Security and privacy architecture
How AiSU Strata handles your data, protects your privacy, and meets compliance requirements. Governance by architecture, not by policy.
Transient processing
AiSU Strata never stores your documents or file contents. Files are retrieved from your cloud provider at query time, processed in memory, and discarded after the response is generated. A lightweight search index — vector embeddings and classification labels — is maintained to enable fast retrieval. Your files remain exclusively in the storage you control.
Encryption & isolation
All data in transit is protected with TLS 1.3. OAuth tokens are encrypted at rest with AES-256-GCM. Each organisation operates in a fully isolated scope: queries, document access, and metadata are partitioned per-org with no cross-tenant data paths.
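As an added illustration of two of the controls above (this is not AiSU Strata's code, and the page does not say how its token encryption and tenant scoping are combined), the following Go snippet seals an OAuth token with AES-256-GCM and passes the organisation ID as associated data, so a blob sealed for one org cannot be opened in another org's scope even under the same key. The AAD binding, the function names and the demo key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newTokenAEAD builds the AES-256-GCM cipher used for tokens at rest; the key
// must be exactly 32 bytes (in practice supplied by a KMS, not held in code).
func newTokenAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToken encrypts a token with a fresh random nonce (prepended to the output)
// and binds the blob to its owning organisation via the org ID as associated data.
func sealToken(aead cipher.AEAD, orgID, token string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(token), []byte(orgID)), nil
}

// openToken decrypts a blob for orgID. The GCM tag check fails for a modified
// blob or one sealed under another org, so tenant scope is enforced by the AEAD.
func openToken(aead cipher.AEAD, orgID string, sealed []byte) (string, error) {
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return "", fmt.Errorf("sealed token too short")
	}
	pt, err := aead.Open(nil, sealed[:ns], sealed[ns:], []byte(orgID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed demo key
	rand.Read(key)
	aead, _ := newTokenAEAD(key)
	sealed, _ := sealToken(aead, "org-a", "constructed-demo-token")
	_, err := openToken(aead, "org-b", sealed) // same key, wrong tenant scope
	fmt.Println("cross-org open rejected:", err != nil)
}
```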
Authentication
AiSU Strata authenticates via OAuth 2.0 with Google and Microsoft. We never see or store user passwords. SSO is supported for organisations that require centralised identity management. Two-factor authentication (TOTP) is available for all accounts.
Audit & governance
Every document access is logged with user, timestamp, and action. Administrators can review audit trails, monitor query patterns, and generate compliance reports. Audit logs can be exported for compliance review. Document sensitivity classification is applied automatically during indexing.
AI provider governance
AiSU Strata distributes inference across multiple LLM providers (Groq, Google Gemini, OpenAI, Anthropic). All four providers explicitly exclude API data from model training by default. Zero Data Retention is enabled across all providers — no customer query data persists beyond the immediate response. Your questions and documents are never used to train AI models.
Data protection
GDPR compliance
GDPR-native by design
AiSU Strata is a Finnish company processing data within EU infrastructure. We provide a Data Processing Agreement (DPA) on request. Data subject access requests, rectification, and erasure are fully supported. Upon request, all account data, document metadata, search index entries, and conversation history are permanently deleted.
Compliance
Framework alignment
AiSU Strata’s controls are mapped against leading security and privacy frameworks.
| Framework | Status | Detail |
|---|---|---|
| SOC 2 Type II | Mapped | 28/33 Security, 3/3 Availability, 4/4 Confidentiality |
| ISO 27001:2022 | Mapped | 78/93 Annex A controls implemented |
| GDPR | Compliant | Full article-by-article mapping; data subject rights via API |
| EU AI Act | Planned | Conformity documentation for August 2026 deadline |
Documentation
Governance documentation
14 governance documents effective since February 2026. Available on request for prospects and customers.
Transparency
Sub-processors
We maintain a public sub-processor list with 14-day advance notice for changes.
| Provider | Purpose | Trains on your data? |
|---|---|---|
| Groq | LLM inference (simple queries) | No |
| Google (Gemini) | LLM inference (simple/moderate) | No |
| OpenAI | LLM inference (moderate/complex) | No |
| Anthropic | LLM inference (complex) | No |
| Tavily | Web search augmentation | No |
| Render | Application hosting | N/A |
| Stripe | Payment processing | N/A |
Questions about security?
Contact us for our DPA template, sub-processor documentation, compliance mappings, or a security walkthrough.