TRUST
“Security that holds, by design.”
Security is part of how Strawbay runs, not a layer on top. We host in the EU, isolate every customer, keep the data we hold to a minimum, and watch the platform in real time, so the financial flows you depend on stay safe and available.
“We deliberately built one engine rather than a separate stack per customer. Every tenant is strictly isolated inside one system we know inside out.”
Andy Kovalov, CTO, Strawbay · Read the article
How we keep it safe
Security built into the platform
Hosted in the EU
All core infrastructure runs on Google Cloud europe-west1. Data at rest stays in the EU, with no replication outside it.
Tenant isolation
Each integration runs in its own isolated, short-lived cloud function, with per-customer isolation enforced through Cloud Storage Hierarchical Namespaces.
Authentication and access
Customer sign-in via Firebase with MFA, and system-to-system access via encrypted JWT and OAuth. Production access is limited to the EU; development and test require an NDA and use obfuscated data.
Data protection
We store a minimal operational data set. Transaction logs are kept for at most six months, strictly for error tracing, never for profiling. We never store authentication secrets, and a DPA is in place.
Monitoring and logging
Google Cloud Logging and Monitoring with Sentry give real-time anomaly and error detection, with alerts to the response team and escalation to incident management.
Secure delivery
Security is designed in from the start, with automated vulnerability assessment before deploys and a controlled, reviewed release process. See our Development Methodology.
A DPA, security whitepaper and penetration-test summary are available on request. See Compliance for our regulatory posture.
