Security and governance
What your compliance team will need.
We work with owners whose compliance team needs documented security posture before the work starts. This page is the honest current state, not aspirational language.
Data processing posture
How we handle your data.
We process your data inside the systems you already run. We integrate with your CRM, AMS, or PMS rather than copying your customer list into a STRATA-owned datastore.
Where intermediate storage is required (audit exports, queued outbound messages, audit-result deliverables), data is stored in US-region Supabase Postgres with row-level security policies scoped to the engagement. Audit exports are deleted at the close of the engagement at your written request.
Sub-processors
The vendors STRATA relies on.
Every vendor here is named, scoped, and documented. Active engagements are notified of any vendor change before the new vendor is activated.
Supabase
Primary Postgres database and file storage. US-region by default.
Resend
Transactional and nurture email delivery.
Plausible
Cookieless analytics. No personally identifiable information collected.
Internal infrastructure
Application hosting on STRATA-controlled servers. Not a third-party sub-processor.
Data Processing Agreement (DPA)
A standard DPA is available on request before the work starts. Custom-term DPAs are accepted on larger engagements; request via Audit@InstallStrata.com.
Incident response
Affected owners are notified of a security or availability incident within 24 hours of confirmation. The notice covers the nature of the incident, the data affected, and the immediate mitigation; a documented post-incident review follows within 14 days. The full incident response policy is in the DPA exhibit.
SOC 2 readiness
SOC 2 Type I readiness initiation scheduled for Q3 2026.
STRATA does not claim certification it does not hold. The current posture is documented here, the readiness start date is published, and this page is updated when an audit cycle is signed.
Encryption posture
- TLS 1.3 in transit across all public endpoints.
- AES-256 at rest in Supabase Postgres; this is the provider default and has been verified rather than assumed.
- Slot-picker tokens are signed with HMAC-SHA256 (HS256) using a secret held in the environment and rotated there; each token carries a 14-day TTL.
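The token posture above implies three checks a verifier has to get right: pin the algorithm to HS256 (so a token that declares "none" or swaps in another algorithm is rejected), compare the MAC in constant time, and enforce the 14-day expiry. The following Python is an added illustration of those checks, not STRATA's code; the environment variable names, the claim names, and the practice of accepting the previous secret during a rotation window are assumptions for the example, and the sample claims are constructed.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import List, Optional

# Assumed variable names for the illustration; the page only says the secret
# lives in the environment and is rotated there.
CURRENT_SECRET_ENV = "SLOT_TOKEN_SECRET"
PREVIOUS_SECRET_ENV = "SLOT_TOKEN_SECRET_PREVIOUS"
TTL_SECONDS = 14 * 24 * 60 * 60  # the 14-day TTL stated on the page


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def keys_from_env() -> List[bytes]:
    """Current secret first, previous secret second (if set) so tokens minted
    just before a rotation remain valid until their own exp."""
    keys = [os.environ[CURRENT_SECRET_ENV].encode()]
    prev = os.environ.get(PREVIOUS_SECRET_ENV)
    if prev:
        keys.append(prev.encode())
    return keys


def sign_token(claims: dict, secret: bytes, now: Optional[int] = None) -> str:
    """Mint a compact JWS (header.payload.signature) with HS256 and a 14-day exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + TTL_SECONDS)
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(body, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, keys: List[bytes], now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, HS256, correctly signed by
    one of `keys`, and unexpired; otherwise None. Never trusts the header's alg
    beyond checking that it is exactly HS256."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Algorithm pinning: "none", RS256, or anything else is rejected outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = (header_b64 + "." + body_b64).encode("ascii")
    for key in keys:  # current secret first, then the pre-rotation secret
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):  # constant-time comparison
            break
    else:
        return None
    try:
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None  # expired (or missing exp), even though the MAC was valid
    return claims


if __name__ == "__main__":
    # Constructed sample: a slot-picker token for one engagement.
    cur, prev = b"current-secret", b"previous-secret"
    tok = sign_token({"slot": "2026-07-01T10:00", "engagement": "eng-42"}, cur)
    print("valid now:", verify_token(tok, [cur]) is not None)
    print("valid after 14 days:", verify_token(tok, [cur], now=int(time.time()) + TTL_SECONDS) is not None)
    old = sign_token({"slot": "x"}, prev)
    print("pre-rotation token with both keys:", verify_token(old, [cur, prev]) is not None)
    print("pre-rotation token after previous key dropped:", verify_token(old, [cur]) is not None)
```

The ordering matters: the signature is checked before the payload is parsed, so an unsigned or mis-signed body is never deserialized, and the expiry is checked after the signature so a forged `exp` cannot extend a token's life. Dropping the previous secret from the environment is what actually ends the rotation window.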
Data residency
US-only data residency by default. EU residency is available on larger engagements via a co-located Supabase EU project; request on the audit call or via Audit@InstallStrata.com.
Compliance posture is published.
We name what we have and what we do not.
If your compliance team needs deeper documentation before the audit call, request the DPA and policy pack first.
Performance Guarantee. Honest answer on the call. Month-to-month.