Security Overview
Statey is designed with security as a foundational principle. The measures below outline how customer data is protected.
1. Data Encryption
- All connections to statey.app are enforced over HTTPS using TLS 1.2 or higher
- Data at rest is protected using AES-256 LUKS encryption
- Application-level encryption (AES-256-GCM) protects access and refresh tokens
2. Access Control
- Access to infrastructure is restricted to essential personnel only
- Secrets are stored in an enterprise password manager
- Infrastructure access is restricted to trusted networks and secured via SSH
- Support access to production systems is limited, logged, and granted only when necessary
- Staff access requires multi-factor authentication (2FA)
3. User Authentication
- User authentication mirrors Xero’s authentication and authorisation model
- User roles and permissions in Xero are reflected automatically in Statey
- Authentication and authorisation are delegated to Xero, including configured 2FA policies
4. Monitoring and Audits
- Hosts are enrolled in XDR and SIEM monitoring
- Secure configuration is assessed against NIST-800 standards
- Security events, integrity changes, and vulnerabilities are monitored
- Source code undergoes static analysis within CI/CD pipelines
5. Backups and Disaster Recovery
- Daily backups are performed
- Full system restoration is targeted within approximately six hours
6. Updates and Patching
- Application updates are managed via CI/CD pipelines
- Server-level patching is performed monthly using automated tooling