Statura Intelligence
Trust & Security

Built like the data matters.

Your tracked items, briefs, and notes are scoped to your workspace via row-level isolation enforced at the database tier. Encrypted in transit, encrypted at rest, never sold, never used to train AI models. SOC-2 Type II audit in progress.

  • 99.97% uptime (last 90 days)
  • TLS 1.3 in transit
  • AES-256 at rest
  • RLS workspace isolation

Four pillars

How we protect your data.

Encryption

Every byte that moves between your browser and our servers is encrypted with TLS 1.3. Every byte we store is encrypted at rest with AES-256 via Supabase + AWS-managed keys.

  • In transit: TLS 1.3 enforced (HSTS preloaded)
  • At rest: AES-256, AWS KMS-managed keys
  • Backups: Daily encrypted snapshots, 7-day retention
  • Secrets: 1Password Teams + Vercel encrypted env, never in git

Workspace isolation

Multi-tenant means every row in our database is tagged with the workspace it belongs to, and Postgres enforces, at the database tier rather than the application tier, that you can only read rows from your own workspace.

  • Row-Level Security (RLS): enforced for every table that holds workspace data
  • Tested isolation: 2-user × 2-workspace cross-read test before every schema change
  • Service-role isolation: separate keys for public reads vs. workspace reads
  • Audit log: sensitive operations logged with actor + timestamp + IP
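The isolation model described above, as an added illustration in plain Postgres (not Statura's schema or code): table and column names, the `app.user_id` session setting and the `app_user` role are assumptions, and the final block is the 2-user × 2-workspace cross-read test expressed as a runnable assertion.

```sql
-- Hypothetical schema; names are assumptions, not Statura's.
CREATE TABLE workspace_members (
  user_id      uuid NOT NULL,
  workspace_id uuid NOT NULL,
  PRIMARY KEY (user_id, workspace_id)
);

CREATE TABLE tracked_items (
  id           bigserial PRIMARY KEY,
  workspace_id uuid NOT NULL,   -- every row is tagged with its workspace
  title        text NOT NULL
);

-- Turn RLS on, and FORCE it so the table owner is not exempt
-- (superusers and BYPASSRLS roles still bypass policies).
ALTER TABLE tracked_items ENABLE ROW LEVEL SECURITY;
ALTER TABLE tracked_items FORCE ROW LEVEL SECURITY;

-- Caller identity comes from a per-request session setting (assumed
-- name: app.user_id). If it was never set, current_setting(..., true)
-- returns NULL, and NULL IN (...) is never true: no rows are visible.
CREATE POLICY tracked_items_workspace_isolation ON tracked_items
  FOR ALL
  USING (workspace_id IN (
           SELECT m.workspace_id FROM workspace_members m
           WHERE  m.user_id = current_setting('app.user_id', true)::uuid))
  WITH CHECK (workspace_id IN (
           SELECT m.workspace_id FROM workspace_members m
           WHERE  m.user_id = current_setting('app.user_id', true)::uuid));

-- Least-privilege application role: no BYPASSRLS, so policies apply to it.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON tracked_items TO app_user;
GRANT SELECT ON workspace_members TO app_user;
GRANT USAGE, SELECT ON SEQUENCE tracked_items_id_seq TO app_user;

-- 2-user x 2-workspace cross-read test (constructed data).
INSERT INTO workspace_members VALUES
  ('00000000-0000-0000-0000-00000000000a', '00000000-0000-0000-0000-000000000001'),
  ('00000000-0000-0000-0000-00000000000b', '00000000-0000-0000-0000-000000000002');

SET ROLE app_user;
SET app.user_id = '00000000-0000-0000-0000-00000000000a';   -- user A
INSERT INTO tracked_items (workspace_id, title)
  VALUES ('00000000-0000-0000-0000-000000000001', 'HB 101');

SET app.user_id = '00000000-0000-0000-0000-00000000000b';   -- user B
DO $$ BEGIN
  ASSERT (SELECT count(*) FROM tracked_items) = 0, 'cross-workspace read leaked';
END $$;
RESET ROLE;
```

The same assertion, run with user B also attempting an INSERT tagged with workspace 1, exercises the `WITH CHECK` half of the policy, which is what stops a client from writing rows into a workspace it does not belong to.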

Account security

Password-based authentication via Supabase Auth (bcrypt-hashed). Optional TOTP two-factor auth, recovery codes, and per-device session management. Suspicious-login detection notifies you on new IPs.

  • 2FA available: TOTP authenticator apps + recovery codes
  • Session management: revoke individual sessions or sign out everywhere
  • Login alerts: email when a new device or country signs in
  • Password rules: 12+ chars, mixed case, number, symbol
  • SSO (Firm tier): SAML + SCIM provisioning with your IdP

Operational security

Production access is locked to a small operations team via signed SSH keys + 1Password vault. Deploys go through CI with required code review. Vulnerability scans run nightly.

  • Least-privilege: production DB read locked to RLS-scoped queries; raw access requires explicit on-call grant
  • Code review: required PR review + GitHub branch protection on main
  • Dependency scans: npm-audit + Dependabot, weekly review
  • Error monitoring: Sentry with PII scrubbed before transmission

Compliance

Frameworks and certifications.

  • SOC 2 Type II (in progress): Independent audit of security, availability, and confidentiality controls over a 6-month observation window. Type I report Q3 2026.
  • GDPR + UK-GDPR (aligned): Processor + Controller obligations, DSAR workflow, subprocessor list, data-export tooling. DPA available on request.
  • CCPA / CPRA (aligned): California consumer rights: access, deletion, portability, opt-out of sale (not applicable, we don't sell data). Contact: privacy@statura.app
  • ISO 27001 (roadmap): Information security management framework. Targeted following SOC-2 Type II completion, 2027 H1.

Sub-processors

Every vendor we work with.

We notify customers 30 days before adding any new sub-processor that has access to customer data. The list is also published in our Privacy Policy.

| Vendor | Purpose | Data accessed | Region |
| --- | --- | --- | --- |
| Supabase, Inc. | Authentication + Postgres database hosting | All customer data (encrypted) | US-East-2 (AWS) |
| Vercel, Inc. | Application hosting, edge CDN, analytics (IP-anonymized) | Request metadata, no body content | US (multi-region edge) |
| Stripe, Inc. | Payment processing | Billing email + payment method (we never see card data) | US |
| Resend | Transactional + alert email delivery | Recipient email + message body | US |
| Anthropic, PBC | AI model inference for briefs (zero-retention) | Bill text + brief generation context (not used to train models) | US |
| Sentry | Error monitoring (PII scrubbed before transmission) | Stack traces, no user content | US |
| BetterStack | Uptime monitoring + log aggregation | Operational logs, no customer body content | US |
| Cloudflare, Inc. | DNS, DDoS protection, bot mitigation | Request metadata, no body content | Global (DNS-only mode) |
| 1Password | Internal credential vault (employee secrets) | No customer data | Canada |

Data residency

Where your data lives.

Primary database: Supabase managed Postgres on AWS US-East-2 (Ohio). Daily encrypted backups stored in the same region. Edge cache via Vercel CDN globally for static assets only. No customer data is cached at the edge.

EU residency available for Firm-tier customers on request, via a separate Supabase project hosted in EU-Central (Frankfurt).

Data retention + deletion

When we delete what.

  • Active accounts: retained while active
  • Cancelled workspaces: 60-day grace period, then hard delete
  • Billing records: 7 years (tax + audit compliance)
  • IP logs: truncated after 30 days
  • Audit logs: 12 months
  • Backup retention: 7 days (daily snapshots)

Vulnerability disclosure

Responsible disclosure.

If you discover a security vulnerability, please email security@statura.app with the details. We will:

  • Acknowledge within 24 hours
  • Provide an initial triage assessment within 3 business days
  • Coordinate disclosure timeline with you (typically 90 days max)
  • Credit you publicly on this page if you'd like (researcher hall of fame coming soon)
  • Not pursue legal action against good-faith research

PGP key on file at security@statura.app · Bug bounty program targeted Q3 2026 (HackerOne)

AI use

How we use AI, and how we don't.

Statura Intelligence uses an enterprise AI provider with zero-retention guarantees to generate brief summaries from public legislative data. Every claim in an AI-generated brief includes a citation back to the official source: bill text, sponsor statement, committee record. We do not use customer private content to train AI models, and Anthropic operates on a zero-retention policy for our queries.

Read our AI Use Policy →

Have a security question?

DPA, security review, pen-test report, ISO request. We'll respond within 1 business day.