Version 1.0 | December 17th, 2024
At Straum, security is not an afterthought—it's the foundation of everything we build. Our capital raise orchestration platform is designed with a security-first approach, ensuring that sensitive investment data and communications are protected by multiple layers of defense.
This whitepaper outlines our comprehensive security architecture, practices, and protocols. We believe in transparency and want our users to understand exactly how we protect their information.
• Deterministic - Predictable, verifiable state transitions
• Private - Your data belongs to you alone
• Secure - Industry-standard encryption and protection
• Transparent - Open about our security practices
• Compliant - Adherence to financial industry standards
Straum employs a multi-layered security architecture designed to protect against various threat vectors while maintaining high performance and availability.
We implement a zero-trust security model where no user or system is trusted by default. Every request is authenticated, authorized, and encrypted regardless of origin.
Each firm's data is processed in isolated environments with strict access controls. Deal data, investor information, and communications are cryptographically separated and cannot be accessed by other organizations.
Our system maintains a complete audit trail of all state transitions. Every action is logged, timestamped, and immutable, ensuring full transparency and accountability throughout the capital raise process.
We employ industry-leading encryption standards to protect your data at every stage of its lifecycle.
• AES-256 encryption
• Hardware security modules (HSM)
• Encrypted database storage
• Secure key management
• TLS 1.3 protocol
• Perfect forward secrecy
• Certificate pinning
• Encrypted API communications
All encryption keys are managed through a secure key management system with the following features:
We implement strict access control measures to ensure that only authorized individuals can access sensitive systems and data.
All user accounts and administrative access require multi-factor authentication. We support hardware tokens, authenticator apps, and biometric authentication.
Access permissions are granted based on the principle of least privilege. Users receive only the minimum access necessary to perform their duties.
Our infrastructure is hosted in secure, certified data centers with multiple layers of physical and digital security.
We utilize enterprise-grade cloud infrastructure with:
Our email infrastructure includes:
We follow secure development practices including:
We maintain 24/7 security monitoring to detect and respond to potential threats in real time.
Our systems continuously monitor for:
• Unauthorized access attempts
• Unusual data access patterns
• Email security threats
• Data integrity violations
• System anomalies
• Failed authentication attempts
• Configuration changes
• API security events
All system activities are logged and retained for forensic analysis. Logs include user actions, system events, and security-related activities. Logs are encrypted, tamper-proof, and retained for a minimum of 1 year.
We integrate threat intelligence feeds to stay informed about emerging threats and vulnerabilities, allowing us to proactively protect our systems.
We maintain a comprehensive incident response plan to quickly identify, contain, and remediate security incidents.
• Automated systems and SOC analysts identify potential security incidents
• Incident severity is evaluated and the response team is activated
• Immediate actions are taken to isolate and contain the incident
• The root cause is identified and eliminated from affected systems
• Systems are restored to normal operation with enhanced security
• Lessons learned are documented and security measures are improved
In the event of a security incident that affects customer data, we will notify affected parties within 72 hours in accordance with applicable regulations. Notifications will include details about the incident, affected data, and steps being taken to address the situation.
Straum maintains compliance with relevant industry standards and regulations to ensure the highest level of security and privacy protection.
We adhere to industry standards for handling sensitive financial information and investor data.
Our practices align with GDPR requirements for data protection and privacy.
We comply with California Consumer Privacy Act requirements for data handling and user rights.
All legal documents and signatures are processed through certified third-party providers with industry-standard security.
We conduct regular security assessments to identify and address potential vulnerabilities in our systems.
Automated vulnerability scans run continuously across our infrastructure, with critical vulnerabilities addressed promptly.
All code changes undergo security review to ensure adherence to secure coding practices and industry standards.
Our employees are our first line of defense. We invest heavily in security training and awareness.
All employees undergo comprehensive background checks before being granted access to systems.
Mandatory security awareness training is conducted during onboarding and quarterly thereafter, covering topics like phishing, social engineering, and secure coding practices.
Employee access rights are reviewed quarterly to ensure they remain appropriate for their role.
If you have security concerns or wish to report a vulnerability, please contact our security team immediately:
We appreciate responsible disclosure and will work with security researchers to address any legitimate vulnerabilities.