Skip to content
Get started

Stravu Security

Last updated: June 10, 2025

Keeping your data safe is very important to us. This page outlines how we approach security for Stravu. For any security-related questions, including disclosure of potential vulnerabilities, feel free to contact us at security@stravu.com.

Certifications and Third-Party Assessments

Stravu is in the process of getting SOC 2 Type II certified.

Infrastructure Security

We depend on the following sub-processors. Note that business data is sent up to our servers to power all of Stravu's AI features (see AI Requests section), and that business data for users is never persisted by our AI Partners.

  • AWS Sees business data: Our infrastructure is entirely hosted on AWS in the United States.
  • Google Cloud Platform (GCP) sees no business data: OAuth configurations used to facilitate Google Single-Sign-On and Google Drive integration are configured in Google Cloud projects
  • OpenAI Sees business data: We rely on many of OpenAI's models to give AI responses. Requests may be sent to OpenAI even if you have an Anthropic (or someone else's) model selected in chat (e.g. for summarization). OpenAI is not permitted to train on data from these requests.
  • Anthropic Sees business data: We rely on many of Anthropic's models to give AI responses. Requests may be sent to Anthropic even if you have an OpenAI (or someone else's) model selected in chat (e.g. for summarization). Anthropic is not permitted to train on data from these requests.
  • Fireworks: Sees voice data: We use Fireworks to process speech to text to enable you to talk to our AI. Voice data will be sent and transcribed if you use our voice to text feature, and only while using that feature. Fireworks is not permitted to train on your data and does not retain it.
  • MongoDB Atlas Sees business data: MongoDB is our primary data store and is used to store both customer data supplied to Stravu as well as analytics data. Our MongoDB infrastructure is hosted in AWS in the United States
  • Stytch Sees no business data: We use Stytch for user authentication and account control. Stytch sees user account info and emails but no business data.
  • PostHog Sees no business data: We use PostHog for some of our analytics data. No business data is stored with PostHog; only event data such as "number of AI requests
  • Intercom sees no business data: We use Intercom to provide customers a way to engage with us directly, as well as for hosting our product help pages. Intercom receives your name and email address as well as some analytics data. No business data is stored with Intercom.
  • Statsig sees no business data: We use Statsig to implement feature toggles and some analytics. Statsig receives your name and email address, and some analytics information. No business data is stored with Statsig.

None of our infrastructure is in China. We do not directly use any Chinese company as a subprocessor, and to our knowledge none of our subprocessors do either.

We assign infrastructure access to team members on a least-privilege basis. We enforce multi-factor authentication for AWS. We restrict access to resources using both network-level controls and secrets.

Notebook and Data Security

Stravu handles collaborative business projects, notebooks, and chats. To provide security:

  1. All notebook data is encrypted in transit and at rest using industry-standard encryption
  2. Collaborative editing uses secure WebSocket connections with end-to-end encryption
  3. Version history allows recovery from accidental changes or deletions, with 90 days of revision history

AI Requests

To provide its features, Stravu makes AI requests to our server. This happens for many different reasons. For example, we send AI requests when you ask questions about your business data, we send AI requests when analyzing a table, doing web research, preparing a diagram, and we may also send AI requests in the background for building up context or suggesting improvements to your decision-making processes.

An AI request generally includes context such as your recently viewed notebooks, your conversation history, and relevant pieces of business data based on your current workspace. This business data is sent to our infrastructure on AWS, and then to the appropriate language model inference provider (OpenAI/Anthropic) via their API. We require our AI Partners not to use your data in training.

You own all the content and analysis generated by Stravu.

External Integrations

Stravu offers integrations with platforms like Google Drive. These integrations:

  • Only access files and data you explicitly authorize
  • Use secure OAuth protocols for authentication with industry-standard security practices
  • Never store your credentials or authentication tokens beyond the session
  • Allow you to revoke access at any time through your account settings
  • Maintain audit logs of all integration activities

All integration data is handled with the same security standards as your primary Stravu data, including encryption in transit and at rest.

Account Deletion

You can delete your account at any time by emailing support[at]stravu[dot]com. We will delete all data associated with your account. We guarantee complete removal of your data within 30 days (we immediately delete the data, but some of our databases and cloud storage have backups of no more than 30 days).

Vulnerability Disclosures

If you believe you have found a vulnerability in Stravu, please email us at security@stravu.com. We commit to acknowledging vulnerability reports within 5 business days, and addressing them as soon as we are able to.