Security & Data Residency

Your data, your region.

Strova is headquartered in Singapore and operates across the Asia-Pacific region. Data is stored in Australia by default, with Singapore also available. Enterprise plans can specify their own residency region to meet local compliance requirements.

🇦🇺

Australia

australia-southeast2 · Melbourne

The default region for all Strova workspaces. Your database, file storage, and server-side processing run entirely within Australia and do not leave the country during normal operation.

🇸🇬

Singapore

asia-southeast1 · Singapore

Strova's headquarters region. Available as a native residency option for teams operating primarily out of Singapore or requiring data to remain within Singapore's jurisdiction.

⚙️

Your region

Enterprise plans

Enterprise customers can specify their own data residency region to satisfy local compliance, regulatory, or contractual requirements. Supported regions span Google Cloud's global infrastructure.

How we protect your data

Six layers of protection

Encrypted at rest

All database records and uploaded files are encrypted at rest using AES-256, managed by Google Cloud. No additional configuration required — it is on by default for every byte stored.

Encrypted in transit

All traffic is served exclusively over HTTPS. HTTP connections are not accepted. HSTS is enforced with a one-year max-age, including subdomains, preventing any unencrypted access.

Role-based access control

Access is enforced at the database layer — not just the UI. Every read and write is checked against the requesting user's role. Unauthenticated access to any data is not possible.

Tenant isolation

Every workspace is isolated at the database rules layer. A user in one organisation cannot access another organisation's projects, documents, or correspondence — regardless of any application-level logic.

Audit trail on every record

All major records — defects, documents, RFIs, actions, correspondence — maintain a full audit log of every state change: who made it, when, and what changed. This log cannot be edited by users.

No analytics or tracking

Strova contains no third-party analytics, ad trackers, or behavioural profiling tools. No data is shared with advertising networks. Interest-cohort tracking (FLoC) is explicitly disabled.

Access control

Who can see what

Strova uses three user roles per project. Permissions are enforced server-side — changing the URL or API request cannot bypass them.

Project Admin
Full read and write access to all project data. Can manage members, export records, and configure project settings.
Project Member
Read and write access scoped to their company's records within the project. Cannot view other companies' internal notes or private correspondence.
Client
Read access to all project records shared with them. Write access limited to their own company-scoped submissions.
Unauthenticated
✕ No access  No data is readable without a valid authenticated session. All API paths require authentication.
Infrastructure

Built on Google Cloud Platform

Strova runs entirely on Firebase and Google Cloud services. Google holds the following certifications relevant to enterprise and government customers across the Asia-Pacific region.

ISO/IEC 27001
Information security management systems
ISO/IEC 27017
Cloud-specific security controls
ISO/IEC 27018
Protection of personal data in the cloud
SOC 1 / 2 / 3
Service organisation controls, independently audited
IRAP Assessed
Australian Government Information Security — assessed for australia-southeast regions
PCI DSS
Payment card industry data security standard
CSA STAR
Cloud Security Alliance — Level 2 certified
FedRAMP
US Federal Risk and Authorisation Management Program

Google Cloud's full compliance documentation is available at cloud.google.com/compliance

Browser security

Security headers on every response

Every response from app.strovapi.com includes the following HTTP security headers, applied at the hosting layer — they cannot be bypassed by application code.

Header Purpose
Strict-Transport-Security Enforces HTTPS for 1 year across all subdomains. Preload-eligible — major browsers will never attempt an unencrypted connection.
Content-Security-Policy Restricts which scripts, styles, and resources can load. Inline scripts from unknown sources are blocked. Framing is denied entirely.
X-Frame-Options DENY — the application cannot be embedded in an iframe on any external site, preventing clickjacking attacks.
X-Content-Type-Options nosniff — browsers cannot override the declared content type, preventing MIME-sniffing attacks.
Referrer-Policy strict-origin-when-cross-origin — limits referrer information sent to external sites.
Permissions-Policy Microphone, geolocation, and interest-cohort tracking are explicitly disabled. Camera access is restricted to the application itself.
Quick reference

Data & infrastructure summary

Default data region
australia-southeast2 — Melbourne, Australia
Available regions
australia-southeast2 Australia  ·  asia-southeast1 Singapore
Enterprise residency
Enterprise plans can select any supported Google Cloud region. Contact us to configure a custom residency requirement.
Database
Google Cloud Firestore — stored in the workspace's configured region
File storage
Google Cloud Storage — stored in the workspace's configured region
Server functions
Google Cloud Functions — co-located with the database in the same region
Authentication
Firebase Authentication — Google-managed identity service
Encryption at rest
AES-256 — Google Cloud platform default, applied to all data
Encryption in transit
TLS — enforced via HSTS, one-year max-age, preload eligible
Email delivery
SendGrid — transactional notifications only. No marketing data or behavioural tracking is shared.
Third-party analytics
None  No analytics, ad trackers, or profiling tools are present in the application.
Penetration testing
Available on request for enterprise engagements. Contact us to discuss.

Questions about your specific requirements?

Enterprise deployments, government projects, and clients with specific compliance obligations — talk to us directly.

Contact the team → See platform features