Skip to main content

Trust Center

Every answer is traceable. So is our security.

Storia holds your drawings, correspondence, and claims evidence, some of the most sensitive data on a project. This page is the whole picture: how we encrypt it, who can reach it, where it lives, and exactly where we are on the road to SOC 2.

Request documents

We're honest about where we are. Storia isn't SOC 2 certified yet: we're in active preparation. Rather than show badges we haven't earned, we show you the controls already in place and our timeline to certification.

Security posture · liveENV · PROD
EncryptionAES-256 at rest · TLS 1.2+ in transitActive
Access controlSSO · role-based · least privilegeEnforced
Audit trailEvery record action logged · tamper-evidentRecording
MonitoringInfra & dependency scanning24/7
BackupsEncrypted · point-in-time recoveryHealthy
SOC 2 Type I · in preparationChecked just now

Compliance & certifications

Exactly where we stand.

No overstated claims: just our real certification status, built on controls that are already running in production today.

In preparation

SOC 2 Type I

Controls documented and being readied for an independent point-in-time audit.

Actively in preparation
Planned

SOC 2 Type II

Our controls are designed to run continuously, so proving them over time is the natural next step after Type I.

Continuous-controls foundation in place

Security controls

What's running in production today.

Not aspirations: the controls protecting your project record right now. Filter by area, or see them all at once.

All 16 controlsLive in productionScheduled
Active
Data protection

Encryption at rest

All stored data encrypted with AES-256: documents, indexes, and backups.

Active
Data protection

Encryption in transit

TLS 1.2+ (1.3 preferred) enforced on every connection; weak ciphers disabled.

Active
Data protection

Data ownership & export

Your data stays yours: full export on request, deletion on termination.

Active
Access & identity

SSO / SAML

Single sign-on via your identity provider, so access follows your directory.

Enforced
Access & identity

Role-based access

Granular roles scoped per record, mapped to project responsibilities.

Enforced
Access & identity

Multi-factor auth

MFA required for all internal and administrative access.

Active
Infrastructure

Cloud-agnostic hosting

Deploys on AWS or Oracle Cloud (OCI), inheriting each provider's physical, network, and datacenter security.

Active
Infrastructure

Network isolation

Private networking and no direct public access to data stores.

Active
Infrastructure

Continuous monitoring

Infrastructure health and dependency vulnerabilities watched 24/7.

Active
App security

Secure SDLC

Peer review, automated tests, and security checks gate every release.

Active
App security

Dependency scanning

Automated scanning of third-party packages with prioritized patching.

Scheduled
App security

Penetration testing

Third-party penetration testing is scheduled as part of our SOC 2 preparation.

Active
Organizational

Security policies

Documented policies for access, data handling, and incident response.

Active
Organizational

Incident response

A defined plan with owners and customer-notification commitments.

Enforced
AI & data use

No training on your data

Your documents never train foundation models, ours or the provider's.

Active
AI & data use

Enterprise AI terms

Inference runs under zero-retention, enterprise agreements with AI providers.

Data residency

Your record lives where your contract requires.

Construction data often can't leave the jurisdiction. Because we're cloud-agnostic, running on AWS or Oracle Cloud, we can host your project record in the region and on the provider your contract demands.

CanadaCentral Canada

Canada region

Default for Canadian public-sector and infrastructure work with data-sovereignty terms.

United StatesEast / West

U.S. regions

For U.S.-based programs that require data to remain within the country.

Provider and region are set at onboarding and changed only at your request.

Documents & resources

Read the details, or request the rest.

Some documents are public: grab them now. Others we share under NDA with prospective and current customers. Request access and our team will send them over.

Public

Security overview

A plain-language summary of how Storia protects your project record.

Request document
Public

Data Processing Addendum

Our DPA covering data-processing roles, subprocessors, and data handling.

Request document
On request

SOC 2 report

Available under NDA once our Type I audit completes. Request early access to be notified.

Request access
On request

Penetration test summary

Available after our first penetration test engagement, shared under NDA.

Request access
On request

Security questionnaire

Completed CAIQ / SIG-style questionnaire for your procurement review.

Request access

Contact

Talk to us about security.

Whether you're reviewing Storia for a procurement, or you've found something we should know about, reach the right people directly.

Security & procurement

Questions on our controls, residency, or documents for a vendor review: our team responds within two business days.

security@storiatechnologies.com

Report a vulnerability

Found a potential issue? Disclose it responsibly and we'll acknowledge, investigate, and keep you updated.

Responsible disclosure

FAQ

Common questions.

Not yet, and we won't say otherwise. We're in active preparation for a SOC 2 Type I audit, with the underlying controls (encryption, access control, audit logging, monitoring) already running in production. Type II is the planned next step. Request early access above to be notified when the report is available.

Vendor review

Get the documents your team needs.

Send us what your procurement or security review requires, and we'll respond quickly with the right documents and answers.

Trust & Security: How Storia Protects Your Record · Storia