Security

How Strata handles your data.

We take the security of our customers' and their clients' sensitive data very seriously. This page explains Strata's security program and operational posture.

01

Customer data residency

Your clients’ financial data and credentials are stored in the region consistent with your clients’ U.S.-based operations.

02

Data in transit and at rest

Strata serves HSTS headers and participates in the HSTS preload list used by major browser vendors. The Strata application does not accept unencrypted (plain HTTP) connections or TLS connections below version 1.2, and achieves an A+ rating from the Qualys SSL Labs toolbox. Data is encrypted at rest and in transit.

03

Access controls

Because of the way Strata interacts with its customers’ systems, including legacy systems that don’t support modern delegated authentication methods, we hold a variety of credentials in different forms. Strata’s policy is to accept and store only limited-scope credentials from your clients. In particular, Strata’s policy is to not accept credentials from your clients that have the ability to move money in or out of your clients’ bank accounts.

All of your clients’ credentials are stored encrypted at rest and in transit. Access to your clients’ credentials in the Strata application is gated by a role-based access control system to ensure that only those users with a confirmed business need may access them. Any access via the Strata application is logged.

04

Authentication

Internal Strata systems authenticate via Single Sign-On (SSO) with mandatory Multifactor Authentication (MFA) enforced and limited session lengths.

Customer credentials for the Strata application are hashed and salted before storage. Users may reset their password via a secure tokenized link sent to the email address on file. Login attempts are rate-limited. All authentication requests and actions are logged.

05

Infrastructure

Strata’s primary relational database is encrypted at rest and is not used to store any information considered an application secret. It is regularly backed up, and Strata has a data restoration plan that has been tested in production.

06

Security review

Strata has undergone third-party security reviews of our application, deployment practices, infrastructure security and configuration, and corporate security practices. By policy, high-severity findings are prioritized.

Strata has a policy of requiring security-specialist review of any code changes affecting authentication or authorization models. This is in addition to standard code review and continuous integration test suite requirements.

07

Incident response

Strata has and follows a written process for managing security incidents, including incidents related to vulnerabilities with no evidence of active exploitation.

08

A note on bookkeeping data

Strata’s bookkeeping services run on QuickBooks Online (QBO), a third-party application by Intuit. Intuit is responsible for the security and availability of QBO.

Questions?

Talk to our team about your firm's security requirements.