Encryption at rest
All stored data encrypted with AES-256: documents, indexes, and backups.
Trust Center
Storia holds your drawings, correspondence, and claims evidence, some of the most sensitive data on a project. This page is the whole picture: how we encrypt it, who can reach it, where it lives, and exactly where we are on the road to SOC 2.
We're honest about where we are. Storia isn't SOC 2 certified yet: we're in active preparation. Rather than show badges we haven't earned, we show you the controls already in place and our timeline to certification.
Compliance & certifications
No overstated claims: just our real certification status, built on controls that are already running in production today.
Controls documented and being readied for an independent point-in-time audit.
Our controls are designed to run continuously, so proving them over time is the natural next step after Type I.
Security controls
Not aspirations: the controls protecting your project record right now. Filter by area, or see them all at once.
All stored data encrypted with AES-256: documents, indexes, and backups.
TLS 1.2+ (1.3 preferred) enforced on every connection; weak ciphers disabled.
Your data stays yours: full export on request, deletion on termination.
Single sign-on via your identity provider, so access follows your directory.
Granular roles scoped per record, mapped to project responsibilities.
MFA required for all internal and administrative access.
Deploys on AWS or Oracle Cloud (OCI), inheriting each provider's physical, network, and datacenter security.
Private networking and no direct public access to data stores.
Infrastructure health and dependency vulnerabilities watched 24/7.
Peer review, automated tests, and security checks gate every release.
Automated scanning of third-party packages with prioritized patching.
Third-party penetration testing is scheduled as part of our SOC 2 preparation.
Documented policies for access, data handling, and incident response.
A defined plan with owners and customer-notification commitments.
Your documents never train foundation models, ours or the provider's.
Inference runs under zero-retention, enterprise agreements with AI providers.
Data residency
Construction data often can't leave the jurisdiction. Because we're cloud-agnostic, running on AWS or Oracle Cloud, we can host your project record in the region and on the provider your contract demands.
Default for Canadian public-sector and infrastructure work with data-sovereignty terms.
For U.S.-based programs that require data to remain within the country.
Documents & resources
Some documents are public: grab them now. Others we share under NDA with prospective and current customers. Request access and our team will send them over.
A plain-language summary of how Storia protects your project record.
Request documentOur DPA covering data-processing roles, subprocessors, and data handling.
Request documentAvailable under NDA once our Type I audit completes. Request early access to be notified.
Request accessAvailable after our first penetration test engagement, shared under NDA.
Request accessCompleted CAIQ / SIG-style questionnaire for your procurement review.
Request accessContact
Whether you're reviewing Storia for a procurement, or you've found something we should know about, reach the right people directly.
Questions on our controls, residency, or documents for a vendor review: our team responds within two business days.
security@storiatechnologies.comFound a potential issue? Disclose it responsibly and we'll acknowledge, investigate, and keep you updated.
Responsible disclosureFAQ
Vendor review
Send us what your procurement or security review requires, and we'll respond quickly with the right documents and answers.