Security & Trust

Built secure from day one.

Straitum stores some of the most sensitive operational data your organization has — vulnerability scans, asset inventories, and security posture data. Here is exactly how we protect it.


Six things you should know.

The headline security properties of the Straitum platform.

Dedicated Database
Every customer gets their own isolated PostgreSQL database. No shared tables. No cross-tenant risk.

End-to-End Encryption
TLS 1.2+ in transit. AES-256 at rest. bcrypt cost 12 for passwords. TOTP secrets encrypted with AES-256-GCM.

Zero AI Training
Your security data is never used to train AI models. Our AI enrichment uses only public CVE IDs — never your asset or environment data.

72-Hour Breach Notice
If a confirmed breach affects your data, we notify you within 72 hours. Formalized in our DPA.

MFA Built In
TOTP-based MFA with per-user enforcement, trusted devices, admin controls, and step-up auth on destructive actions.

Full Audit Logging
Every API call logged with user, timestamp, and action. Available to customers on request.

Your data is yours. Completely.

Most SaaS platforms store all customers in one shared database and rely on filtering to keep data separate. A single bug can expose one customer's data to another.

Straitum takes a different approach: every customer gets a dedicated PostgreSQL database. There is no shared database, no tenant_id filtering, no possibility of cross-customer data leakage. Physical separation by design.

✗  Shared database model
  • All customers in one database
  • tenant_id filtering required
  • Bug can expose cross-tenant data
  • Common in cost-optimized SaaS
✓  Straitum model
  • Dedicated database per customer
  • No shared tables
  • Physical isolation — not logical
  • Standard for security platforms

What we will never do.

These are not just policies. They are architectural constraints.

Sell your data
We do not sell, rent, or trade customer data. Ever.
Train AI on your data
Your vulnerability scans, asset inventories, and security posture data are never used to train AI or machine learning models. Our AI features use only publicly available CVE data from NIST.
Share without consent
Customer data is shared only with the subprocessors listed below — and only what is necessary to deliver the service.

Subprocessors

Straitum uses the following third-party services to deliver the platform. No other services have access to customer data.

Provider  | Purpose                                                                              | Location
Railway   | Application hosting and database infrastructure                                      | United States
Resend    | Transactional email delivery                                                         | United States
Anthropic | AI enrichment of public CVE data only — no customer environment data is transmitted  | United States

Security Controls

A summary of our implemented security controls. Full details are available in our Security Whitepaper.

✓ Encryption in transit (TLS 1.2+)
✓ Encryption at rest (AES-256)
✓ bcrypt password hashing (cost 12)
✓ JWT authentication
✓ Role-based access control (RBAC)
✓ Multi-factor authentication (TOTP)
✓ Trusted device management
✓ Admin route protection
✓ Rate limiting (all endpoints)
✓ Security headers (Helmet.js)
✓ CORS allowlist policy
✓ Audit logging (all API calls)
✓ Database SSL enforcement
✓ Dedicated database per customer
✓ Restricted public endpoint DB user
✓ MFA step-up on destructive actions
✓ Data deletion on termination
✓ 72-hour breach notification
✓ Responsible disclosure process
⏳ Penetration testing
⏳ SOC 2 Type I (Q1 2027)
⏳ SSO / SAML integration (Q3 2026)
⏳ Per-tenant encryption keys

Compliance & Certifications

Where we stand on the frameworks your security team cares about.

GDPR
✓ Controls in place

Data processing agreement available. Data processed in the United States.

HIPAA
✓ BAA available

Business Associate Agreement available for healthcare customers. Contact us before uploading PHI.

SOC 2 Type I
⏳ Target Q1 2027

Controls implementation in progress. This page documents our current security posture while the formal audit process begins.

PCI DSS
— Not applicable

Straitum does not process cardholder data. We help you track your own PCI scope assets and manage associated risk.


Questions or concerns?

We respond to every security inquiry. Usually same day.

Security questions
hello@straitum.com
General security and privacy questions.

Request DPA or BAA
hello@straitum.com
Subject: DPA Request

Report a vulnerability
hello@straitum.com
Subject: Security Disclosure
Responsible disclosure welcome.

We commit to acknowledging security reports within 48 hours. We do not pursue legal action against good-faith researchers.