Honest security posture, on the record.
Strata is in early access. We do not currently hold a SOC 2, ISO 27001, or other third-party-audited compliance report. This page is the truth about what's in place today and what's on the roadmap, so you can decide whether Strata fits your risk model.
- Encryption in transit
All client → Strata API traffic is HTTPS-only with HSTS preloading.
- Encryption at rest
Customer data is stored in Appwrite TablesDB on AWS ap-southeast-1 with disk-level encryption.
- Scoped server tokens
The worker uses scoped Appwrite API keys; no plaintext credentials live in the application repo.
- Auth + session
Email + password (with strength minimums) and Google OAuth via Appwrite. Password recovery via signed, single-use tokens.
- No card storage
Billing is handled by Lemon Squeezy. We never see or store card details.
- SOC 2 Type II
Targeted post-launch. Once Strata exits early access we'll begin the audit window with a Type I report.
- GDPR DPA
A standard DPA will be available for paid customers once general availability is announced. Strata stores minimal personal data by design.
- Regional data residency
Enterprise plans will offer EU and US residency. APAC residency is the default today.
- SSO / SAML
Enterprise tier ships SSO + SCIM at GA. Contact sales today for an early-access engagement.
Roadmap items are commitments to begin work, not guaranteed delivery dates. We'll publish updates on the changelog as each milestone lands.
If you've found a security issue, please email security@modulus1.co with steps to reproduce. We aim to acknowledge within two business days.