Security & Trust

Last updated: 2026-04-17

Security is a first-class feature of Stride. This page summarises our controls and commitments. For an in-depth discussion, or to request our SOC 2 report / pen-test summary under NDA, email info@newlightai.com.

Encryption

TLS 1.2+ in transit. AES-256 at rest. Passwords hashed with bcrypt (cost 12). Secrets stored in Vercel Env / AWS Secrets Manager.

Access controls

Least-privilege access to production. MFA required for all production systems. Admin impersonation is logged and visibly flagged to users.

Compliance

SOC 2 Type I: in progress (target: Q3 2026). Annual third-party penetration test. GDPR-compliant data handling; DPA available on request.

Data residency

Data currently hosted in the United States. EU-only deployments available on the Enterprise plan.

Vendor management

All subprocessors reviewed and contractually bound to equivalent protections. Full list at /legal/subprocessors.

Resilience

99.5% uptime SLA target for Pro, 99.95% for Enterprise. Automated backups with point-in-time recovery. Quarterly restore drills.

Infrastructure

  • Application hosting on Vercel (SOC 2 Type II, ISO 27001).
  • Database on Neon (SOC 2 Type II, encrypted at rest with AES-256).
  • Rate-limit + cache via Upstash Redis.
  • Transactional email via Resend with SPF / DKIM / DMARC enforcement on newlightai.com.
  • Monorepo + CI/CD on GitHub with branch protection and required reviews.

Application security

  • All inputs validated with Zod schemas server-side.
  • Rich-text content sanitised before storage to prevent stored XSS.
  • CSRF-safe by default (SameSite session cookies; POST endpoints accept only JSON bodies, which cross-site HTML forms cannot send).
  • Rate limiting on all authentication endpoints and global per-user API limits.
  • Dependency vulnerabilities scanned on every PR via GitHub Dependabot.
  • Secret-scanning on every commit via Gitleaks (.github/workflows/gitleaks.yml).
  • Content Security Policy and full security-headers suite via Next.js.

AI data handling

  • We do not use your content to train shared AI models.
  • Providers configured with zero-retention settings where available.
  • Every AI call attributes provider, model, and cost for auditability.
  • Per-workspace AI spend caps to prevent runaway usage.

Operational security

  • Sentry captures errors with PII redacted at source.
  • On-call rotation with PagerDuty for customer-impacting incidents.
  • Incident postmortems published within 5 business days on status.newlightai.com.
  • Access reviews on a quarterly cadence for all production systems.

Responsible disclosure

Security researchers welcome

If you believe you've found a security issue, please email info@newlightai.com with a proof-of-concept. We acknowledge within 24 hours, patch critical issues within 7 days, and publicly credit researchers (if you'd like).

Full policy: security.txt

Contact