Security & SOC 2

SOC 2 commitment

Srasta is committed to SOC 2 Type I attestation by Q1 2027 and SOC 2 Type II attestation by Q4 2027. Drata is our compliance automation vendor; auditor selection from Drata's partner network is finalized within two weeks of seed-close. The Type I audit period runs Q4 2026, with the Type I report issued in Q1 2027. The Type II observation period runs from Q1 2027 through Q3 2027, with the Type II report issued by end of Q4 2027. Until then, our SOC 2 Common Criteria controls matrix and architectural data-flow diagram are the operative evidence artifacts for buyer security review.

Last updated 2026-04-29 · Detailed roadmap, vendor matrix, budget bands, and timeline-anchored milestones: PDF.

The four anchor documents

For any security review, design-partner conversation, or auditor sniff test, these four documents are the canonical sources. All four are versioned in the public repo and updated as the platform evolves.

Architecture & data-flow

Single-page architecture diagram. What runs where, where customer data lives, what leaves the perimeter, trust boundaries explicitly labeled, failure modes documented.

Download PDF →

SOC 2 controls matrix

Every SOC 2 Common Criteria control (CC1–CC9) mapped to current Srasta implementation, evidence pointer, and a status flag (shipped / partial / planned). Honest — no over-claiming.

Download PDF →

Privacy policy

What Gandiva itself processes (license-server, support, marketing — narrow). What it does NOT process (everything else, by architecture). GDPR / UK GDPR / CCPA rights, sub-processors, retention.

View privacy policy → · PDF

CAIQ Lite

Pre-drafted CAIQ Lite responses across all 17 CCM domains. ~45 questions, honest answers, reproducible evidence pointers. Paste-ready when a buyer's security team sends their questionnaire.

Download PDF →

What Srasta does not do

No customer data leaves the perimeter. Operational telemetry (install events, feature-touch counts, error class counts) is sent to Gandiva by default, but contains counts and shapes only — never prompt content, response content, document content, audit-log content, or end-user identifiers. Operators can disable telemetry entirely with SRASTA_TELEMETRY=off.

No SaaS multi-tenancy. Each customer install is its own deployment.

No data-plane routing through Gandiva. Even with a third-party LLM provider, the request flows customer-network → provider directly.

No backup of customer data on Gandiva infrastructure. Backups land in the customer's own object store.

No automatic update channel. Operators decide when (and whether) to apply each release.

Srasta's security posture is the architecture.

SOC 2 commitment

The four anchor documents

Architecture & data-flow

SOC 2 controls matrix

Privacy policy

CAIQ Lite

What Srasta does not do

Contact