Technical Security and Data Protection

Strand Trust Center

Strand Intelligence is a DFIR platform that handles sensitive forensic evidence and incident findings. Security controls are built into infrastructure, access, and application design rather than added as a final step.

Last Updated

2026-03-04

Primary Contact

[email protected]

Data Residency Baseline

United Kingdom

Customer investigation data is hosted in United Kingdom infrastructure. Frontend code is globally distributed for performance, but customer data is retrieved from UK-hosted systems.

Assurance Snapshot

These controls represent currently implemented safeguards. This section is intentionally technical and based on verifiable platform controls.

UK Data Residency

Customer evidence and investigation data are hosted in UK infrastructure.

Primary data services operate in AWS London (eu-west-2) with UK residency controls.

Security Overview v1.0, Data residency section

Encryption at Rest

Stored application data is encrypted at rest.

PostgreSQL data is protected with AES-256 encryption-at-rest controls.

Security Overview v1.0, Database security section

Encryption in Transit

Service-to-service and user traffic is encrypted in transit.

Platform communications are served over TLS 1.2 or higher.

Security Overview v1.0, Frontend and database transport sections

Backend Access Controls

Privileged backend access is controlled through layered authentication.

Access combines allowlisting, client certificate requirements, credentials, and OTP MFA.

Security Overview v1.0, Backend access controls section

Tenant Isolation

Data access boundaries are enforced at the database-policy level.

Row-level security validates user session state, organization membership, and investigation-level authorization before records are returned.

Security Overview v1.0, Row-level security section

Cyber Essentials

Strand currently holds Cyber Essentials.

Trust-center assurance statements focus on controls that are implemented and verifiable in the current environment.

Current external certification status

Architecture Layers

Strand is designed with separated tiers so that compromise of one layer does not inherently expose another.

Frontend Layer

Layer Control Set

Next.js web application hosted on Vercel with authenticated access via Supabase Auth.

  • TLS 1.2+ in transit for frontend-to-backend communication.
  • No customer investigation data stored at the edge.
  • Session handling via signed JWT tokens.

Investigation Backend

Layer Control Set

Dedicated UK-hosted compute tier used for evidence processing and investigation workflows.

  • Network-level allowlisting for backend access paths.
  • Mutual TLS, credentials, and OTP-based MFA for privileged access.
  • Layered filtering and route hardening to reduce direct-origin exposure.

Data Stores

Layer Control Set

PostgreSQL and ClickHouse data stores, each scoped to its function and secured independently.

  • AES-256 at-rest encryption for PostgreSQL data.
  • Row-level security with JWT-backed authorization checks.
  • Organization and investigation-level access boundaries enforced in database policy.

Control Families

Strand control statements are organized into practical implementation families used during security diligence.

Access Control

Controls governing privileged access to backend infrastructure and investigation data.

4 controls published

Data Protection

Controls focused on confidentiality, isolation, and residency of investigation data.

4 controls published

Infrastructure Security

Controls reducing exposure of backend services and protecting service perimeters.

4 controls published

Application Security

Identity, session, and API-layer controls in the application stack.

4 controls published

Operational Security

Monitoring, key management, and response-oriented operational controls.

4 controls published
