Your financial data deserves the highest level of protection. We've built Stratiri with security as a core principle, implementing comprehensive safeguards to protect your sensitive information.
Last Updated: January 12, 2026
AES-256 at rest, TLS 1.3 in transit
Built on compliant cloud providers
Row-level security for data separation
24/7 threat detection and logging
At Stratiri, we understand that treasury management requires handling highly sensitive financial data. Whether it's bank account information, transaction records, or cash flow forecasts, this data is critical to your business operations. We've architected our platform from the ground up to meet the security expectations of enterprise finance teams.
This page provides an overview of our security practices, controls, and commitments. We believe in transparency about how we protect your data and welcome questions from customers and prospects about our security posture.
Stratiri is built with security as a foundational principle, not an afterthought. Our architecture incorporates multiple layers of protection to safeguard your sensitive financial data.
Infrastructure:
- Hosted on enterprise-grade cloud infrastructure whose provider holds SOC 2 Type II certification
- Deployed across multiple availability zones for redundancy and reliability
- Network isolation using virtual private clouds (VPCs) with strict ingress/egress controls
- Web Application Firewall (WAF) protection against common attack vectors
- DDoS mitigation through our infrastructure provider

Application Security:
- Modern, secure-by-default frameworks and libraries
- Regular dependency scanning and automated vulnerability detection
- Secure coding practices following OWASP guidelines
- Input validation and sanitization across all user inputs
- Content Security Policy (CSP) headers to limit the impact of cross-site scripting (XSS)
All data entrusted to Stratiri is protected using industry-standard encryption protocols.
Encryption in Transit:
- All communications use TLS 1.3, the current version of the transport layer security protocol
- HTTPS enforced across all endpoints, with HSTS headers so browsers refuse to downgrade to plain HTTP
- Certificate transparency monitoring for our domains, so a certificate issued for them outside our control is detected
- Forward secrecy: TLS 1.3 uses only ephemeral key exchange, so a future compromise of a server's private key does not expose previously recorded sessions

Encryption at Rest:
- AES-256 encryption for all stored data
- Database encryption using managed encryption keys
- Encrypted backups stored in geographically separate locations
- Secure key management using hardware security modules (HSMs)

Encryption at rest protects data on storage media and in backups; it does not by itself limit what an authenticated application request may read. That is the job of the access controls and tenant isolation described below.

Sensitive Data Handling:
- Financial credentials are never stored by Stratiri; bank connections use tokens issued by the banking provider in place of account credentials
- Passwords are hashed using bcrypt with an appropriate cost factor
- API keys and secrets stored as encrypted environment variables
- Automatic redaction of sensitive data in logs
We implement strict access controls to ensure only authorized users can access your data.
User Authentication:
- Secure password requirements with complexity validation
- Two-factor authentication (2FA) using TOTP-based authenticator apps (Google Authenticator, Authy, etc.)
- Recovery codes for account access if the authenticator is unavailable
- Session management with automatic timeout of inactive sessions
- Secure password reset flows with time-limited tokens
- Account lockout protection against brute-force attacks
- MFA audit logging for compliance and security monitoring

Authorization:
- Role-based access control (RBAC) for team permissions
- Principle of least privilege applied across all systems
- Row-level security (RLS) enforcing tenant data isolation in the database
- API authentication using tokens with a bounded lifetime

Internal Access:
- Employee access to production systems requires multi-factor authentication
- Access granted on a need-to-know basis, with regular access reviews
- All administrative actions are logged and auditable
- Separation of duties for sensitive operations
As a multi-tenant platform, ensuring complete data isolation between organizations is paramount.
Database Security:
- Row-level security (RLS) policies enforce tenant boundaries at the database level
- Every query is automatically scoped to the authenticated user's organization: the database applies the tenant filter itself, so an application query that omits a tenant condition still cannot return another organization's rows
- Cross-tenant reads and writes are rejected by the database, not only by application code
- Regular audits verify the effectiveness of isolation controls

Application-Level Protections:
- Tenant context validated on every API request
- Authorization checks performed before any data access
- Comprehensive testing of isolation boundaries
- Automated security testing in our CI/CD pipeline

Data Segregation:
- Logical separation of tenant data within shared infrastructure
- Tenant-specific encryption keys available for enterprise customers
- Data export and deletion capabilities for individual tenants
- Clear data ownership and portability
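The two mechanisms described above, database-level RLS policies and a per-request tenant context, fit together as in the following example. It is an added illustration, not Stratiri's schema or code, and it assumes PostgreSQL-style row-level security; the table, column and role names and the `app.current_org` setting are hypothetical.

```sql
-- Added example (hypothetical schema, not Stratiri's): PostgreSQL row-level
-- security that scopes every statement on a shared table to one organization.

CREATE TABLE bank_accounts (
    id              bigserial PRIMARY KEY,
    organization_id uuid   NOT NULL,
    name            text   NOT NULL,
    balance_cents   bigint NOT NULL DEFAULT 0
);

-- The application connects as a dedicated role that does not own the table.
-- Table owners bypass RLS unless FORCE ROW LEVEL SECURITY is set, and
-- superusers and BYPASSRLS roles always bypass it, so the app role must be none
-- of those.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON bank_accounts TO app_user;
GRANT USAGE, SELECT ON SEQUENCE bank_accounts_id_seq TO app_user;

ALTER TABLE bank_accounts ENABLE ROW LEVEL SECURITY;
ALTER TABLE bank_accounts FORCE ROW LEVEL SECURITY;   -- policies apply to the owner too

-- The tenant comes from a transaction-scoped setting that the API layer sets
-- after authenticating the request. current_setting(..., true) returns NULL
-- (or '' after a RESET) when nothing was set; NULLIF turns '' into NULL, the
-- comparison is then NULL, the policy evaluates false, and no rows match.
-- A missing tenant context therefore yields zero rows, never every row.
CREATE POLICY tenant_isolation ON bank_accounts
    FOR ALL TO app_user
    USING      (organization_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (organization_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Constructed sample data for two tenants.
INSERT INTO bank_accounts (organization_id, name, balance_cents) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Acme operating',   1250000),
    ('22222222-2222-2222-2222-222222222222', 'Globex operating',  990000);

-- One transaction per request. SET LOCAL scopes both the role and the tenant
-- to this transaction, so the context cannot leak to the next request that
-- reuses the same pooled connection.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';

-- No WHERE clause on organization_id, yet only Acme's rows are visible:
-- the USING clause adds the tenant filter.
SELECT name, balance_cents FROM bank_accounts;

-- Writing a row that belongs to another tenant fails the WITH CHECK clause
-- and aborts the transaction, so the application cannot smuggle data across.
INSERT INTO bank_accounts (organization_id, name)
    VALUES ('22222222-2222-2222-2222-222222222222', 'smuggled');
ROLLBACK;

-- Isolation audit: with no tenant context, the app role must see nothing.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM bank_accounts;
ROLLBACK;
```

From application code, set the tenant with `SELECT set_config('app.current_org', $1, true)` rather than `SET LOCAL`, because `set_config` accepts a bound parameter while `SET` does not, which keeps the organization id out of string interpolation. The audit at the end is the check worth automating: run it for every table that holds tenant data, and also confirm that the application's database role is neither a superuser nor marked BYPASSRLS.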
We are committed to meeting and exceeding industry security standards and regulatory requirements.
Current Compliance:
- Infrastructure hosted on SOC 2 Type II certified providers
- GDPR-compliant data handling for EU customers
- CCPA compliance for California residents
- Standard Contractual Clauses (SCCs) for international data transfers

Security Practices:
- Annual security assessments and penetration testing
- Vulnerability scanning of infrastructure and applications
- Security-focused code reviews for all changes
- Incident response procedures aligned with industry frameworks

Roadmap: We are actively working toward formal certifications as our platform matures:
- SOC 2 Type II certification for Stratiri's own controls (distinct from the certification our infrastructure providers hold)
- ISO 27001 certification for information security management
- Additional certifications based on customer requirements
We provide security questionnaires and documentation to support customer due diligence processes.
Security is integrated into every stage of our development process.
Development Practices:
- Secure coding training for all developers
- Security requirements defined during feature planning
- Threat modeling for significant new features
- Static application security testing (SAST) during development
- Peer code review with security considerations

Testing & Deployment:
- Automated security testing in CI/CD pipelines
- Dependency vulnerability scanning before deployment
- Staged rollouts with monitoring for anomalies
- Ability to quickly roll back problematic changes
- Separation between development, staging, and production environments

Third-Party Code:
- Careful vetting of third-party libraries and dependencies
- Automated alerts for newly discovered vulnerabilities in dependencies
- Regular updates to apply security patches
- License compliance and supply chain security awareness
We carefully evaluate and monitor all third-party services that handle your data.
Accounting Integrations: Our accounting connections are facilitated through industry-leading providers:
- Xero: SOC 1 and SOC 2 certified
- QuickBooks: SOC 1 and SOC 2 certified, ISO 27001 compliant
These providers maintain their own rigorous security programs and undergo regular third-party audits.
Service Providers:
- All vendors undergo security assessment before engagement
- Data processing agreements (DPAs) in place with all subprocessors
- Regular review of vendor security posture
- Minimization of data shared with third parties

Subprocessor Transparency: We maintain a list of subprocessors and can provide it upon request. We notify customers of material changes to our subprocessor list.
We maintain comprehensive monitoring and have established procedures for responding to security incidents.
Continuous Monitoring:
- 24/7 automated monitoring of infrastructure and applications
- Real-time alerting on suspicious activity and anomalies
- Log aggregation and analysis for threat detection
- Performance monitoring to detect potential issues early

Logging & Audit Trails:
- Comprehensive logging of user actions and system events
- Tamper-resistant audit logs stored securely
- Log retention aligned with compliance requirements
- Regular log analysis for security insights

Incident Response:
- Documented incident response procedures
- Defined roles and responsibilities for incident handling
- Communication protocols for notifying affected parties
- Post-incident review and remediation processes

Commitment to Transparency: In the event of a security incident affecting your data, we commit to:
- Prompt notification in accordance with legal requirements
- Clear communication about the nature and scope of the incident
- Information about the steps we are taking to address the issue
- Guidance on any actions you may need to take
We implement robust measures to ensure the availability and recoverability of your data.
Data Protection:
- Automated daily backups of all customer data
- Backups encrypted and stored in geographically separate regions
- Regular backup restoration testing to verify integrity
- Point-in-time recovery capabilities

Infrastructure Resilience:
- Multi-availability-zone deployment for high availability
- Automatic failover for critical system components
- Load balancing to distribute traffic and prevent overload
- Regular testing of failover procedures

Recovery Objectives:
- Recovery Time Objective (RTO): we aim to restore service as quickly as possible following any disruption
- Recovery Point Objective (RPO): minimal data loss through frequent backups
- Regular review and testing of disaster recovery procedures
We value the security research community and welcome responsible disclosure of potential vulnerabilities.
Reporting Vulnerabilities: If you believe you have discovered a security vulnerability in our platform, please report it to us at hello@stratiri.com with "Security" in the subject line.
Please include:
- A description of the vulnerability
- Steps to reproduce the issue
- Your assessment of the potential impact
- Your contact information for follow-up

Our Commitment:
- We will acknowledge receipt of your report promptly
- We will investigate and validate the reported vulnerability
- We will keep you informed of our progress
- We will not take legal action against researchers acting in good faith

Scope: Our security reporting program covers:
- The Stratiri web application (stratiri.com)
- Our API endpoints
- Authentication and authorization mechanisms
- Data handling and storage

Please do not:
- Access or modify data belonging to other users
- Perform denial-of-service attacks
- Use automated scanning tools without prior approval
- Publicly disclose vulnerabilities before we have addressed them
We're committed to transparency about our security practices. If you have questions about our security controls, need documentation for your due diligence process, or want to discuss our security roadmap, our team is here to help.
hello@stratiri.com