Strata
Strata
ProductDemoResourcesSecurityLog in
Contact Us
ProductDemoResourcesSecurityLog in

Security at Strata

Security for your most sensitive deals.

Your GP stakes deal work can include confidential fund economics, management-company financials, partner economics, and MNPI. Strata is built to keep that work separated, controlled, and accountable across the platform.

Review our controlsView subprocessors

Defense in depth

Access narrows at every layer.

01
Identity

Invitation + MFA

02
Scoped access

Org + deal roles

03
Tenant data

Database RLS

Invitation gatedAuditableEncrypted
01

Your data stays inside your organization

Core tenant and deal tables enforce database Row-Level Security, with request-scoped claims and deal-level access controls.

02

Your data stays encrypted

Customer data is protected with TLS 1.2 or higher in transit and provider-managed AES-256 encryption at rest.

03

You decide when external AI is used

External assistant processing is off by default and requires organization-specific approval evidence before use.

04

You can trace access and exports

Authentication, access, changes, downloads, and collaborator activity produce append-only audit events.

Protection across the data path

Protection for the way your team works.

From sign-in and document intake through access, monitoring, export, and recovery, each control addresses a specific part of the deal workflow.

Keep each deal with the right team

Organization identity scopes protected reads and writes before they reach customer data.

Forced RLS on core tables; separate deal-team permissions inside each organization.

Limit access to the people who need it

Invitation-gated access, MFA, passkeys, organization roles, and deal roles limit who can enter and what they can reach.

Google and Microsoft Entra OIDC are available; SAML requires tenant validation.

Protect data in transit and at rest

Customer data and generated workbooks are encrypted in transit and at rest across the managed infrastructure path.

TLS 1.2/1.3 in transit and provider-managed AES-256 at rest.

Screen files before they are stored

Uploads are bounded by type, size, and signature checks, then scanned through authenticated malware infrastructure.

Unknown, failed, or malicious scan results fail closed before persistence.

Detect and respond to risky activity

Database-backed rules detect unsafe intake, authentication bursts, bulk downloads, and privileged activity.

Pending findings are swept every five minutes with retryable, minimized notifications.

Keep sensitive lifecycle actions deliberate

Reviewed export, deletion, retention, legal-hold, and recovery workflows keep sensitive operations deliberate.

Encrypted privacy exports and a real database point-in-time restore have been exercised.

AI governance

External AI is off until you approve it.

Deterministic processing is the default. If an organization chooses an approved assistant provider, Strata requires recorded approval first and sends only bounded, minimized context. We do not use customer inputs, outputs, or documents to train models.

  1. 01

    Deterministic default

    Core extraction, search, and modeling do not require an external model.

  2. 02

    Customer decision

    An organization chooses whether an approved assistant provider is appropriate.

  3. 03

    Recorded approval

    Provider, approver, evidence reference, and activation time are stored and audited.

  4. 04

    Minimized request

    Only bounded deal context and the user's question are sent after approval.

Assurance posture

Know exactly where we stand.

You get a clear view of what operates today, what has been tested, and what is still in progress. Dated exercises are operating evidence; they are not a substitute for independent assurance.

No certification claim. Strata is not SOC 1, SOC 2, or ISO 27001 certified today, and has not yet completed an independent penetration test.

Operating & tested

Current
  • Production tenant-isolation negative matrix
  • Authenticated clean-file and malware rejection exercise
  • Delivered and resolved high-severity detection exercise
  • Encrypted privacy export round trip
  • Neon point-in-time restore drill
  • Manually enforceable release security gate

Still in progress

Roadmap
  • SOC 1 and SOC 2 examinations
  • Independent penetration test and retest
  • Staffed incident-response tabletop
  • Signed customer and provider assurance program
  • Sustained multi-quarter operating evidence

Buyer questions

Plain answers to the hard questions.

Important qualifications stay visible. Complete internal policy documents are available to customers and prospects under NDA.

01

Are you SOC 2 certified?

No. Strata is not SOC 1, SOC 2, ISO 27001, or otherwise independently certified today. Our controls are designed around institutional expectations, but formal examinations and independent penetration testing are still in progress.

02

Do you train models on our data?

No. Strata does not use customer inputs, outputs, or uploaded documents to train models. External assistant processing is off by default and requires organization-specific approval before bounded, minimized context can be sent to an approved provider.

03

Can another customer access our deals?

Customer data is scoped by organization, and core tenant and deal tables enforce database Row-Level Security. Deal-level permissions add information walls inside an organization so users see only the transactions they are authorized to access.

04

What identity controls are available?

Strata supports invitation-gated accounts, MFA, passkeys, organization roles, deal roles, and Google or Microsoft Entra OIDC. SAML and generic OIDC can be requested and configured only after tenant validation; live SAML assertion support is not complete today.

05

How do retention and deletion work?

Organization administrators can request exports, deletion, or retention changes. Destructive actions are reviewed, checked again for approval and legal hold, and recorded with completion evidence rather than running as an unreviewed instant-delete action.

06

Where is data processed?

Strata uses established infrastructure and product providers for hosting, storage, database, document processing, workbook recalculation, identity, email, privacy-filtered telemetry, and optional approved assistant processing. The current provider list and processing purposes are published below.

View subprocessors

Data processing partners

Subprocessors

The third parties below may process customer data to operate the product. Each is bound by data-protection terms; select a name to view its agreement.

SubprocessorPurposeLocation
VercelApplication hosting and deliveryUnited States
Vercel Web AnalyticsCookieless, aggregate product usage analytics (no PII)United States
Google AnalyticsOptional aggregate usage analytics with sensitive route data redactedGlobal
PostHogMasked session replay, interaction outcomes, sanitized errors, and structured operational logsUnited States
NeonManaged Postgres databaseUnited States
CloudflareObject storage and CDNGlobal (edge)
Microsoft AzureDocument processing and Excel recalculationConfigured region
OpenAIOptional approved AI assistant processingUnited States
MetaOptional approved AI assistant processingConfigured endpoint
Microsoft EntraSingle sign-on (OIDC)Configured region
GoogleSingle sign-on (OIDC)United States
ResendTransactional emailUnited States

Security documentation

Bring us your security questions.

Review our public controls and subprocessors, or request the complete policy set under NDA at security [at] stratagp.com.

Review subprocessors
Strata

Institutional deal modeling for GP stakes investors and bankers.

Company

AboutContact

Legal

SecurityPrivacyTerms
© 2026 Strata.