Authentication & Access
Every STOA account is protected by modern authentication standards. API keys are individually revocable and scoped to your account.
- Passwords hashed with Argon2id — the current gold standard for password hashing
- Session tokens with automatic expiry and server-side invalidation
- API keys issued with unique prefixes for easy identification and instant revocation
- Rate limiting on all authentication endpoints to prevent brute-force attempts
Data Protection
STOA processes publicly available government procurement data. Your account data, saved searches, and usage patterns are private and protected.
- All data in transit encrypted with TLS 1.3
- Account data stored separately from procurement data
- Automated backup system with encrypted off-site storage
- Weekly restore testing to verify backup integrity
Infrastructure
STOA runs on dedicated infrastructure in tier-3+ data centers with enterprise-grade physical security, redundant power, and network connectivity.
- Dedicated servers — no shared tenancy or multi-tenant cloud instances
- Continuous health monitoring with automated alerting
- Three-copy backup architecture with geographic distribution
- Automated security updates and patch management
Compliance
STOA is operated by StackCensus, based in British Columbia, Canada. We comply with Canadian privacy law and international data protection standards.
- PIPEDA compliant — Canada's Personal Information Protection and Electronic Documents Act
- GDPR-aware practices for any EU-based users
- Transparent data collection — see our Privacy Policy
- No selling of user data to third parties — ever
API Security
The STOA API is designed for secure integration with your existing systems and workflows.
- Bearer token authentication on all API endpoints
- Per-key rate limiting with usage analytics
- Request logging with anomaly detection
- CORS policy enforcement for web integrations
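The following is an added illustration, not STOA's or StackCensus's own code, of how prefixed, individually revocable API keys can be issued, stored only as a hash, and checked from a Bearer header, as the Authentication and API Security sections describe. The `stoa_` prefix, the 8-character hex lookup id, and the in-memory store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

PREFIX = "stoa_"  # hypothetical prefix; STOA's real key format is not described on the page
LOOKUP_HEX = 8    # length of the public lookup id that follows the prefix

def _digest(secret: str) -> str:
    # 256-bit random secret: plain SHA-256 suffices (Argon2id, per the page, is for low-entropy passwords)
    return hashlib.sha256(secret.encode()).hexdigest()

def _split(key: str):
    """Return (lookup_id, secret), or None if the key is not in the expected shape."""
    if not key.startswith(PREFIX):
        return None
    lookup_id, sep, secret = key[len(PREFIX):].partition("_")
    if not sep or len(lookup_id) != LOOKUP_HEX or not secret:
        return None
    return lookup_id, secret

class KeyStore:
    def __init__(self):
        self.records = {}  # lookup_id -> {"account", "digest", "revoked"}; the secret is never stored

    def issue(self, account: str) -> str:
        """Mint a key; the full key is shown to the user once and never stored."""
        lookup_id = secrets.token_hex(LOOKUP_HEX // 2)
        secret = secrets.token_urlsafe(32)
        self.records[lookup_id] = {"account": account, "digest": _digest(secret), "revoked": False}
        return f"{PREFIX}{lookup_id}_{secret}"

    def revoke(self, key: str) -> bool:
        # Instant revocation: the public lookup id alone identifies the record to flag
        parts = _split(key)
        rec = self.records.get(parts[0]) if parts else None
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def authenticate(self, authorization: str):
        """Check an 'Authorization: Bearer <key>' header; return the account or None."""
        scheme, _, key = authorization.strip().partition(" ")
        parts = _split(key.strip()) if scheme == "Bearer" else None
        rec = self.records.get(parts[0]) if parts else None
        if rec is None or rec["revoked"]:
            return None
        # constant-time comparison so timing does not leak digest bytes
        if not hmac.compare_digest(_digest(parts[1]), rec["digest"]):
            return None
        return rec["account"]
```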