Security
How we protect your data, in plain English. Read our Privacy Policy for the full legal-grade version.
Encryption
- In transit: every connection between your device, Strata's backend, and our vendors uses TLS 1.2+ (the Cloud Run default issues TLS 1.3 where supported).
- At rest — database: our Postgres database (Cloud SQL) is encrypted at rest with Google-managed keys.
- Passwords: stored only as bcrypt hashes (salted). We never see your plaintext password.
Location & live sharing
- Strata requests precise location only for an active tour or an SOS, and iOS prompts you before any access. We do not track your location in the background outside of a tour.
- Live position sharing is scoped to the members of the specific tour you're on, and stops the moment the tour ends or you leave it.
- An SOS shares your coordinates and status only with your companions and records an incident marker so help can locate you.
- Apple HealthKit data (if you grant it) stays on your device and is never uploaded to our servers.
Authentication
- Email + password sign-in with bcrypt.
- Sign in with Apple supported in the iOS app.
- Optional biometric (Face ID) / passcode gate before opening the app.
- Backend session JWTs expire after 30 days.
AI features (Anthropic)
- Route-safety analysis uses Anthropic's Claude models. Only the data needed to produce a verdict — route geometry and public conditions data — is sent. Your identity is not.
- Anthropic does not train its models on data submitted via the API. See Anthropic's Privacy Policy.
Hosting and access control
- Strata's backend runs on Google Cloud Run; the database is Google Cloud SQL Postgres. Both in the United States.
- Production secrets (encryption keys, API keys, database password) live in Google Secret Manager and are mounted into the running service at boot — never checked into source control.
- Production access is limited to authorized engineering staff and is logged via Google Cloud audit logging.
- The Strata server is a managed serverless instance; we don't run our own SSH-able machines.
What we don't do
- We do not sell your data. Ever.
- We do not share your data with advertisers or data brokers.
- We do not use your location or activity data to build advertising audiences.
- We do not set tracking cookies or run analytics pixels on this website.
- We do not track your location when you're not on a tour.
Incident response
If we discover a security incident affecting your data, we will notify affected users by email within 72 hours of confirming the incident, with a description of what happened, what data was involved, and what you should do (if anything). We log production access continuously to speed up forensic review.
Reporting a vulnerability
Found something concerning? Email security@highloop.co (or support@highloop.co if the former bounces). We respond to all good-faith reports within 5 business days. Please don't publish the details until we've had a chance to fix them.