Technology
Technology Meets Benefits
A unique benefit technology platform
Sterling’s technology platform augments the expertise of our clients. As a third-party administrator of group benefit plans, Sterling has access to millions of data points on benefit experience within the Canadian market. Sterling leverages this data along with customer feedback to deliver unparalleled solutions for our clients.
- Data-driven insurance product selection: we create benefit plans with the best design, placed with the right carrier based on industry, past experiences and recent pricing trends.
- Using data to deliver sustainable pricing: we leverage data rather than narratives to ensure that carriers are competitive in their plan renewal calculations.
- Paperless onboarding: our proprietary technology platform makes for simple enrollment and an end-to-end intuitive HR administration tool.
- Integration Capabilities: In addition to our advanced platform features, Sterling’s platform offers seamless integration with HRIS (Human Resources Information System), payroll systems, and insurance carriers. Our feeds connect across one platform, maintaining plan design, member details and member changes effortlessly.
Trust Center
Security
Governance
Sterling’s Chief Information Officer leads the technical security and compliance functions, supported by operations, product, engineering, and legal. Additionally, we practice continual compliance with Trustero.
Locale, Failover, and Disaster Recovery
Proudly Canadian. 🇨🇦
SCBConnect is hosted within Canada, inside the Amazon Web Services (AWS) CA-Central-1 region, and Availability Zone failover is tested regularly. Additionally, out of region backups are performed via continuous replication to the CA-West-1 region, and disaster recovery testing out of region is conducted at least annually.
Security Policy
Sterling’s Acceptable Use Policy applies to all Sterling employees and contractors. In addition to requiring multi-factor authentication, Sterling utilizes a number of techniques generally called “Conditional Access” to ensure the integrity of the devices used to access Sterling systems, and validates that they have active anti-virus, firewall, screen locks, and on-disk encryption.
All activity on Sterling systems is logged, with a variety of third party threat detection and remediation tools applied.
Sterling is a remote-first organization, with a Zero Trust network security model.
Cyber Security Risk Management
Sterling undergoes internal, source code supply chain, and vendor risk assessments to identify areas of risk, and to identify areas where additional security controls may be needed.
Sterling has adopted market-leading security solutions not only for our portal, SCBConnect, but also for back-office systems, where we leverage Microsoft Purview Data Loss Prevention, Audit, and Insider Risk Management, including Information Rights Management.
Sterling receives a number of feeds on current and emerging cyber threats, and has an optimized and adaptive response to the same.
Application Security
The Sterling Portal, SCBConnect, utilizes a secure development framework, as well as a number of third-party tools using techniques such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST), which are performed for every build and deployment, in addition to annual third-party penetration testing.
Vulnerabilities in the software supply chain are identified and tracked to remediation via container scanning, source code scanning, and other techniques.
Our production environment is continually analyzed and scanned by a number of third-party tools, such as AWS GuardDuty and AWS Macie (for Data Loss Prevention), in addition to a number of in-house and open source tools (such as Steampipe compliance monitoring).
Data Encryption
All data is encrypted in transit (by using industry standard SSL) and at rest, typically using AES-256, with AWS KMS as the key manager.
Security Awareness
Sterling has partnered with KnowBe4 for information security training for all employees and contractors, including simulated phishing tests.
All Sterling developers receive OWASP Top 10 training annually.
Privacy
Our privacy policy is available at https://selfservice.sterlingcapitalbrokers.com/privacy_policy?locale=en-CA
Sterling meets and exceeds the requirements of PIPEDA, which is Canadian law.
For questions about privacy, please contact privacy@sterlingbrokers.com
Assessment
Sterling undergoes annual SOC 2 assessments, which demonstrate our focus on protecting our customers’ data.
Sterling is presently working towards ISO 27001 certification, targeting the first half of 2025.
Auditors’ reports are available under NDA; please reach out to your account representative for more information.
Best Practices
Best Practice Recommendations
Sterling notification emails will always come from an @sterlingbrokers.com or @sterlingcapitalbrokers.com domain.
Not sure about an email? Call Sterling Support +1 (877) 793-7222
Sterling utilizes industry standard email authentication techniques such as DKIM, SPF, and DMARC. Emails are encrypted by default, both inbound and outbound, using opportunistic TLS encryption, which is standard and default from all major email providers.
Sterling requires 2FA for all member and administrator logins, with an email challenge.
Sterling understands industry standard Traffic Light Protocol for disseminating sensitive information.
IP Access Restrictions
As this is a cloud-based, dynamic service, please see https://ip-ranges.scbconnect.cloud/ for Sterling’s present IP address ranges.