This page gives a brief overview of the security procedures that we follow in building the Strapho company and product.

We understand the critical importance of information security in today's digital landscape. We prioritize our security measures and maintain the highest standards by implementing industry-standard security best practices.


Strapho does not share any of your data with, or sell it to, other sources. You can read more information about how seriously we take your privacy at


We use Amazon AWS S3 service and Vercel deployments to host our technical infrastructure and servers. Amazon AWS has PCI-DSS Level 1 Service Provider compliance, ISO 27001 certification, and SAS-70 Type II and SSAE16. Vercel has SOC 2 and GDPR Compliance globally.


Ongoing monitoring of system access logs and anonymized network traffic helps us detect and respond to potential security incidents, reducing the likelihood of customer data being compromised and increasing the reliability of our servers 24x7. All engineers are trained in incident response and are able to respond to incidents in a timely manner.


We process payments with Stripe, which is a fully PCI-compliant service provider. They are certified with PCI DSS v3.2.1 compliance.

Strapho does not process or store any payment information.

Development Process

We employ both internal and external testing and validation of our development process.

Our application and code are scanned for static and dynamic code vulnerabilities. All engineers receive training and guidance on best-in-industry security practices.

Data encryption

Encryption of sensitive data helps to ensure that the data cannot be accessed or read by unauthorized parties. We work with Amazon AWS and encrypt and cache our database, which safeguards data in transit or at rest and allows customers to feel safe when using our product.

How to report a vulnerability

You can report vulnerabilities by email to

Please provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.

If you have followed the instructions above, we will not take any legal action against you in regard to the report. We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission. We will keep you informed of the progress towards resolving the problem. In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise). We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.


If you have questions or have found a suspected vulnerability, you can contact us at