Security isn't a feature. It's the foundation.
Every release of STRATUS AccessGov passes through 2,042 deterministic security gates before it ships. Every policy decision is hash-chained and locked into immutable storage. Every connection between us and your environment is outbound-only mTLS.
This is what we mean by hardened governance for complex reality.
Marketing claims aren't trust signals. Numbers your auditor can verify are.
Most IGA vendors are deliberately vague about what data leaves your environment. We're not.
NIST 800-53 Control Alignment PDF
Technical alignment only. Not certification. Final control satisfaction depends on customer configuration, operating procedures, and shared responsibility.
| Data Type | Stored by STRATUS? | Encrypted? | Retention | Customer Control |
|---|---|---|---|---|
| Identity Metadata | Yes | AES-256 | Configurable | BYO-KMS Integration |
| Passwords / Secrets | NEVER | N/A | N/A | Pass-through Only |
| Access Decisions | Yes | AES-256 | 7-Year Option | Immutable Export |
| Audit Logs / Evidence | Yes | AES-256 (customer CMK) · SHA-256 hash-chained for integrity | 7-Year Option | S3 Object Lock (Compliance Mode) |
Every vendor lists what they can do. Almost none list what they refuse to do. These are the design constraints we hold even when a feature request asks us to break one.
The Hybrid Connectivity Gateway (HCG) only dials out. There is no inbound listener, no VPN, and no inbound firewall change request. If your environment requires a platform that opens an inbound listener in order to operate, we are not your platform.
Credentials pass through and are not retained. We do not have a vault for your secrets. We integrate with HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault — we never become the source of truth for the secrets themselves.
STRATUS is a governance layer that sits alongside Okta, Entra, Ping, and ForgeRock. Your IdP remains your IdP. We govern access decisions, run certifications, automate offboarding, and produce evidence — we do not authenticate users.
No revoke fires without a customer-configured approval policy. Two-person approval for elevated revokes is the default. The blast radius is yours to define.
Every closed-loop revoke issues a cryptographic rollback receipt — a signed record of what was revoked, the policy decision path, and the prior entitlement state. The receipt is valid for 24 hours after execution.
What the receipt guarantees: the policy state is reversible — STRATUS will not have written a permanent denial record, and the original entitlement request can be re-issued without a new approval cycle.
What it does not guarantee: full automated restoration of state across every target system. Some targets (AD, Okta, AWS IAM) support full programmatic re-grant via the same API path. Others (PeopleSoft revokes that crossed an ERP-side workflow, custom legacy revokes) require manual restoration following the documented receipt. The receipt tells the operator exactly which targets are auto-reversible and which require manual steps — captured in the Evidence Pack for audit.
Buyers performing security review always ask three questions about evidence: who owns the storage, who owns the keys, how do we export. Here are the precise answers.
Recommended: customer-owned S3 bucket in customer's AWS account with Object Lock in Compliance Mode and a 7-year retention policy. STRATUS writes Evidence Packs via cross-account assume-role with write-only permission. You own the evidence end-to-end.
Default for design partners: STRATUS-managed bucket in our us-west-2 account with Object Lock, until customer-owned bucket is provisioned during Days 1–7 of the POC.
BYO-KMS supported: Evidence Packs encrypted with customer-managed CMK in the customer's KMS. STRATUS holds only assume-role permission to encrypt; never to decrypt outside of customer's audit access path.
Key rotation: automatic annual rotation supported. Historical Evidence Packs remain readable under their prior key version (KMS key-version metadata embedded in each pack).
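The two claims above that a reviewer can actually test before granting the role are "write-only" and "encrypt, never decrypt". As an added example (not STRATUS code), here is a stdlib-only Python check that a customer's security reviewer could run against the policy document attached to the cross-account role and against the bucket's Object Lock configuration. The allowed-action set, the forbidden-action patterns, the bucket and key ARNs and both sample policies are assumptions constructed for this example; the Object Lock configuration shape follows the S3 GetObjectLockConfiguration response.

```python
"""Least-privilege review of an evidence-writer role policy and the bucket's Object Lock.

Added example, not STRATUS code. The action sets, ARNs and sample documents below
are assumptions for illustration; adjust ALLOWED_ACTIONS to what the vendor
actually documents.
"""
import fnmatch

# Actions a write-only, encrypt-only evidence writer legitimately needs (assumption).
ALLOWED_ACTIONS = {"s3:PutObject", "kms:GenerateDataKey", "kms:Encrypt"}

# Anything matching these lets the writer read evidence, delete it, or weaken retention.
FORBIDDEN_PATTERNS = [
    "s3:GetObject*", "s3:DeleteObject*", "s3:PutObjectRetention", "s3:PutObjectLegalHold",
    "s3:BypassGovernanceRetention", "s3:PutBucketObjectLockConfiguration",
    "kms:Decrypt", "kms:ScheduleKeyDeletion", "kms:DisableKey",
]


def _as_list(value):
    """IAM allows scalars or lists for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _action_matches(granted: str, pattern: str) -> bool:
    """IAM action names are case-insensitive; either side may carry a wildcard (e.g. s3:*)."""
    g, p = granted.lower(), pattern.lower()
    return fnmatch.fnmatchcase(p, g) or fnmatch.fnmatchcase(g, p)


def audit_writer_policy(policy: dict) -> list[str]:
    """Return findings for every Allow that exceeds write-only, encrypt-only access."""
    findings = []
    for n, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if any(_action_matches(action, pat) for pat in FORBIDDEN_PATTERNS):
                findings.append(f"statement {n}: {action!r} lets the writer read, delete or change retention")
            elif not any(_action_matches(action, ok) for ok in ALLOWED_ACTIONS):
                findings.append(f"statement {n}: {action!r} is not needed for write-only evidence delivery")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {n}: Resource '*' is not scoped to the evidence bucket or key")
    return findings


def check_object_lock(cfg: dict, min_years: int = 7) -> list[str]:
    """Verify the bucket enforces Compliance-mode retention of at least min_years."""
    lock = cfg.get("ObjectLockConfiguration", {})
    problems = []
    if lock.get("ObjectLockEnabled") != "Enabled":
        problems.append("Object Lock is not enabled on the bucket")
    rule = lock.get("Rule", {}).get("DefaultRetention", {})
    if rule.get("Mode") != "COMPLIANCE":
        problems.append(f"default retention mode is {rule.get('Mode')!r}, not COMPLIANCE "
                        "(governance mode can be bypassed by a privileged principal)")
    years = rule.get("Years", 0) + rule.get("Days", 0) / 365
    if years < min_years:
        problems.append(f"default retention of {years:g} years is below the {min_years}-year requirement")
    return problems


# Constructed sample documents (not real accounts, buckets or keys).
BUCKET_ARN = "arn:aws:s3:::example-evidence-bucket/stratus/*"
KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/00000000-0000-0000-0000-000000000000"

GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": BUCKET_ARN},
    {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Encrypt"], "Resource": KEY_ARN},
]}
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"], "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:*", "Resource": KEY_ARN},
]}
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}}
BAD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 365}}}}

if __name__ == "__main__":
    for name, doc in (("good policy", GOOD_POLICY), ("bad policy", BAD_POLICY)):
        print(name, audit_writer_policy(doc) or "OK")
    for name, doc in (("good lock", GOOD_LOCK), ("bad lock", BAD_LOCK)):
        print(name, check_object_lock(doc) or "OK")
```

Run it against the role policy you are about to attach (for example the output of `aws iam get-role-policy`) and the bucket's `aws s3api get-object-lock-configuration` output. A `kms:*` grant fails the check even though it is scoped to one key, because it includes `kms:Decrypt`; the Object Lock check fails on Governance mode because that mode can be bypassed with `s3:BypassGovernanceRetention`, which is exactly the permission an immutable evidence store must make impossible.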
PDF (auditor-ready): formatted Evidence Pack with SHA-256 hash, prev_hash, KMS signature, timestamp, actor, decision path, revoke result. Letter-sized, white-background, printable.
JSON (machine-readable): raw event for SIEM ingestion, GRC integration, or external chain verification.
Raw hash + chain proof: minimal artifact for independent third-party verification — verify chain integrity without STRATUS infrastructure.
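The third format only earns the phrase "without STRATUS infrastructure" if a reviewer can recompute the chain from the raw events alone. As an added example (not STRATUS code), here is a stdlib-only Python verifier for a SHA-256 hash chain of JSON evidence events carrying the sha256, prev_hash, timestamp, actor, decision path and revoke result fields named above. The canonicalization rule (sorted keys, no whitespace, the record's own sha256 excluded), the all-zero genesis value, and the three sample revoke events are assumptions constructed for this example; the KMS signature over each pack is a separate check against the key's public half and is not modelled here.

```python
"""Offline verification of a SHA-256 hash-chained evidence export.

Added example, not STRATUS code. Assumed record format (not from the page):
each JSON event carries a "sha256" over the canonical JSON of its other fields
(sorted keys, no whitespace), a "prev_hash" equal to the previous event's
"sha256", and the first event links to a 64-zero genesis value.
"""
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first record of a chain


def canonical_bytes(event: dict) -> bytes:
    """Serialize everything except the record's own hash, deterministically."""
    body = {k: v for k, v in event.items() if k != "sha256"}
    return json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def event_hash(event: dict) -> str:
    return hashlib.sha256(canonical_bytes(event)).hexdigest()


def seal(records: list[dict]) -> list[dict]:
    """Producer side: link each record to its predecessor and stamp its hash."""
    chain, prev = [], GENESIS
    for rec in records:
        ev = dict(rec, prev_hash=prev)
        ev["sha256"] = event_hash(ev)
        chain.append(ev)
        prev = ev["sha256"]
    return chain


def verify_chain(chain: list[dict]) -> list[str]:
    """Verifier side: return a list of problems; an empty list means the chain is intact.

    A modified record shows up as a content/hash mismatch on that record; a deleted
    or reordered record shows up as a prev_hash mismatch on the record after the gap.
    """
    problems, expected_prev, last_ts = [], GENESIS, ""
    for i, ev in enumerate(chain):
        if ev.get("prev_hash") != expected_prev:
            problems.append(f"record {i}: prev_hash does not match the previous record (gap or reorder)")
        if event_hash(ev) != ev.get("sha256"):
            problems.append(f"record {i}: stored sha256 does not match content (tampered)")
        ts = ev.get("timestamp", "")  # ISO-8601 UTC strings compare lexicographically
        if ts < last_ts:
            problems.append(f"record {i}: timestamp moves backwards")
        last_ts = max(last_ts, ts)
        expected_prev = ev.get("sha256", "")
    return problems


# Constructed sample events; subjects and actors are placeholders, not real data.
SAMPLE_RECORDS = [
    {"event": "revoke", "timestamp": "2025-03-04T14:02:11Z", "actor": "hr-feed",
     "target": "okta", "subject": "user-redacted-01",
     "decision_path": "termination -> two_person_approval -> revoke", "result": "success"},
    {"event": "revoke", "timestamp": "2025-03-04T14:02:13Z", "actor": "hr-feed",
     "target": "active_directory", "subject": "user-redacted-01",
     "decision_path": "termination -> two_person_approval -> revoke", "result": "success"},
    {"event": "revoke", "timestamp": "2025-03-04T14:02:15Z", "actor": "hr-feed",
     "target": "aws_iam", "subject": "user-redacted-01",
     "decision_path": "termination -> two_person_approval -> revoke", "result": "manual_step_required"},
]
SAMPLE_CHAIN = seal(SAMPLE_RECORDS)


def demo() -> tuple[list[str], list[str], list[str]]:
    """Return verification results for the intact chain, a tampered copy and a truncated copy."""
    tampered = [dict(ev) for ev in SAMPLE_CHAIN]
    tampered[1]["result"] = "skipped"              # rewrite history on one record
    truncated = [SAMPLE_CHAIN[0], SAMPLE_CHAIN[2]]  # drop the middle record
    return verify_chain(SAMPLE_CHAIN), verify_chain(tampered), verify_chain(truncated)


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered", "truncated"), demo()):
        print(label, result or "chain OK")
```

Feed it the JSON export rather than the PDF; the PDF is for the auditor's eyes, the JSON is what a machine can recompute. If your export's canonicalization differs from the assumption here (field order, whitespace, which fields are covered), the recomputed hashes will all mismatch, which is itself the first thing to settle with the vendor: a chain whose hashing rule is not documented cannot be independently verified.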
Trust-by-vibe is what got the industry into this mess. Each of these artifacts is available to qualified Founding Partner prospects under NDA, requested via the security contact. They are not vapor — they describe what STRATUS actually does today.
Real revoke event from the lab environment. SHA-256 hash, prev_hash, KMS signature, timestamps, actors, decision path. Customer-identifying fields redacted.
Per-system breakdown with API approach, auth model, known limitations, and POC-validation status. PDF version of the on-page matrix with footnotes.
Category breakdown (SAST, dependency, secrets, IaC, license, behavioral, build provenance), pass/fail telemetry, framework mapping. Sanitized CI screenshot included.
FY2025 47-enterprise study methodology (sample, sectors, definitions). Lab measurement methodology (AD/Okta/AWS, HR event → sealed evidence). Production-timing caveats.
The specific criteria a Founding Partner POC must meet to count as successful: connectors connected, ghost-account report delivered, simulated revoke validated, first live closed-loop revoke executed, signed Evidence Pack delivered.
For federal evaluators: NIST 800-53 Rev. 5 control mapping, FIPS 140-3 cryptographic boundary documentation, SSP outline, FedRAMP alignment status (not authorized — alignment).
All artifacts are requested by email to [email protected] and delivered under NDA within one business day. We do not publish these as public downloads because they contain enough specificity that competitors would scrape them. Founding Partner prospects get them on first scoping call.
Vaporware is the silent killer of IGA evaluations. Here's exactly where each connector sits — Discover, Certify, Revoke, Evidence — and the production-readiness status next to it.
| Target System | Discover | Certify | Revoke | Evidence | Status |
|---|---|---|---|---|---|
| Active Directory | Yes | Yes | Yes | Yes | AVAILABLE NOW |
| Okta | Yes | Yes | Yes | Yes | AVAILABLE NOW |
| AWS IAM | Yes | Yes | Yes | Yes | AVAILABLE NOW |
| Workday | Yes | Yes | Partial / workflow | Yes | AVAILABLE NOW |
| Entra ID · Azure AD | Yes | Yes | Yes | Yes | PRIVATE BETA |
| GCP IAM ¹ | Yes | Yes | Yes | Yes | AVAILABLE NOW |
| Salesforce · GitHub · Snowflake | Yes | Yes | Yes | Yes | AVAILABLE NOW |
| ServiceNow | Yes | Workflow | Workflow | Yes | PRIVATE BETA |
| PeopleSoft | Yes | Partial | Partner dependent | Yes | PRIVATE BETA |
| Oracle EBS · SAP | Yes (stub validation) | Partial — stub | Partner dependent | Yes | PRIVATE BETA |
| RACF / Mainframe | Planned | Planned | Planned | Planned | ROADMAP |
¹ GCP IAM real-time mode requires GCP credentials configured in the HCG. Heuristic fallback mode is active by default and does not require credentials.
A "secure platform" you can't audit isn't secure. Every commit to STRATUS currently passes through 2,042 deterministic CI gates before it can ship to your environment. The CI gate summary report — including gate categories, pass/fail telemetry, and the specific framework checks each gate enforces — is available under NDA as part of a security review. "Deterministic" matters here: these aren't ML probability calls, they're code rules with binary pass/fail outcomes that an auditor can read and re-run.
Every commit is scanned for known vulnerabilities, dependency CVEs, leaked credentials, and licensing issues. Build fails on critical findings — no human override available.
Every container is scanned, signed, and shipped with a software bill of materials. No unsigned images reach production.
All cloud infrastructure is defined as code, scanned for misconfigurations, and continuously validated against drift.
The gates don't stop at deploy. Every running pod is continuously verified against the security baseline.
When the auditor asks "prove the revoke happened" — this is the document that lands in their inbox. SHA-256 hash chain, S3 Object Lock storage, NIST 800-53 mapping, and a redacted sample available on request.
Figure 5 · Mockup. Sample Evidence Pack rendered for an auditor; fields and hashes are representative. A redacted production PDF is available on request and includes the full prev_hash / sha256 chain with KMS signatures.
We're a small team building toward enterprise readiness. Below is exactly where we are across each major framework — including the ones we don't have yet. Your procurement team will thank us for the candor.
Important distinction: "FedRAMP-Aligned" means we have built our infrastructure to the FedRAMP Moderate baseline controls; it is our description of our posture, not an authorization. "FedRAMP Authorized" means an Authorization to Operate (ATO) has been issued. We are aligned. We are not authorized. If a FedRAMP Moderate ATO is required for your year-one purchase, that's an honest signal that we're not the year-one platform.
If you've found a security issue in STRATUS AccessGov, we'd rather hear it from you than read about it later. Here's how the program works.
In scope: production STRATUS AccessGov instances, the Hybrid Connectivity Gateway, our public APIs, and stratusaccessgov.com. Out of scope: social engineering, physical attacks, denial of service.
Good-faith research conducted under this program is authorized. We won't pursue legal action against researchers who follow the program rules and disclose responsibly.
We acknowledge within 24 hours, triage within 72 hours, and target patch release within 30 days for high-severity findings. Critical findings get same-day attention.
Encrypted disclosure: [email protected] · PGP key on request · Full disclosure policy →
Run the 30-Day Proof of Revoke. Connect your real HR + identity + one or two target systems through the HCG. Watch ghost access surface, evidence packs seal, connectors dial out — closed-loop revoke executed by Day 30 or you walk.
Due Diligence Room
Compliance documentation, architecture evidence, legal agreements, and security artifacts — in one place. Status reflects what is available today, what requires a signed NDA, and what is on the roadmap.
Documents marked "POC / NDA" are available to Founding Partners during the 30-Day Proof of Revoke or under a signed NDA. Contact [email protected].