Infrastructure
Three copies. Two clouds. Zero guesswork.
Every security control we use is documented, tested, and explained in plain language. AES-256 encryption, 3-2-1 redundancy across AWS and Google Cloud, and weekly automated integrity checks on every account.
3-2-1 Redundancy
Three copies. Two providers. One local.
The 3-2-1 backup rule is an industry-standard architecture endorsed by NIST and used by enterprise storage operations worldwide. We implement it for every client regardless of tier.
The local copy syncs nightly to both cloud providers via encrypted Rclone. AWS replicates to a second region automatically.
Security Concepts
What every security term actually means
We use industry-standard terminology because it is precise and auditable. Here is exactly what each term means for your data.
AES-256 (Advanced Encryption Standard with a 256-bit key) is the same encryption standard used by the U.S. federal government for classified information. When your data is stored on disk in any of our cloud buckets, it is transformed into ciphertext that is unreadable without the encryption key. Only authorized processes and personnel can access the plaintext.
Applied to all tiers

Transport Layer Security (TLS) ensures that data moving between your systems and our cloud storage cannot be intercepted or read in transit. All connections to AWS S3 and Google Cloud Storage are enforced over TLS. Any connection attempt over an unencrypted channel is rejected at the network layer.
Enforced at network layer

AWS offers two models of server-side encryption. SSE-S3 uses AWS-managed keys and is applied by default. SSE-KMS uses AWS Key Management Service with customer-managed keys, giving you explicit control over key rotation and access policy. HIPAA-tier clients receive SSE-KMS so all key usage is logged and auditable.
HIPAA tier uses KMS

AWS S3 versioning preserves every version of every object in your bucket. If a file is modified, overwritten, or accidentally deleted, the previous version remains intact and retrievable. This protects against ransomware that attempts to overwrite files and against accidental deletion by any party.
Enabled on all primary buckets

AWS Identity and Access Management (IAM) controls who can access what within your storage account. Each client receives a dedicated IAM user scoped exclusively to their bucket with no cross-account permissions possible. Policies define the minimum necessary access required for operations, and multi-factor authentication is required for all privileged actions.
Scoped per client

Multi-factor authentication (MFA) requires a second form of verification beyond a password before access is granted. We enforce MFA on every IAM user associated with your account. Even if a password were compromised, access to your storage buckets would remain protected by the second factor.
Required on every account

AWS S3 access logging records every request made to your bucket: who accessed it, when, from which IP address, and what action was taken. These logs are written to a separate isolated bucket and are retained as part of your audit trail. They are available for compliance reviews, dispute resolution, or security investigations.
Business and above

Rclone crypt wraps any cloud storage remote with an additional encryption layer applied before data leaves your local environment. Files are encrypted on the operator machine before upload, meaning neither AWS nor Google Cloud ever sees plaintext data. The encryption key never leaves the Stoneline environment and is stored in a hardware-secured password vault.
Available on all tiers

AWS CloudWatch monitors your storage buckets for unusual activity patterns: unexpected large deletions, access from unfamiliar IP ranges, or volume spikes that deviate from your baseline. Alerts are configured to notify the Stoneline operator immediately, enabling rapid investigation and response before an incident affects your data.
Small Business and above

Integrity verification compares the cryptographic checksums of files in your local copy against the checksums of your cloud copies. If any file has been silently corrupted, truncated, or altered in transit, the mismatch is detected. We run weekly checks on active plans and quarterly checks on cold archives, and report results in your monthly verification document.
All tiers, automated

A retention policy defines how long data must be kept before it can be deleted. For regulated clients, this may be mandated by law: HIPAA requires medical records to be retained for a minimum of six years from creation or from the last date of service. We document and enforce your retention schedule and prevent deletion until the required period has elapsed.
Legal and HIPAA tiers

Amazon S3 Glacier is a long-term archival storage class designed for data that needs to be preserved but is rarely accessed. Storage costs are significantly lower than S3 Standard. We automatically transition replica bucket objects to Glacier after 30 days, reducing ongoing costs for clients with large or growing archives while maintaining full redundancy.
Cold Archive and replica buckets

How It Works
What happens at every step
From initial onboarding to monthly verification, here is the documented process that runs on your account.
A dedicated IAM user and S3 bucket are created in your name. The bucket blocks all public access, versioning is enabled, and default encryption is applied. A matching GCP project and service account are created and scoped to your storage bucket only. No shared infrastructure.
Server-side encryption is enabled at the bucket level. For HIPAA-tier clients, AWS KMS customer-managed keys are configured with a dedicated key per client. Rclone crypt is configured for client-side encryption before upload, so plaintext never reaches the cloud provider.
Rclone syncs your local data to both AWS and GCP nightly at 2:00 AM. A dry-run is performed first to detect anomalies before any live transfer. Logs from every sync pass are written to your client folder and stored for 90 days.
Your primary AWS bucket in us-east-1 automatically replicates to a replica bucket in us-west-2. This replication is managed by AWS and runs continuously. Replica objects transition to S3 Glacier after 30 days to reduce long-term storage cost.
Every Sunday, Rclone compares the checksums of your local copy against your cloud copies and logs any discrepancies. A clean check means your three copies are identical. Any mismatch triggers immediate investigation and resolution before your monthly report is issued.
At the end of each month you receive a plain-language written report confirming: last successful sync date for AWS and GCP, storage used versus allocated, integrity check result for the month, any alerts raised and how they were resolved, and current bucket encryption status. This report is suitable for compliance documentation.
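The weekly integrity check described above, sketched as an added example (not Stoneline's own tooling): it hashes every file in a local directory with SHA-256 and compares the result against two directories standing in for the AWS and GCP copies, reporting missing, unexpected and mismatched files. The directory layout, file names and function names are assumptions, and the sample data is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:  # read in 1 MiB chunks, never the whole file
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest

def compare(reference: dict, copy: dict) -> dict:
    """Classify every difference between the reference manifest and one copy."""
    return {
        "missing": sorted(reference.keys() - copy.keys()),
        "unexpected": sorted(copy.keys() - reference.keys()),
        "mismatch": sorted(p for p in reference.keys() & copy.keys() if reference[p] != copy[p]),
    }

def verify_copies(local: Path, copies: dict) -> dict:
    """Compare the local copy against each named copy; returns one diff per copy."""
    reference = build_manifest(local)
    return {name: compare(reference, build_manifest(root)) for name, root in copies.items()}

def is_clean(report: dict) -> bool:
    """True only when no copy has a missing, unexpected or mismatched file."""
    return not any(paths for diff in report.values() for paths in diff.values())

def demo() -> dict:
    """Constructed sample: three directories stand in for local, AWS and GCP."""
    files = {"ledger.csv": b"id,amount\n1,100\n2,250\n", "scans/contract.pdf": b"%PDF sample"}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for name in ("local", "aws", "gcp"):
            for rel, data in files.items():
                target = base / name / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        # Simulate silent truncation in one copy and a lost object in the other.
        (base / "aws" / "ledger.csv").write_bytes(files["ledger.csv"][:-4])
        (base / "gcp" / "scans" / "contract.pdf").unlink()
        return verify_copies(base / "local", {"aws": base / "aws", "gcp": base / "gcp"})

if __name__ == "__main__":
    for copy_name, diff in demo().items():
        print(copy_name, "CLEAN" if is_clean({copy_name: diff}) else diff)
```

A copy counts as clean only when all three lists are empty, so a file that vanished from one provider is flagged just as a corrupted one is.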