Trust, by construction.
Strathon is a security product, built to be inspected. It's open source (you can read every line) and it ships the controls security teams expect.
Encryption
TLS in transit; encryption at rest. MFA secrets encrypted with a dedicated key.
Authentication
Argon2id password hashing, optional TOTP MFA, login rate limiting, configurable session TTL.
Signed audit log
Append-only audit trail with an HMAC hash chain, tamper-evident by design.
Access control
Role-based access control with scoped API keys and least-privilege defaults.
Compliance evidence
EU AI Act evidence export (Articles 9–15, 19) and NIST AI RMF risk scoring built in.
Coordinated disclosure
A clear path to report vulnerabilities, with acknowledgement and remediation.
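The signed audit log above rests on an HMAC hash chain: each entry's tag covers the previous tag, its sequence number and its own contents, so editing, reordering or deleting an entry breaks every later tag. The following is an added illustration of that construction, not Strathon's own code; the key, event fields and log entries are constructed for the demo.

```python
import hmac, hashlib, json

# Constructed demo key; a real deployment loads it from a secret store,
# kept apart from the log storage so a log writer cannot re-chain.
KEY = b"demo-audit-hmac-key"
GENESIS = b"\x00" * 32  # chain anchor for the first entry

def _canonical(event: dict) -> bytes:
    # Deterministic serialisation so the same event always MACs the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def append_entry(log: list, event: dict, key: bytes = KEY) -> dict:
    """Append an event, tagging it with HMAC(key, prev_tag || seq || event)."""
    prev_tag = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    seq = len(log)
    msg = prev_tag + seq.to_bytes(8, "big") + _canonical(event)
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    entry = {"seq": seq, "event": event, "tag": tag}
    log.append(entry)
    return entry

def verify_chain(log: list, key: bytes = KEY):
    """Return (True, None) if intact, else (False, first bad sequence number)."""
    prev_tag = GENESIS
    for expected_seq, entry in enumerate(log):
        if entry["seq"] != expected_seq:
            return False, expected_seq  # gap, reorder or deletion in the middle
        msg = prev_tag + expected_seq.to_bytes(8, "big") + _canonical(entry["event"])
        want = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, entry["tag"]):
            return False, expected_seq  # modified entry or forged tag
        prev_tag = bytes.fromhex(entry["tag"])
    return True, None

def demo():
    log = []
    append_entry(log, {"actor": "alice", "action": "login"})
    append_entry(log, {"actor": "alice", "action": "create_api_key", "scope": "read"})
    append_entry(log, {"actor": "bob", "action": "delete_policy", "id": 7})
    ok_before = verify_chain(log)
    # Tamper: rewrite bob's action without the key; the tag no longer matches.
    log[2]["event"]["action"] = "read_policy"
    ok_tampered = verify_chain(log)
    # Restore, then silently drop the middle entry; the chain breaks at seq 1.
    log[2]["event"]["action"] = "delete_policy"
    del log[1]
    ok_deleted = verify_chain(log)
    return ok_before, ok_tampered, ok_deleted
```

Truncating the tail is the one change the chain alone cannot reveal, so the latest tag should be anchored outside the log (a second system or a signed timestamp) on a schedule. Verification must run with the same key, and anyone holding that key can re-chain, so it is a secret to protect, not a published value.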
Compliance
We are building toward formal attestations such as SOC 2 as the managed cloud matures. None are certified yet, and we will say so plainly until they are. What exists today is concrete: Strathon supports customer compliance with the GDPR (via the DPA and data export/deletion), provides EU AI Act evidence export aligned to Articles 9–15 and 19, and includes NIST AI Risk Management Framework risk scoring. HIPAA BAAs and data residency are planned for Enterprise when the managed cloud launches.
Reporting a vulnerability
We welcome coordinated disclosure. If you believe you've found a security issue, email security@getstrathon.com with details and reproduction steps. Please do not publicly disclose until we've had a reasonable opportunity to remediate. We will acknowledge your report, keep you updated, and credit you if you wish.
Please do not run intrusive scans against the managed cloud; test against a self-hosted instance instead.
Supply chain
Releases are published to PyPI. We pin dependencies, run static security analysis (Bandit) in CI, and keep the dependency surface small. Because the project is open source, the full build is auditable.