
Security and governance

What your compliance team will need.

STRATA serves Tier 2 and Tier 3 buyers who require documented security posture before engagement. This page is the honest current state, not aspirational language.

Data processing posture

How STRATA handles operator data.

STRATA processes operator data inside the systems the operator already runs. We integrate with the AMS, CRM, or PMS of record rather than copying the book of business into a STRATA-owned datastore.

Where intermediate storage is required (audit exports, queued outbound messages, audit-result deliverables), data is stored in US-region Supabase Postgres with row-level security policies scoped to the engagement. Audit exports are deleted on engagement close at the operator's written request.

Sub-processors

The vendors STRATA relies on.

Every vendor here is named, scoped, and documented. Operators with an active engagement are notified of any vendor change before the new vendor is activated.

Supabase

Primary Postgres database and file storage. US-region by default.

Resend

Transactional and nurture email delivery.

Plausible

Cookieless analytics. No personally identifiable information collected.

Internal infrastructure

Application hosting on STRATA-controlled servers. Not a third-party sub-processor.

Data Processing Agreement (DPA)

A standard DPA is available on request before engagement. Custom-term DPAs are accepted on Tier 2 and Tier 3 engagements; request via Audit@InstallStrata.com.

Incident response

Affected operators are notified of a security or availability incident within 24 hours of confirmation. The notice states the nature of the incident, the data affected, and the immediate mitigation; a documented post-incident review follows within 14 days. The full incident response policy is in the DPA exhibit.

SOC 2 readiness

SOC 2 Type I readiness initiation scheduled for Q3 2026.

STRATA does not claim certification it does not hold. The current posture is documented, the readiness initiation date is published, and this page is updated when the audit engagement is signed.

Encryption posture

  • TLS 1.3 in transit across all public endpoints.
  • AES-256 at rest in Supabase Postgres; verified against the provider default.
  • Slot-picker tokens signed with HS256 (HMAC-SHA256) using a secret held in the deployment environment and rotated; tokens expire 14 days after issue.
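As an added illustration of the third item, not code from STRATA, the following Python (standard library only) mints and verifies an HS256-signed token, enforces the 14-day TTL, and tolerates secret rotation. It assumes the token is a compact JWT carrying a `kid` header, that the verifier holds both the current and the previous secret, and that a retired secret is honoured only for tokens that could have been issued before its retirement; the secret values, key ids, and claim names are constructed for the example.

```python
"""Added example (not STRATA's code): HS256-signed, TTL-bounded tokens with secret rotation.

Assumptions not stated on the page: the token is a compact JWT with a `kid`
header, the verifier holds the current and the previous secret, and a retired
secret remains valid only for tokens that could have been issued before its
retirement. Secrets, key ids and claims below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

TTL_SECONDS = 14 * 24 * 3600  # the page's 14-day TTL

# Constructed secrets; in deployment these would be read from the environment.
SECRETS = {
    "2026-01": b"example-previous-secret",
    "2026-02": b"example-current-secret",
}
CURRENT_KID = "2026-02"
# Epoch second at which each retired kid stopped being used for issuance (constructed).
RETIRED_AT = {"2026-01": 1_800_000_000 - 3600}


class TokenError(ValueError):
    """Raised for any token the verifier refuses."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, now: Optional[int] = None, kid: str = CURRENT_KID) -> str:
    """Issue header.payload.signature under `kid`, with iat/exp bounding the TTL."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = dict(claims, iat=now, exp=now + TTL_SECONDS)
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(SECRETS[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Return the claims if the token is well-formed, signed by a known secret and unexpired."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
    except ValueError as exc:  # covers bad splits, base64 padding, JSON and UTF-8 errors
        raise TokenError("malformed token") from exc
    # Pin the algorithm: the verifier decides how to check, the header does not.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    kid = header.get("kid")
    secret = SECRETS.get(kid) if isinstance(kid, str) else None
    if secret is None:
        raise TokenError("unknown kid")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        payload = json.loads(_b64url_decode(p_b64))
    except ValueError as exc:
        raise TokenError("malformed payload") from exc
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("expired or missing exp")
    # A retired secret may only vouch for tokens that could predate its retirement;
    # this stops a leaked old secret from minting fresh 14-day tokens.
    retired = RETIRED_AT.get(kid)
    if retired is not None and exp > retired + TTL_SECONDS:
        raise TokenError("token postdates key retirement")
    return payload


def is_valid(token: str, now: Optional[int] = None) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_token(token, now)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    issued = mint_token({"sub": "slot-pick-example", "eng": "engagement-example"})
    print(issued)
    print(verify_token(issued))
```

The two checks that matter beyond the signature are the ones rotation tends to get wrong: the verifier pins `alg` rather than trusting the header, and a retired `kid` is accepted only while its tokens could still be in flight, so removing the old secret from the map after one TTL is safe and leaving it in does not let it mint new tokens.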

Data residency

US-only data residency at v1. EU residency is available on enterprise engagements through a separate Supabase project in the EU region; request it on the audit call or via Audit@InstallStrata.com.

Compliance posture is published.

STRATA names what it has and what it does not.

If your compliance team needs deeper documentation before the audit call, request the DPA and policy pack first.

The Pause Clause stands. The Honest No is on the audit call. The first 90 days are month-to-month.