Information Security Policy
The master policy for protecting the confidentiality, integrity, and availability of the information we hold, including customer MNPI. Every other security policy derives from it.
Security & Legal
Strata models GP stakes transactions, so we hold confidential fund economics, management-company financials, and individual partner compensation — much of it material non-public information (MNPI). This page describes the controls that protect that data, states plainly what we have and have not yet built, and lists the third parties that may process customer data.
Last updated: July 2026
We document our controls as they actually operate and label what is still on our roadmap, rather than overstating our maturity. Strata is an early-stage platform; the sections below reflect where we are today.
Strata is multi-tenant and our customers are frequently competitors, so isolation is a first-order concern.
Strata keeps append-only audit logs of authentication and access events, enforced at the database layer and available to customers on request.
Strata extracts figures from uploaded documents using deterministic, rules-based extraction that runs entirely on our own infrastructure. Because that data can contain MNPI, our commitments are:
Strata generates downloadable Excel workbooks. Once a file leaves the platform it is governed by the customer's own systems; export can be restricted by role.
Strata runs on established cloud infrastructure providers (listed under Subprocessors) in access-controlled environments. Our datastore provider maintains encrypted, managed backups.
Strata is not SOC 2 certified. We do not hold ISO 27001 or any other independent security certification today, and we have not yet completed an external penetration test or a signed customer DPA program.
Our controls are modeled on the SOC 2 Trust Services Criteria, and a SOC 2 examination and independent penetration testing are planned as we scale — but they are not done. Several of our subprocessors (for example Neon and Microsoft Azure) maintain their own SOC 2 / ISO certifications; those cover their platforms, not Strata.
Plain-language summaries of the policies behind the controls above. The complete documents are shared with customers and prospects under NDA.
The master policy for protecting the confidentiality, integrity, and availability of the information we hold, including customer MNPI. Every other security policy derives from it.
How we handle personal and confidential data, including the individual economic data inherent to GP stakes, and our role as a processor acting on the customer's instructions.
The controls on how AI touches customer data: no training on customer data, enterprise zero-retention endpoints only, tenant isolation in AI workflows, and prompt-injection defenses for uploaded documents.
How access to systems and customer data is granted, reviewed, and revoked — tenant isolation, SSO and MFA, role-based least privilege, deal-level information walls, and prompt deprovisioning.
How we detect, contain, and learn from security incidents, and how and when we notify affected customers — including severity levels and breach-notification timelines.
Complete security documentation — including the internal policies summarized above — is available to customers and prospects under NDA. Contact security [at] stratagp.com to request it.
The third parties below may process customer data to operate the product. Each is bound by data-protection terms; select a name to view its agreement.
| Subprocessor | Purpose | Location |
|---|---|---|
| Vercel | Application hosting and delivery | United States |
| Vercel Web Analytics | Cookieless, aggregate product usage analytics (no PII) | United States |
| Neon | Managed Postgres database | United States |
| Cloudflare | Object storage and CDN | Global (edge) |
| Microsoft Azure | Document processing and Excel recalculation | Configured region |
| Microsoft Entra | Single sign-on (OIDC) | Configured region |
| | Single sign-on (OIDC) | United States |
| Resend | Transactional email | United States |
For security questions, documentation requests, and vulnerability reports, contact security [at] stratagp.com.