strawbay.iostrawbay.ioAnchored Fintech Integrations
Trust

Security

TRUST

“Security that holds, by design.”

Security is part of how Strawbay runs, not a layer on top. We host in the EU, isolate every customer, keep the data we hold to a minimum, and watch the platform in real time, so the financial flows you depend on stay safe and available.

“We deliberately built one engine rather than a separate stack per customer. Every tenant is strictly isolated inside one system we know inside out.”

Andy Kovalov, CTO, Strawbay · Read the article

99.99% uptime trailing 90 days
4h recovery time RTO
1h recovery point RPO
5 disaster recovery plans

How we keep it safe

Security built into the platform

EU

Hosted in the EU

All core infrastructure runs on Google Cloud europe-west1. Data at rest stays in the EU, with no replication outside it.

Per customer

Tenant isolation

Each integration runs in its own isolated, short-lived cloud function, with per-customer isolation enforced through Cloud Storage Hierarchical Namespaces.

MFA

Authentication and access

Customer sign-in via Firebase with MFA, and system-to-system access via encrypted JWT and OAuth. Production access is limited to the EU; development and test require an NDA and use obfuscated data.

Minimal

Data protection

We store a minimal operational data set. Transaction logs are kept for at most six months, strictly for error tracing, never for profiling. We never store authentication secrets, and a DPA is in place.

Real-time

Monitoring and logging

Google Cloud Logging and Monitoring with Sentry give real-time anomaly and error detection, with alerts to the response team and escalation to incident management.

By design

Secure delivery

Security is designed in from the start, with automated vulnerability assessment before deploys and a controlled, reviewed release process. See our Development Methodology.

A DPA, security whitepaper and penetration-test summary are available on request. See Compliance for our regulatory posture.

Talk to us about security