ready to share our SOC 2 Type II report and so you can see the proof yourself.