Security at Strand

Your experimental data is valuable. Here's how Strand protects it.

Data Isolation

Your data belongs to you, and only you. Isolation is built into the foundation of Strand.

  • Row-Level Security uses PostgreSQL's built-in policies to ensure queries can only access your data. Enforced at the database level, not just application code.
  • Per-request context establishes your identity before any database operations run. Even with connection pooling, your context stays isolated.
  • Defense in depth layers application-level checks on top of database policies. If one layer fails, another catches unauthorized access.
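The isolation model described above can be expressed directly in PostgreSQL. The following is an added illustration, not Strand's own schema or code; the table, column and setting names are assumptions, and it assumes the application connects as a single pooled role and passes the user's identity as a transaction-scoped setting.

```sql
-- Added illustration (not Strand's own schema): one way to express the isolation
-- described above in PostgreSQL. Table, column and setting names are assumptions.
CREATE TABLE measurements (
    id        bigserial PRIMARY KEY,
    owner_id  uuid NOT NULL,
    value     numeric NOT NULL
);

-- Once enabled, every statement against the table is filtered by the policy,
-- so a missing WHERE clause in application code cannot return another user's rows.
ALTER TABLE measurements ENABLE ROW LEVEL SECURITY;
ALTER TABLE measurements FORCE ROW LEVEL SECURITY;  -- policies apply to the table owner too

-- The policy takes the caller's identity from a session setting instead of the
-- database role, so one pooled application role can serve many users.
-- current_setting(..., true) returns NULL rather than erroring when the setting is
-- unset, and NULLIF turns an empty string into NULL, so "no context" matches no rows
-- (for reads via USING and for inserts/updates via WITH CHECK).
CREATE POLICY measurements_owner ON measurements
    USING      (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid)
    WITH CHECK (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid);

-- Per-request context: SET LOCAL is scoped to the enclosing transaction, so the
-- identity disappears at COMMIT/ROLLBACK and never leaks to the next request that
-- reuses the same pooled connection.
BEGIN;
SET LOCAL app.user_id = '6f1a3c2e-0000-4000-8000-000000000001';  -- constructed sample id
SELECT id, value FROM measurements;   -- only rows whose owner_id matches
COMMIT;

-- Outside that transaction the setting is absent, so the same query returns no rows.
SELECT id, value FROM measurements;
```

Using plain SET (session-scoped) instead of SET LOCAL would carry the identity across transactions on a pooled connection, which is the failure mode the per-request context is meant to prevent.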

Infrastructure

Strand runs on infrastructure with strong security track records.

Database

Your data lives in Neon PostgreSQL, a modern serverless Postgres platform:

  • TLS 1.3 encryption for all connections
  • Automatic daily backups with point-in-time recovery
  • Isolated compute environments

Hosting

The application runs on Vercel, which maintains SOC 2 Type II compliance (an independent audit verifying security controls meet industry standards).

File Handling

Strand doesn't store your raw files. When you upload a CSV or Excel file, it's parsed in your browser. Only the extracted measurements are sent to the server. SHA-256 hashing detects duplicates and maintains data integrity.

Authentication

Modern authentication practices keep your account secure.

  • Server-managed sessions with automatic expiration.
  • Secure cookies with HttpOnly, Secure, and SameSite attributes, so session cookies can't be read by page scripts, are sent only over HTTPS, and aren't attached to cross-site requests.
  • Password security with 8+ character minimum and bcrypt hashing (your actual password is never stored).
  • Email verification required for password resets.

Audit & Compliance

Traceability matters in bioprocess development. Strand has audit capabilities built in from day one.

  • Change logging records every create, update, and delete with who, when, and what.
  • Data provenance links every measurement back to its source file, import mapping, and transformations. You can always trace data to its origin.
  • Working toward formal compliance including 21 CFR Part 11 (FDA's electronic records standard) and SOC 2 Type II (independent security audit).

Roadmap

Security is never "done." Here's what's coming:

  • Encryption at rest with AES-256 for all stored data.
  • Two-factor authentication via TOTP (Google Authenticator, 1Password, etc.).
  • SSO integration with SAML 2.0 for enterprise identity providers (Okta, Azure AD, etc.).
  • Team workspaces with role-based access controls.
  • Read access logging for complete visibility into who viewed what.
  • Formal certifications including SOC 2 Type II and 21 CFR Part 11 validation.

A note on where things stand

Strand is early-stage, and so is its security posture. The fundamentals are solid, and I'm transparent about what's still on the roadmap. If you're in a highly regulated environment or need specific certifications, let's talk through your requirements.

Last updated: January 2026