Security at Strata
Last updated: May 5, 2026
StrataSpace, Inc. (“Strata”) operates a multi-tenant collaborative document platform. This page summarizes the controls that protect customer data and the disclosures we make about how the platform is built and operated. For contractual commitments see the Terms of Service and the Privacy Policy.
1. Encryption in transit and at rest
All client traffic to Strata is served over HTTPS. TLS 1.3 is the floor for new sessions; older protocol versions are not negotiated. Customer document content stored in Amazon S3 is encrypted at rest with AES-256 using AWS-managed keys. DynamoDB tables holding metadata, presence, comments, and access policies are encrypted at rest with AWS-managed keys. Postgres search indexes are hosted on Neon with at-rest encryption enabled. Yjs CRDT state is compressed with zstd before encryption to reduce storage footprint without changing the encryption boundary.
2. Tenant isolation
Every API request is authorized by Cedar policies that scope identity to the user’s Company, Organization, Team, and Space membership before any data is returned. Document content, search results, audit events, and presence are always filtered by tenant before leaving the API. There is no shared tenant cache; each request resolves authorization fresh against the current grant graph.
3. Authentication and access
User authentication is brokered by Amazon Cognito with TOTP-based multi-factor authentication available on every plan and required for company admins on plans where the company MFA policy is enabled. Enterprise customers can enforce SAML or OIDC SSO against their corporate IdP and provision users via SCIM 2.0 with automated deprovisioning on offboarding. Service-to-service access via the Model Context Protocol uses OAuth 2.1 with Dynamic Client Registration and short-lived access tokens.
4. Audit logging
Every mutating API operation emits a structured audit event tagged with actor identity, tenant, resource, action, IP, and timestamp. Audit events stream to a dedicated DynamoDB table with TTL retention and are queryable by company admins. Agent-initiated edits are attributed distinctly from user-initiated edits so review of AI activity is unambiguous.
5. Compliance status
Strata is SOC 2 Type 1 audited. The Type 2 observation period is in progress. Reports are available under NDA to current and prospective customers; contact security@strata.space to request access.
6. Data residency
Production customer data is stored in AWS region us-east-2 (Ohio). Document content lives in S3, metadata and access policies in DynamoDB, and search indexes in Neon Postgres in the same region. Strata does not currently offer EU or APAC data residency. Customers requiring regional residency should contact sales@strata.space.
7. Subprocessors
Strata relies on the following subprocessors to operate the platform. We notify active customers of new subprocessors under our DPA before they take effect.
- Amazon Web Services, Inc.: Compute (ECS Fargate, Lambda), storage (S3, DynamoDB), authentication (Cognito), and CDN (CloudFront).
- Neon, Inc.: Managed Postgres hosting for search indexes.
- Anthropic, PBC: AI model inference for the platform agent surface (where customers have enabled AI features).
- Stripe, Inc.: Payment processing and subscription billing.
8. Vulnerability reporting
Report security vulnerabilities to security@strata.space. We acknowledge reports within two business days and aim to remediate confirmed high-severity findings within thirty days. Coordinated disclosure is appreciated; please do not publicly disclose unpatched issues.
9. Contact
General security and compliance questions, including DPA, SOC 2 report requests, and subprocessor disclosures, go to security@strata.space.