
Overview

Strattum operates a context infrastructure platform for AI. We maintain a comprehensive security program aligned with industry best practices, with end-to-end encryption, least-privilege access control, continuous monitoring, and formal incident response processes. This portal centralizes our certifications, controls, and documentation — available to your security team during a vendor review.

Compliance & Certifications

  • SOC 2 Type II: In progress
  • ISO/IEC 27001: In progress
  • LGPD: Compliant
  • GDPR: Compliant

Documents

Documents available under NDA. Request access for release.

Reports & assessments
  • Penetration Test Report: Restricted
  • SIG Lite Questionnaire (completed): Restricted
  • CAIQ — CSA (completed): Restricted
Security documents
  • Security Whitepaper: Restricted
  • Security Architecture Overview: Restricted
  • Shared Responsibility Model (BYOC): Restricted
Policies
  • Information Security Policy: Restricted
  • Incident Response Plan: Restricted
  • Business Continuity Policy: Restricted
Privacy
  • Model DPA: Restricted
  • Data Retention & Deletion Policy: Restricted

Controls

Monitored security controls, organized by category. 30 controls.

Infrastructure Security (6 controls)
  • Data encrypted at rest (AES-256)
  • Data encrypted in transit (TLS 1.2+)
  • BYOC model — customer data stays in the customer's own tenant
  • Strattum internal systems hosted on AWS (sa-east-1)
  • Network isolation between environments
  • Firewalls and security groups configured
Organizational Security (5 controls)
  • Security awareness training
  • Background checks at hiring
  • Signed confidentiality agreements
  • Security policies reviewed annually
  • Formal incident response plan
Product Security (5 controls)
  • MFA enforced
  • Role-based access control (RBAC)
  • Access audit logs
  • SSO support (SAML/OIDC)
  • Annual external pentest
Internal Procedures (4 controls)
  • Vulnerability management with severity SLAs
  • Change management
  • Mandatory code review
  • Vendor risk management
Data & Privacy (6 controls)
  • LGPD compliance
  • ROPA maintained and reviewed
  • Retention and deletion policy
  • DPA available
  • Customer data never used to train models
  • Data subject request process
Access Control (4 controls)
  • Least-privilege principle
  • Quarterly access reviews
  • Offboarding process
  • Unique user identifiers

Subprocessors

Subprocessor | Purpose | Location
AWS | Internal systems hosting | Brazil (sa-east-1)
Google Workspace | Internal email and collaboration | US / Global
Vercel | Marketing site hosting | Global
ClickUp | Task and project management | US / Global
Slack | Internal communication | US / Global
Anthropic | AI platform for internal use | US / Global

Updates

  1. May 15, 2026
    SOC 2 Type II audit kickoff

    We began the observation period for the SOC 2 Type II audit, with a report expected in Q1 2027.

  2. May 8, 2026
    Subprocessor list published

    We published the public subprocessor list and our 30-day advance notice commitment.

  3. Apr 30, 2026
    External privacy policy updated

    Revised privacy policy aligned with LGPD and an updated ROPA.