Security

How we protect your data and maintain the highest security standards.

Last updated: April 1, 2026

Our Security Commitment

Security is foundational to everything we build at Stratl. As a platform trusted with monitoring your AWS infrastructure, we hold ourselves to the highest standards of data protection, access control, and operational security.

Infrastructure Security

All Stratl infrastructure runs within isolated Virtual Private Clouds (VPCs) with strict network segmentation. Production environments are completely separated from development and staging environments.

We deploy exclusively on infrastructure providers that hold a current SOC 2 Type II attestation. All servers are hardened according to CIS benchmarks and continuously monitored for vulnerabilities.

Network traffic between services is encrypted using mutual TLS. All external traffic is encrypted using TLS 1.3 with strong cipher suites. We enforce HSTS and support certificate transparency.

Data Protection

All data at rest is encrypted using AES-256 encryption with keys managed through a dedicated key management service. Encryption keys are rotated automatically on a regular schedule.

We never store long-lived AWS credentials (IAM user access keys). Instead, you create a cross-account IAM role in your account with a least-privilege policy, and Stratl assumes that role through AWS STS. The resulting temporary credentials are short-lived, held only in memory for the duration of a monitoring session, and scoped to the read permissions monitoring requires.
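To make the cross-account model above concrete, the following added example (not Stratl's own code) shows the two policies involved and checks them against a least-privilege baseline: a trust policy that lets only the provider's account assume the role and requires an ExternalId (the AWS-recommended confused-deputy mitigation for third-party access; the page does not state that Stratl uses it, so treat it as an assumption), a permissions check that flags wildcard or non-read actions, and the parameters a short-lived `sts:AssumeRole` call would use. The account ID, ExternalId, role ARN and session limits are constructed placeholders.

```python
import json

# Constructed values for illustration only; not Stratl's real account or identifiers.
PROVIDER_ACCOUNT_ID = "111122223333"
MAX_SESSION_SECONDS = 3600  # assumption: a monitoring session should not outlive an hour
READ_ONLY_VERBS = ("Describe", "Get", "List")  # assumption: the verbs read-only monitoring needs


def build_trust_policy(provider_account_id: str, external_id: str) -> dict:
    """Trust policy the customer attaches to the monitoring role.

    Only the provider's account may assume it, and only when the AssumeRole
    call presents the agreed ExternalId (confused-deputy mitigation).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{provider_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, provider_account_id: str) -> list:
    """Return findings for AssumeRole statements broader than the baseline."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*" or provider_account_id not in p:
                findings.append(f"principal {p!r} is not limited to account {provider_account_id}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings


def check_permissions_policy(policy: dict) -> list:
    """Flag Allow statements that grant more than read-only monitoring actions."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            _service, _, verb = action.partition(":")
            if "*" in action:
                findings.append(f"wildcard action {action!r}")
            elif not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"non-read action {action!r}")
    return findings


def assume_role_kwargs(role_arn: str, external_id: str, session_name: str,
                       duration_seconds: int = 900) -> dict:
    """Keyword arguments for boto3's sts_client.assume_role(**kwargs).

    The credentials STS returns are temporary; they are used in memory and
    never persisted. Sessions longer than the policy maximum are refused.
    """
    if not 900 <= duration_seconds <= MAX_SESSION_SECONDS:
        raise ValueError(f"session duration must be 900..{MAX_SESSION_SECONDS} seconds")
    return {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "ExternalId": external_id,
        "DurationSeconds": duration_seconds,
    }


if __name__ == "__main__":
    trust = build_trust_policy(PROVIDER_ACCOUNT_ID, "example-external-id")
    print(json.dumps(trust, indent=2))
    print("trust findings:", check_trust_policy(trust, PROVIDER_ACCOUNT_ID))
    # Constructed permissions policy mixing read-only and dangerous actions.
    perms = {"Statement": [{"Effect": "Allow", "Resource": "*",
                            "Action": ["ec2:DescribeInstances", "cloudwatch:GetMetricData",
                                       "s3:*", "ec2:TerminateInstances"]}]}
    print("permission findings:", check_permissions_policy(perms))
    print(assume_role_kwargs("arn:aws:iam::999999999999:role/StratlMonitoring",
                             "example-external-id", "stratl-monitor"))
```

A practitioner onboarding a provider like this would run the two check functions against the role before granting access; a customer-side reviewer can do the same to confirm the role cannot be assumed by anyone else and cannot modify resources.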

Database backups are encrypted and stored in geographically separate regions. We perform regular backup restoration tests to ensure data recoverability.

Access Control

All employee access to production systems requires multi-factor authentication and is logged. Access is granted on a least-privilege basis and reviewed quarterly.

We implement role-based access control (RBAC) throughout our platform. Administrative access requires additional approval and is time-limited using just-in-time access provisioning.

All access to customer data requires explicit justification and management approval. Access events are logged and auditable.

Application Security

We follow secure development practices including code review, static analysis (SAST), dynamic analysis (DAST), and dependency scanning as part of our CI/CD pipeline.

We conduct regular penetration testing through independent third-party security firms. Critical and high-severity findings are addressed within 24 and 72 hours respectively.

Our bug bounty program welcomes responsible disclosure from security researchers. Please report vulnerabilities to security@stratl.dev.

Incident Response

We maintain a comprehensive incident response plan that is tested and updated regularly. Our security team is available 24/7 to respond to potential security events.

In the event of a security incident affecting customer data, we commit to notifying affected customers within 72 hours of confirmation, in accordance with applicable regulations.

Post-incident, we conduct thorough root cause analyses and implement measures to prevent recurrence. Summary findings are shared with affected customers.

Compliance

Stratl holds a SOC 2 Type II attestation, with annual audits conducted by an independent auditing firm. Our SOC 2 report is available to customers and prospects under NDA.

We maintain compliance with GDPR, CCPA, and other applicable data protection regulations. Our Data Processing Agreement (DPA) is available for customers who require one.

Security Contact

If you discover a security vulnerability or have security concerns, please contact our security team at security@stratl.dev. We appreciate responsible disclosure and will acknowledge receipt within 24 hours.