Stradiva
Security

Built for teams that get audited.

Stradiva treats security as part of the platform, not a feature on top of it. Below: how we earn that claim — and proof you can read.

The audit log

Every action, signed and visible.

The same audit ledger your auditors will eventually ask for is the one your engineers already use to investigate incidents. One surface, both jobs.

Live · region eu-west

Time       Actor       Action              Target
11:42:18Z  iris.chen   granted prod:write  service/dispatch
11:38:02Z  system      rotated             kms/key/eu-west-pg
11:34:55Z  daniel.o    signed deploy       v2.14.0
11:31:09Z  meilin.p    read secret         prod/stripe/sk
11:27:41Z  system      attested build      sha256:9f3a…
11:23:18Z  arjun.r     closed break-glass  incident/2026-128

Four pillars

How the platform protects you.

Encryption everywhere

TLS 1.3 on the wire, AES-256 at rest, customer-managed keys on Enterprise.

Just-in-time access

SCIM provisioning, role inheritance, break-glass with full traceability.

Signed by default

Every build attested with Sigstore; every config change signed by a human.

Visible to your SIEM

Audit events streamed to Splunk, Datadog, Elastic, or your S3 bucket.

Audited where it matters
SOC 2 Type II · ISO 27001 · GDPR · HIPAA-ready · PCI-DSS · CCPA / CPRA

Reports available under NDA. Sub-processor changes announced 30 days in advance. Public bug bounty open to all researchers via HackerOne.

Trust pack

Need our reports under NDA?

The trust pack bundles the SOC 2 Type II report, ISO 27001 certificate, penetration test summary, sub-processor list, and DPA. Request access and we send a signed link within one business day.