Security

Last updated: 11:27 10-04-2026

Security at CyStack

CyStack builds products that help organizations manage passwords, detect vulnerabilities, and protect sensitive data. We understand that earning our customers' trust requires holding ourselves to the highest security standards - in how we design products, operate infrastructure, and handle data.

This page describes the technical and organizational measures CyStack applies to protect customer data.

Secure by Design

CyStack embeds security throughout the software development lifecycle (SDLC):

  • Threat Modeling: Every new feature undergoes threat analysis before implementation to identify attack surfaces and define corresponding controls.
  • DevSecOps: Automated security checks are integrated into the CI/CD pipeline, including static application security testing (SAST), software composition analysis (SCA), and container vulnerability scanning.
  • Internal & External Assessments: In addition to regular internal testing, CyStack engages independent third parties to conduct external security assessments.
  • Least Privilege: All access - whether for employees or internal systems - is granted at the minimum level necessary and reviewed on a regular basis.

Encryption & Data Protection

  • In Transit: All connections to CyStack services use TLS 1.2 or higher. Weak cipher suites and legacy protocols are disabled.
  • At Rest: Customer data is encrypted using AES-256 at the storage layer.
  • End-to-End Encryption (Locker): For Locker Password Manager, vault data is encrypted end-to-end using a key derived from the user's Master Password. CyStack does not store and cannot access the Master Password or vault data in decrypted form.

Infrastructure & Operations

  • Cloud Environment: Production infrastructure is hosted on reputable cloud platforms with internationally recognized security certifications (SOC 2, ISO 27001).
  • Environment Isolation: Development, staging, and production environments are fully separated. Real customer data is never used in non-production environments.
  • Monitoring & Logging: Systems are monitored around the clock. Security events are logged and anomalies trigger real-time alerts.
  • Backup & Recovery: Data is backed up on a regular schedule, encrypted, and tested for recoverability to ensure availability.

Security Team

CyStack maintains dedicated teams responsible for each domain of security:

  • Incident Detection & Response:
    Monitoring, intrusion detection, and coordination of security incident response
  • Infrastructure & Cloud Security:
    Secure infrastructure architecture, safe configuration, and access control management
  • Product Security:
    Source code review, security design assessment, and advisory for development teams
  • Security Testing:
    Internal penetration testing, red teaming, and periodic vulnerability assessments

Privacy

CyStack is committed to protecting customer personally identifiable information (PII). Specifically:

  • Personal information provided by customers is treated with the highest level of confidentiality.
  • CyStack does not sell, rent, or trade customer personal information with any third party.
  • Data sharing with third parties, where applicable, occurs only when necessary for service delivery, governed by data processing agreements and in compliance with applicable laws.

Full details are available in CyStack's Privacy Policy.

Vulnerability Disclosure

CyStack welcomes security researchers to report vulnerabilities under Responsible Disclosure principles. If you discover a vulnerability in any CyStack product or service, please submit your report through our official Bug Bounty programs:

Response Process

  1. Acknowledgment: CyStack sends a confirmation within 2 business days of receiving the report.
  2. Triage: Our security team evaluates the severity and validity of the reported vulnerability.
  3. Remediation: Vulnerabilities are prioritized based on risk level. CyStack keeps the reporter updated throughout the process.
  4. Recognition: Valid reports are acknowledged and rewarded according to each program's policy.

CyStack requires reporters to refrain from public disclosure until a fix has been deployed and mutually agreed upon. We value every contribution that helps improve security for our products and customers.

Contact

For any security or privacy inquiries, please reach out to security@cystack.net.