Enterprise-Gradesecurityyoucanverify
Security Controls
Infrastructure Security
- Unique production database authentication enforced
- Encryption key access restricted
- Unique account authentication enforced
Organizational Security
- Asset disposal procedures utilized
- Production inventory maintained
- Portable media encrypted
Product Security
- Data encryption utilized
- Control self-assessments conducted
- Penetration testing performed
Internal Security Procedures
- Continuity and disaster recovery plans established
- Continuity and disaster recovery plans tested
- Cybersecurity insurance maintained
Data and Privacy
- Data retention procedures established
- Customer data deleted upon leaving
- Data classification policy established
Frequently asked questions
Need our SOC 2 report or ISO 27001 attestation? Request it in our Trust Center or send us an email at [email protected].
For details on how we handle personal data and adhere to U.S. and global privacy regulations, see our Privacy page.
Subtotal is SOC 2 Type II compliant and ISO/IEC 27001:2022 certified. We undergo regular audits to maintain compliance.
All data is encrypted at rest with AES-256 and in transit with HTTPS/TLS 1.2+. Sensitive data is also encrypted at the application level.
We isolate production in a secure VPC, separate production and non-production environments, enforce MFA, and tightly limit direct access.
Yes, we conduct regular independent penetration tests and use tools like AWS Inspector and Vanta to proactively address vulnerabilities.
We embed security reviews, code reviews, and testing throughout our development lifecycle to minimize vulnerabilities.
We perform background checks, require signed policies and NDAs, and provide annual security awareness training.
We apply the principle of least privilege, review access quarterly, and revoke it immediately when no longer required.
We maintain a formal Incident Response Plan, validate it annually through third-party assessments, and ensure timely response to incidents.
All vendors undergo a security assessment before engagement, with periodic reviews and secure data handling at termination.
We review and test our BC/DR plan annually and conduct post-mortems to identify and address gaps.
Stripe processes all payments on our behalf. We never store payment details.