01
SOC 2 Type II, ISO 27001, GDPR.
StackIQ holds a current SOC 2 Type II report covering security, availability, and confidentiality. We also hold ISO 27001 certification and are GDPR compliant. A third-party penetration test is refreshed annually.
02
What we access. What we do not.
The clearest way to think about StackIQ's data scope is in two columns: what we connect to (and read), and what we never touch.
What StackIQ accesses
- ✓ SSO (Okta, Microsoft Entra, Google Workspace): user list and SaaS app inventory, read-only
- ✓ Expense systems (Ramp, Brex, Concur, Coupa): SaaS-related transactions only
- ✓ Procurement: contract metadata, vendor list, renewal dates, owner emails
- ✓ Contract storage (DocuSign, Ironclad): metadata, contract dates, parties
- ✓ HRIS (BambooHR, Workday): current org chart for owner reconciliation only
- ✓ Vendor admin APIs: license counts and seat utilization (where supported)
What StackIQ does not access
- ✕ Customer data in your CRM (Salesforce, HubSpot)
- ✕ Support tickets in Zendesk, Intercom, Front
- ✕ Product analytics (Amplitude, Mixpanel, your data warehouse)
- ✕ Personally identifiable information beyond ownership emails
- ✕ Source code, internal documents, or knowledge bases
Customer data and PII are out of scope architecturally, not just by policy. We do not have connectors that read your CRM. Even if a malicious actor compromised StackIQ, they could not pivot into your customer data because we never had it.
03
Read-only by default. Write-back is opt-in.
Every standard StackIQ connector is read-only at the API permission level. We cannot modify a contract, change a seat allocation, or write to your procurement system. Optional write-back integrations exist for ticket creation in ITSM tools (ServiceNow, Jira) but require explicit customer enablement and additional permission scopes.
For sensitive environments, we offer a VPC-resident deployment where raw contract, user, and usage data never leaves your environment. StackIQ receives only aggregated decision metadata.