
Security & Legal

Security at Strata.

Strata models GP stakes transactions, so we hold confidential fund economics, management-company financials, and individual partner compensation — much of it material non-public information (MNPI). This page describes the controls that protect that data, states plainly what we have and have not yet built, and lists the third parties that may process customer data.

Last updated: July 2026

Security overview

How we talk about our controls

We document our controls as they actually operate and label what is still on our roadmap, rather than overstating our maturity. Strata is an early-stage platform; the sections below reflect where we are today.

Tenant isolation

Strata is multi-tenant and our customers are frequently competitors, so isolation is a first-order concern.

  • Every record is scoped to a single tenant, and every data-access path enforces that tenant boundary before returning data.
  • Database-level Row-Level Security is forced for core tenant and deal tables, and the app sets request-scoped database claims before protected reads and writes run.
  • Within a tenant, deal-level access controls let a customer restrict individual transactions to their deal team.
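The bullets above describe forced Row-Level Security plus a request-scoped database claim. The following is an added illustration of that pattern in PostgreSQL, not Strata's own schema or code; the table, column, role and setting names (`deals`, `tenant_id`, `app_user`, `app.tenant_id`) and the UUID values are assumptions made for the example.

```sql
-- Added example (not Strata's schema): tenant isolation with Postgres
-- Row-Level Security, forced so that even the table owner is subject to it.
-- Names (deals, tenant_id, app_user, app.tenant_id) are assumptions.

CREATE TABLE deals (
    id         uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id  uuid NOT NULL,
    name       text NOT NULL
);

-- Enable RLS and FORCE it: without FORCE the table owner bypasses policies,
-- which is the usual way a "scoped" table silently leaks across tenants.
ALTER TABLE deals ENABLE ROW LEVEL SECURITY;
ALTER TABLE deals FORCE ROW LEVEL SECURITY;

-- One policy for all commands: a row is visible or writable only when its
-- tenant_id equals the request-scoped claim.
-- current_setting(..., true) returns NULL when the claim was never set, and
-- an empty string after a SET LOCAL has been rolled back; NULLIF turns that
-- empty string into NULL so the cast does not error and the comparison is
-- simply never true. An unscoped request therefore sees zero rows, not all.
CREATE POLICY deals_tenant_isolation ON deals
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The application role must not be a superuser and must not hold BYPASSRLS.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON deals TO app_user;

-- Per request, as app_user: set the claim with SET LOCAL inside the
-- transaction so it cannot leak to the next request on a pooled connection.
-- (Constructed tenant ids; the application would pass the authenticated
-- tenant via set_config('app.tenant_id', $1, true) rather than a literal.)
BEGIN;
SET LOCAL app.tenant_id = '00000000-0000-0000-0000-000000000001';
INSERT INTO deals (tenant_id, name)
    VALUES ('00000000-0000-0000-0000-000000000001', 'Fund IV stake');   -- allowed
SELECT id, name FROM deals;   -- returns only tenant ...0001 rows
COMMIT;

-- A write that names another tenant is rejected by WITH CHECK, even though
-- the role holds INSERT privilege:
BEGIN;
SET LOCAL app.tenant_id = '00000000-0000-0000-0000-000000000001';
INSERT INTO deals (tenant_id, name)
    VALUES ('00000000-0000-0000-0000-000000000002', 'wrong tenant');
-- ERROR:  new row violates row-level security policy for table "deals"
ROLLBACK;
```

The point of ordering matters: the claim is set before any protected read or write runs, and it is transaction-local, so a forgotten or failed `SET LOCAL` fails closed (no rows) rather than open.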

Encryption

  • In transit: TLS 1.2 or higher.
  • At rest: AES-256, including the Excel workbooks Strata generates.
  • Encryption keys are managed by our infrastructure providers' key management services.

Authentication and access

  • Single sign-on via OIDC (Google and Microsoft Entra) for organizations that use it. SAML and generic OIDC can be requested and configured after tenant validation.
  • Multi-factor authentication is available on all accounts, can be enforced organization-wide, and is enforced for administrators and for Strata's own organization.
  • Role-based access control (administrator, deal lead, contributor, read-only) on a least-privilege basis.

Audit logging

Strata keeps append-only audit logs of authentication and access events, enforced at the database layer and available to customers on request.
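"Append-only, enforced at the database layer" can be made concrete with two independent mechanisms: privileges that never grant the application `UPDATE`, `DELETE` or `TRUNCATE`, and a trigger that rejects those operations for any role. The block below is an added illustration in PostgreSQL, not Strata's own schema; the table and role names (`audit_log`, `app_user`) and the sample event are assumptions. Tenant scoping of the log would use the same RLS policy pattern as any other tenant table and is omitted here.

```sql
-- Added example (not Strata's schema): an append-only audit table enforced
-- in Postgres itself, so the application cannot rewrite history.
-- Names (audit_log, app_user) are assumptions; the event row is constructed.

CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    tenant_id   uuid NOT NULL,
    actor_id    uuid,
    event_type  text NOT NULL,                       -- e.g. 'login.success'
    detail      jsonb NOT NULL DEFAULT '{}'::jsonb
);

-- Layer 1, privileges: the application may only append and read.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT INSERT, SELECT ON audit_log TO app_user;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_user;

-- Layer 2, a trigger: even a role that does hold UPDATE/DELETE/TRUNCATE
-- (an operator, or a misconfigured grant) is refused. Statement-level so it
-- also fires for a DELETE that would match zero rows and for TRUNCATE.
CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only: % not permitted', TG_OP;
    RETURN NULL;   -- unreachable; satisfies the trigger function contract
END;
$$;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Appending an authentication event works (constructed values):
INSERT INTO audit_log (tenant_id, actor_id, event_type, detail)
VALUES ('00000000-0000-0000-0000-000000000001',
        '00000000-0000-0000-0000-0000000000aa',
        'login.success',
        '{"method": "oidc", "mfa": true}');

-- Rewriting fails at whichever layer is reached first:
DELETE FROM audit_log WHERE id = 1;
-- as app_user:      ERROR:  permission denied for table audit_log
-- as the owner:     ERROR:  audit_log is append-only: DELETE not permitted
UPDATE audit_log SET detail = '{}' WHERE id = 1;
-- as the owner:     ERROR:  audit_log is append-only: UPDATE not permitted
```

Because the trigger fires for the table owner as well, "append-only" does not depend on the application being well behaved; the remaining way to alter the log is to drop the trigger, which is itself a DDL event worth alerting on.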

Artificial intelligence

Strata extracts figures from uploaded documents using deterministic, rules-based extraction that runs entirely on our own infrastructure. Because that data can contain MNPI, our commitments are:

  • No customer data is sent to any third-party LLM, AI, or embedding provider. Document contents, extracted values, and search queries never leave Strata's infrastructure for AI processing.
  • We do not train any model on customer data. Customer inputs, outputs, and uploaded documents are never used to train any model.
  • Extraction and document search respect the same tenant isolation as the rest of the platform.

Exported files

Strata generates downloadable Excel workbooks. Once a file leaves the platform it is governed by the customer's own systems; export can be restricted by role.

Infrastructure

Strata runs on established cloud infrastructure providers (listed under Subprocessors) in access-controlled environments. Our datastore provider maintains encrypted, managed backups.

Data ownership and deletion

  • Customers own their data. Strata processes it only to provide the service, never for analytics, marketing, or model training.
  • Organization admins can request export, deletion, or retention changes in Settings. Destructive deletion remains reviewed by the Strata team before fulfillment.

Certifications — where we actually stand

Strata is not SOC 2 certified. We do not hold ISO 27001 or any other independent security certification today, we have not yet completed an external penetration test, and we do not yet have a signed customer DPA program.

Our controls are modeled on the SOC 2 Trust Services Criteria, and a SOC 2 examination and independent penetration testing are planned as we scale — but they are not done. Several of our subprocessors (for example Neon and Microsoft Azure) maintain their own SOC 2 / ISO certifications; those cover their platforms, not Strata.

Our policies

Plain-language summaries of the policies behind the controls above. The complete documents are shared with customers and prospects under NDA.

Information Security Policy

The master policy for protecting the confidentiality, integrity, and availability of the information we hold, including customer MNPI. Every other security policy derives from it.

Data Protection & Privacy Policy

How we handle personal and confidential data, including the individual economic data inherent to GP stakes, and our role as a processor acting on the customer's instructions.

AI Governance & Data Handling Policy

The controls on how AI touches customer data: no training on customer data, enterprise zero-retention endpoints only, tenant isolation in AI workflows, and prompt-injection defenses for uploaded documents.

Access Control Policy

How access to systems and customer data is granted, reviewed, and revoked — tenant isolation, SSO and MFA, role-based least privilege, deal-level information walls, and prompt deprovisioning.

Incident Response Policy

How we detect, contain, and learn from security incidents, and how and when we notify affected customers — including severity levels and breach-notification timelines.

Full documentation on request

Complete security documentation — including the internal policies summarized above — is available to customers and prospects under NDA. Contact security [at] stratagp.com to request it.

Subprocessors

The third parties below may process customer data to operate the product. Each is bound by data-protection terms; select a name to view its agreement.

Subprocessor          | Purpose                                                | Location
----------------------|--------------------------------------------------------|------------------
Vercel                | Application hosting and delivery                       | United States
Vercel Web Analytics  | Cookieless, aggregate product usage analytics (no PII) | United States
Neon                  | Managed Postgres database                              | United States
Cloudflare            | Object storage and CDN                                 | Global (edge)
Microsoft Azure       | Document processing and Excel recalculation            | Configured region
Microsoft Entra       | Single sign-on (OIDC)                                  | Configured region
Google                | Single sign-on (OIDC)                                  | United States
Resend                | Transactional email                                    | United States

Contact

For security questions, documentation requests, and vulnerability reports, contact security [at] stratagp.com.