Your data stays inside your organization
Core tenant and deal tables enforce database Row-Level Security, with request-scoped claims and deal-level access controls.
Security at Strata
Your GP stakes deal work can include confidential fund economics, management-company financials, partner economics, and MNPI. Strata is built to keep that work separated, controlled, and accountable across the platform.
Defense in depth
Invitation + MFA
Org + deal roles
Database RLS
Core tenant and deal tables enforce database Row-Level Security, with request-scoped claims and deal-level access controls.
Customer data is protected with TLS 1.2 or higher in transit and provider-managed AES-256 encryption at rest.
External assistant processing is off by default and requires organization-specific approval evidence before use.
Authentication, access, changes, downloads, and collaborator activity produce append-only audit events.
Protection across the data path
From sign-in and document intake through access, monitoring, export, and recovery, each control addresses a specific part of the deal workflow.
Organization identity scopes protected reads and writes before they reach customer data.
Forced RLS on core tables; separate deal-team permissions inside each organization.Invitation-gated access, MFA, passkeys, organization roles, and deal roles limit who can enter and what they can reach.
Google and Microsoft Entra OIDC are available; SAML requires tenant validation.Customer data and generated workbooks are encrypted in transit and at rest across the managed infrastructure path.
TLS 1.2/1.3 in transit and provider-managed AES-256 at rest.Uploads are bounded by type, size, and signature checks, then scanned through authenticated malware infrastructure.
Unknown, failed, or malicious scan results fail closed before persistence.Database-backed rules detect unsafe intake, authentication bursts, bulk downloads, and privileged activity.
Pending findings are swept every five minutes with retryable, minimized notifications.Reviewed export, deletion, retention, legal-hold, and recovery workflows keep sensitive operations deliberate.
Encrypted privacy exports and a real database point-in-time restore have been exercised.AI governance
Deterministic processing is the default. If an organization chooses an approved assistant provider, Strata requires recorded approval first and sends only bounded, minimized context. We do not use customer inputs, outputs, or documents to train models.
Core extraction, search, and modeling do not require an external model.
An organization chooses whether an approved assistant provider is appropriate.
Provider, approver, evidence reference, and activation time are stored and audited.
Only bounded deal context and the user's question are sent after approval.
Assurance posture
You get a clear view of what operates today, what has been tested, and what is still in progress. Dated exercises are operating evidence; they are not a substitute for independent assurance.
No certification claim. Strata is not SOC 1, SOC 2, or ISO 27001 certified today, and has not yet completed an independent penetration test.
Buyer questions
Important qualifications stay visible. Complete internal policy documents are available to customers and prospects under NDA.
No. Strata is not SOC 1, SOC 2, ISO 27001, or otherwise independently certified today. Our controls are designed around institutional expectations, but formal examinations and independent penetration testing are still in progress.
No. Strata does not use customer inputs, outputs, or uploaded documents to train models. External assistant processing is off by default and requires organization-specific approval before bounded, minimized context can be sent to an approved provider.
Customer data is scoped by organization, and core tenant and deal tables enforce database Row-Level Security. Deal-level permissions add information walls inside an organization so users see only the transactions they are authorized to access.
Strata supports invitation-gated accounts, MFA, passkeys, organization roles, deal roles, and Google or Microsoft Entra OIDC. SAML and generic OIDC can be requested and configured only after tenant validation; live SAML assertion support is not complete today.
Organization administrators can request exports, deletion, or retention changes. Destructive actions are reviewed, checked again for approval and legal hold, and recorded with completion evidence rather than running as an unreviewed instant-delete action.
Strata uses established infrastructure and product providers for hosting, storage, database, document processing, workbook recalculation, identity, email, privacy-filtered telemetry, and optional approved assistant processing. The current provider list and processing purposes are published below.
View subprocessorsData processing partners
The third parties below may process customer data to operate the product. Each is bound by data-protection terms; select a name to view its agreement.
| Subprocessor | Purpose | Location |
|---|---|---|
| Vercel | Application hosting and delivery | United States |
| Vercel Web Analytics | Cookieless, aggregate product usage analytics (no PII) | United States |
| Google Analytics | Optional aggregate usage analytics with sensitive route data redacted | Global |
| PostHog | Masked session replay, interaction outcomes, sanitized errors, and structured operational logs | United States |
| Neon | Managed Postgres database | United States |
| Cloudflare | Object storage and CDN | Global (edge) |
| Microsoft Azure | Document processing and Excel recalculation | Configured region |
| OpenAI | Optional approved AI assistant processing | United States |
| Meta | Optional approved AI assistant processing | Configured endpoint |
| Microsoft Entra | Single sign-on (OIDC) | Configured region |
| Single sign-on (OIDC) | United States | |
| Resend | Transactional email | United States |
Security documentation
Review our public controls and subprocessors, or request the complete policy set under NDA at security [at] stratagp.com.