StratumBase Security Whitepaper
StratumBase is a privilege-preserving AI document platform built for transactional and regulatory legal practice — diligence rooms, lender questionnaires, multi-state compliance audits, and matter-bound research. Customer document content never reaches a third-party AI provider. The architecture is HIPAA-capable for healthcare-adjacent legal work and supports a Business Associate Agreement (BAA) chain on request. This document summarizes our current security posture for procurement and information-security review.
Architecture at a glance
- Three databases separate concerns: an accounts DB for identity, a dedicated Postgres DB per tenant for matter content, and a shared regulatory corpus DB that never holds client data.
- Ingestion runs on a worker process and pulls from SharePoint and Google Drive over OAuth-scoped HTTPS; bytes are chunked, embedded, and indexed inside the tenant's database.
- Inference runs on GPU pods we operate. No customer prompt or chunk is sent to a hyperscale LLM API.
Encryption
- At rest: Sensitive columns are encrypted with Fernet (AES-128-CBC + HMAC-SHA256) via a SQLAlchemy type decorator that encrypts on write and decrypts on read. Encrypted columns include chunk content, original document bytes, chat steps, OAuth tokens, citation text, and document insights.
- In transit: TLS 1.2+ at the Railway edge and on internal connections to managed Postgres and inference pods. HSTS is set with a long max-age and preload.
- Key management: A single platform encryption key is held as a Railway secret, separate from the database. Database-only compromise yields ciphertext, not cleartext. Tenant-database connection URLs are themselves Fernet-encrypted at rest.
- Roadmap: per-tenant key derivation (HKDF) and operational key rotation are designed and tracked but not yet shipped — see Roadmap & transparency.
Tenant isolation
Each customer is provisioned a physically separate Postgres
database. The application resolves a tenant identifier to a database
connection at request time and routes all queries to that database.
A bug that omits an in-query tenant_id filter cannot
leak data across customers because the database itself is
different. As defense-in-depth, every per-tenant table also carries
a tenant_id column and queries filter on it.
No third-party LLM exposure
This is the load-bearing claim of our security model and the reason regulated practices choose us. There is no code path from StratumBase to OpenAI, Anthropic, Cohere, or any other third-party AI provider. Chat inference uses self-hosted Ollama on our GPU pod; background inference uses self-hosted vLLM on our endpoint; embeddings are computed locally. Customer document content, queries, and intermediate reasoning steps never leave infrastructure we operate.
Audit logging
Document access, search queries, citation crops, file downloads,
authentication events, owner-level tenant switches, and OAuth
grants/refreshes/revocations are recorded to append-only audit
tables. Database-level triggers reject UPDATE,
DELETE, and TRUNCATE against audit tables
so the trail cannot be silently rewritten. Owner-initiated tenant
switches require a categorized reason for emergency-access review.
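The append-only behaviour described above can be checked by attempting each rewrite path and confirming the database refuses it. This is an added example, not StratumBase's schema: SQLite stands in for Postgres, and the table and trigger names are hypothetical.

```python
import sqlite3

# SQLite stands in for Postgres; table and trigger names are hypothetical.
SCHEMA = """
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY, actor TEXT NOT NULL, event TEXT NOT NULL, at TEXT NOT NULL);
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

def open_audit_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def record(db, actor, event, at):
    """Appending is the only write the table accepts."""
    db.execute("INSERT INTO audit_log (actor, event, at) VALUES (?, ?, ?)",
               (actor, event, at))

def tamper_report(db):
    """Try each rewrite path; map attempt name -> True if the database rejected it."""
    attempts = {
        "update": "UPDATE audit_log SET actor = 'nobody' WHERE id = 1",
        "delete_row": "DELETE FROM audit_log WHERE id = 1",
        "delete_all": "DELETE FROM audit_log",  # closest SQLite analogue of TRUNCATE
    }
    report = {}
    for name, sql in attempts.items():
        try:
            db.execute(sql)
            report[name] = False          # statement went through: trail is rewritable
        except sqlite3.DatabaseError:
            report[name] = True           # trigger aborted the statement
    return report
```

In Postgres, row-level triggers do not fire on TRUNCATE, so it needs its own statement-level BEFORE TRUNCATE trigger. A database role that can drop or disable triggers can still bypass this control, so the check is only as strong as the privileges on the audit tables.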
Session controls
- 15-minute idle session timeout.
- User-active state is re-checked on every message, not only on OAuth re-validation.
- Programmatic API keys are stored as HMAC-SHA256 digests keyed with a server-side secret and carry an explicit expiry timestamp.
- OAuth refresh tokens are encrypted at rest and rotated with compare-and-set protection against replay.
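An added example, not StratumBase's code, of the two storage patterns in the list above: API keys kept only as keyed HMAC-SHA256 digests with an expiry, and a compare-and-set update for rotated refresh tokens. SQLite stands in for Postgres; the table names, column names, and version counter are assumptions, and the token blob is treated as ciphertext that was encrypted before it reached this code.

```python
import hashlib, hmac, secrets, sqlite3

SERVER_SECRET = secrets.token_bytes(32)  # assumption: stands in for the server-side secret

def key_digest(api_key: str) -> str:
    """HMAC-SHA256 of the key; only this digest is stored, never the key itself."""
    return hmac.new(SERVER_SECRET, api_key.encode(), hashlib.sha256).hexdigest()

def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")  # SQLite stands in for Postgres
    db.execute("CREATE TABLE api_keys (digest TEXT PRIMARY KEY, owner TEXT, expires_at REAL)")
    db.execute("CREATE TABLE oauth_tokens (grant_id TEXT PRIMARY KEY, blob BLOB, version INTEGER)")
    return db

def issue_api_key(db, owner: str, expires_at: float) -> str:
    api_key = secrets.token_urlsafe(32)  # returned to the caller once, not persisted
    db.execute("INSERT INTO api_keys VALUES (?, ?, ?)",
               (key_digest(api_key), owner, expires_at))
    return api_key

def verify_api_key(db, presented: str, now: float):
    """Return the owner, or None if the key is unknown or at/past its expiry."""
    row = db.execute("SELECT owner, expires_at FROM api_keys WHERE digest = ?",
                     (key_digest(presented),)).fetchone()
    if row is None or now >= row[1]:
        return None
    return row[0]

def rotate_refresh_token(db, grant_id: str, seen_version: int, new_blob: bytes) -> bool:
    """Compare-and-set: write only if nobody has rotated since seen_version was read."""
    cur = db.execute(
        "UPDATE oauth_tokens SET blob = ?, version = version + 1 "
        "WHERE grant_id = ? AND version = ?",
        (new_blob, grant_id, seen_version))
    return cur.rowcount == 1  # False: a stale or replayed rotation lost the race
```

A `False` from `rotate_refresh_token` means the caller held an outdated token; it should re-read the row rather than retry the write.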
HIPAA posture
StratumBase is HIPAA-capable — our infrastructure providers (Railway, RunPod) are HIPAA-eligible and a BAA chain is available on request to support healthcare-adjacent legal matters. We do not currently operate under signed BAAs by default for every beta customer; because of its cost and complexity, full operational HIPAA mode is deprioritized until a healthcare-anchor customer engages. The technical safeguards (encryption, access control, audit, transmission security) are in place today; the administrative paperwork is on-demand.
Beta posture
StratumBase is in beta. Customers should expect that features, accuracy, and pricing may change as the product matures, and that availability targets are not yet underwritten by a paid SLA. What does not change in beta: our privacy and security commitments. Encryption, tenant isolation, audit logging, and the no-third-party-LLM architecture are not softened by beta status.
Roadmap & transparency
The following items are designed and tracked but not yet shipped. We list them explicitly because procurement teams should know what we have not done as well as what we have:
- Per-tenant HKDF-derived encryption keys (today: one platform key across tenants).
- Third-party penetration test (planned before first enterprise customer).
- SOC 2 Type II attestation (planned after third paying customer).
- Operational key-rotation runbook with versioned key prefixes.
- Hard-delete of soft-deleted chat content for full deletion requests.
- Customer-managed keys / key escrow (enterprise tier; not on the beta roadmap).
Contact
For BAA requests, vendor questionnaires, security review calls, or to request the canonical PDF version of this document, contact hello@stratumbase.ai.