Security Statement


Our customers trust us with access to sensitive and valuable data to do our jobs. We take this responsibility very seriously. This document outlines our policies for being responsible stewards of this data.

Please send any questions or comments to

Our Security Philosophy

At Stepsize, we hold ourselves to a set of principles that guide every engineering and operational decision.

We treat your data like our data

We share our own internal business data with 3rd parties and expect them to adhere to a high level of security standards. We hold ourselves to this same level.

We follow industry best practices

The overwhelming majority of security issues can be avoided by following industry best practices: password policies, anti-virus software, encryption, access control. We adhere to them.

Policy Details

Access Control

Data access is controlled on a need-to-know basis based on an employee's responsibilities. Two-factor authentication is used for all cloud services when available.


All data in transit is encrypted using TLS.

Data Storage & Sharing

All customer data and our own data is stored on Amazon Web Services, and we do not share customer data with any other 3rd parties without a written agreement.

Access Levels for Stepsize Integrations

In order to derive maximum value from Layer and other Stepsize products like our Better Git Blame package for Atom, users can set up integrations with tools such as GitHub or Jira. Even though some tools, like Jira, group read & write access permissions into the same ACL, Layer only uses read access for any of these integrations.

Personally Identifiable Information

The only personally identifiable information Stepsize will get access to is the GitHub account information that you provide when signing up. This, along with our logs, will never be shared with any third party.

Malware & Anti-virus protection

We install malware and anti-virus protection software whenever prudent based on risk and best practices.

Incident Management Procedure

We will notify customers about any confirmed security or privacy breach as soon as possible. We provide assessment and mitigation reports within:

  • 24 hours for critical events
  • 2 business days for non-critical events


Stepsize understands the importance of ensuring the privacy of your personally identifiable information. For more information, please see our Privacy Policy.