Security and privacy architecture

How AiSU Strata handles your data, protects your privacy, and meets compliance requirements. Governance by architecture, not by policy.

Transient processing

AiSU Strata never stores your documents or file contents. Files are retrieved from your cloud provider at query time, processed in memory, and discarded after the response is generated. A lightweight search index — vector embeddings and classification labels — is maintained to enable fast retrieval. Your files remain exclusively in the storage you control.

Encryption & isolation

All data in transit is protected with TLS 1.3. OAuth tokens are encrypted at rest with AES-256-GCM. Each organisation operates in a fully isolated scope: queries, document access, and metadata are partitioned per-org with no cross-tenant data paths.

Authentication

AiSU Strata authenticates via OAuth 2.0 with Google and Microsoft. We never see or store user passwords. SSO is supported for organisations that require centralised identity management. Two-factor authentication (TOTP) is available for all accounts.

Audit & governance

Every document access is logged with user, timestamp, and action. Administrators can review audit trails, monitor query patterns, and generate compliance reports. Audit logs can be exported for compliance review. Document sensitivity classification is applied automatically during indexing.

AI provider governance

AiSU Strata distributes inference across multiple LLM providers (Groq, Google Gemini, OpenAI, Anthropic). All four providers explicitly exclude API data from model training by default. Zero Data Retention is enabled across all providers — no customer query data persists beyond the immediate response. Your questions and documents are never used to train AI models.

Data protection

GDPR compliance

GDPR-native by design

AiSU Strata is a Finnish company processing data within EU infrastructure. We provide a Data Processing Agreement (DPA) on request. Data subject access requests, rectification, and erasure are fully supported. Upon request, all account data, document metadata, search index entries, and conversation history are permanently deleted.

Data minimisation (Art. 5(1)(c))

Purpose limitation (Art. 5(1)(b))

Right of access (Art. 15)

Right to rectification (Art. 16)

Right to erasure (Art. 17)

Right to data portability (Art. 20)

Data protection by design (Art. 25)

Processing records (Art. 30)

Compliance

Framework alignment

AiSU Strata’s controls are mapped against leading security and privacy frameworks.

SOC 2 Type II

Mapped

28/33 Security, 3/3 Availability, 4/4 Confidentiality

ISO 27001:2022

Mapped

78/93 Annex A controls implemented

GDPR

Compliant

Full article-by-article mapping; data subject rights via API

EU AI Act

Planned

Conformity documentation for August 2026 deadline

Documentation

Governance documentation

14 governance documents effective since February 2026. Available on request for prospects and customers.

Information Security Policy

Data Processing Agreement (DPA)

Record of Processing Activities (ROPA)

Data Protection Impact Assessment (DPIA)

Acceptable Use Policy

Sub-Processor List

Data Breach Procedure

Legitimate Interest Assessments

Cookie Policy

Responsible Disclosure Policy

Transparency

Sub-processors

We maintain a public sub-processor list with 14-day advance notice for changes.

Provider	Purpose	Trains on your data?
Groq	LLM inference (simple queries)	No
Google (Gemini)	LLM inference (simple/moderate)	No
OpenAI	LLM inference (moderate/complex)	No
Anthropic	LLM inference (complex)	No
Tavily	Web search augmentation	No
Render	Application hosting	N/A
Stripe	Payment processing	N/A