Strum Security
Strum works with sensitive financial records, so this page explains what data we protect, which providers are involved, what limits apply and how to report a security issue.
At a glance
- Strum is not a broker, bank or investment adviser and does not execute trades on behalf of users.
- Full payment card details are not stored in Strum; payments are processed by WayForPay.
- The Strum backend is hosted on Hetzner infrastructure; database and authentication are provided through Supabase.
- Broker connections, when enabled by the user, run through Plaid. Strum receives permissioned portfolio data, not broker passwords directly.
- Google Analytics, Microsoft Clarity and Meta Pixel load only after separate consent for optional cookies.
1. Data Strum protects
Users may store portfolios, assets, transactions, broker imports, budgets, financial goals, notes, account settings and subscription history in Strum. This data is used to operate the service, perform calculations, provide analytics, support users and maintain security.
Strum does not store full payment card numbers and does not ask users to enter broker passwords directly into Strum.
2. Authentication and access
- Sign-in and sessions use Supabase Auth and supported OAuth/OTP flows.
- The public frontend uses only browser-intended public keys; secret server keys must not be exposed in client code.
- Access to user data should be limited through API authorization, database controls and server-side checks.
- Users are responsible for securing their email, devices, browser and account access.
3. Data, database and infrastructure
Strum uses Supabase for part of its database and authentication stack, and the Strum backend is hosted on Hetzner infrastructure. Supabase platform data is encrypted at rest with AES-256 and in transit with TLS; Supabase has SOC 2 Type 2 and ISO 27001. Hetzner has ISO/IEC 27001:2022 for data center infrastructure, operations and support.
Strum has not completed its own SOC 2 or ISO certification. We rely on provider infrastructure with relevant security controls and remain responsible for our own code, configuration, secrets, access controls and operational processes.
4. Broker sync through Plaid
When a user enables broker sync, Strum uses Plaid to connect to supported financial institutions. Plaid works with permissioned access, encrypted APIs, user-controlled connections and standards including ISO 27001, ISO 27701 and SSAE18 SOC 2.
Depending on the institution, Plaid connections may use OAuth/API or another Plaid flow. Strum does not see the broker password directly in the Strum interface; Strum receives data the user allowed Plaid to share, such as positions and transactions.
5. Payments
Subscriptions are processed by WayForPay. WayForPay supports 3-D Secure, PCI DSS, HTTPS and TLS for payment data transmission. Strum receives payment status, plan and service attributes, but does not store full card details.
6. Bot and abuse protection
Strum uses Cloudflare Turnstile on authentication forms to distinguish humans from automated traffic and reduce spam, credential stuffing and other abuse risks.
Turnstile processes minimal signals needed for bot detection, including IP address, TLS fingerprint, User-Agent, sitekey and origin.
7. Analytics, cookies and marketing tags
Optional Google Analytics, Microsoft Clarity and Meta Pixel tags are not required for account security and load only after the user grants cookie consent. If consent is rejected, Strum does not load the GTM container and attempts to clear known analytics cookies.
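The consent gate described above, as an added example written for this page rather than Strum's own code: the GTM container id is a placeholder, the cookie name prefixes are the usual ones written by Google Analytics, Microsoft Clarity and Meta Pixel (an assumption to verify against your own tag setup), and the env object stands in for the browser's document and location so the logic can run outside a browser.

```javascript
// Added example, not Strum's code: load the GTM container only after consent
// and, on rejection, expire known analytics cookies on a best-effort basis.
// Cookie name prefixes are the usual ones written by GA (_ga*, _gid, _gat*),
// Clarity (_clck, _clsk) and Meta Pixel (_fbp, _fbc); assumed, verify locally.
const ANALYTICS_COOKIE_PREFIXES = ['_ga', '_gid', '_gat', '_clck', '_clsk', '_fbp', '_fbc'];
const GTM_CONTAINER_ID = 'GTM-PLACEHOLDER'; // placeholder, not Strum's container id

// Parse a document.cookie string ("a=1; b=2") into its cookie names.
function cookieNames(cookieString) {
  return cookieString.split(';').map(s => s.trim()).filter(Boolean).map(s => s.split('=')[0]);
}

function isAnalyticsCookie(name) {
  return ANALYTICS_COOKIE_PREFIXES.some(p => name === p || name.startsWith(p + '_'));
}

// A cookie can only be expired with the same domain attribute it was set with.
// GA sets _ga on the registrable domain, so try the host and each parent domain.
function candidateDomains(hostname) {
  const labels = hostname.split('.');
  const domains = [''];
  for (let i = 0; i < labels.length - 1; i++) domains.push('.' + labels.slice(i).join('.'));
  return domains;
}

// Set-Cookie strings that expire every analytics cookie present in cookieString.
function expiredCookieStrings(cookieString, hostname) {
  const out = [];
  for (const name of cookieNames(cookieString)) {
    if (!isAnalyticsCookie(name)) continue;
    for (const d of candidateDomains(hostname)) {
      out.push(`${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/${d ? '; domain=' + d : ''}`);
    }
  }
  return out;
}

// env abstracts the browser (cookie jar, hostname, script injection) so the
// decision logic is testable without a DOM.
function applyConsent(choice, env) {
  if (choice === 'accepted') {
    env.addScript(`https://www.googletagmanager.com/gtm.js?id=${GTM_CONTAINER_ID}`);
    return { gtmLoaded: true, expired: [] };
  }
  const expired = expiredCookieStrings(env.cookie, env.hostname);
  expired.forEach(c => env.setCookie(c));
  return { gtmLoaded: false, expired };
}
// Browser wiring: applyConsent(choice, { get cookie() { return document.cookie; },
//   hostname: location.hostname, setCookie: s => { document.cookie = s; },
//   addScript: src => { const s = document.createElement('script'); s.async = true; s.src = src; document.head.appendChild(s); } });
```

Cookies set with a different path or by a third-party domain cannot be cleared this way, which is why the page calls this clearing an attempt.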
8. Account deletion and backups
Strum includes an account deletion button. After deletion starts, Supabase removes the email from the user auth record, and Strum account data is anonymized.
Some technical and financial records can remain in the production database for a limited period until full deletion by a scheduled cron job. Data can also temporarily remain in backups until the backup retention period ends. After account deletion, this data is not used for active account operation.
If a user has enabled broker sync through Plaid, access to the financial institution can also be revoked through available Plaid tools or on the financial institution side where supported.
9. Report an incident
If you notice a vulnerability, abuse or suspicious activity in your account, contact strum.yuinvest@gmail.com. Include the page, reproduction steps, event time, screenshots or other details, but do not send passwords, secret keys or full card details.