Security at stella

stella handles privileged legal data. Security is a core design constraint across the product. We design around least privilege, workspace isolation, and encryption for the parts of the system that handle customer data.

We are currently in beta.

Please treat the beta preview accordingly while we harden the product, documentation, and operational controls. Stable v1 will be announced in the future. Do not upload sensitive, privileged, personal, irreplaceable, or production-critical data. The service is offered as a demo.

Principles

Open source foundation

Open source, standard formats, full export, and self‑hosting support. You choose how stella runs and where data lives.

Your data, your rules

Self‑host on your infrastructure or use our managed cloud. You choose where data lives.

Least privilege

Workspace isolation, role‑based access, and tenant‑scoped queries at every layer of the stack.

Controls

Organization

  • Password policy enforced
  • Multi‑factor authentication
  • Role‑based access control
  • Session management and timeouts

Network

  • TLS 1.2+ for all connections
  • VPC‑isolated infrastructure
  • WAF and DDoS protection
  • No public database endpoints
  • VPC flow logging (365‑day retention)

Data

  • AES‑256 encryption at rest
  • Encryption in transit (TLS)
  • Tenant‑isolated data storage
  • Automated backups with PITR
  • KMS key rotation enabled
  • EBS encryption by default (account‑wide)

Application

  • Input validation at boundaries
  • CSRF and XSS protection
  • Dependency vulnerability scanning
  • Audit logging for mutations
  • IMDSv2 enforced (SSRF protection)

AI

  • Currently bring your own key (BYOK)
  • AI requests are sent to the provider you configure
  • Review your provider’s terms, retention settings, and data‑use policy before enabling AI features

Monitoring

  • GuardDuty threat detection
  • CloudTrail audit trail (all regions)
  • Security Hub (CIS 3.0 benchmark)
  • Prowler scanning (SOC‑2, ISO‑27001)
  • IAM permission boundaries

Subprocessors

Provider                         | Purpose                                          | Region
Amazon Web Services              | Cloud infrastructure, RDS PostgreSQL, S3 storage | Customer-selected
Customer-configured AI providers | AI model inference when BYOK is enabled          | Provider-dependent
PostHog                          | Product analytics                                | EU