A secure structure for large enterprises

On-premise deployment, SSO, base-level roles, change audit, scrypt passwords, protection against XSS, SQL injection and recursive automations.

Data

Where your data lives

Russian hosting by default. Closed perimeter — on request. Files in S3-compatible storage.

Russian hosting

Servers located in Russia. On request — specific data centers with confirmation.

On-premise

Full installation in the customer's closed perimeter. Docker Compose or Kubernetes. No calls back to our servers.

Object storage

Files in S3-compatible storage (AWS, Cloudflare R2, MinIO, Backblaze). Customer's choice.

Backups

Scheduled database snapshots, point-in-time restore. Soft-delete with recovery is built in.

Access

Who can do what

Roles, SSO, API keys and audit — the standard set for enterprise use.

Base roles

owner / moderator / editor / viewer. Column hiding and row filtering by role.

SSO

SAML and OIDC on Business and above. Connect to your corporate IdP (Keycloak, Okta, AD).

API keys

Scoped: read-only, specific tables, specific operations. One-click rotation.

Change audit

Create, update, delete events — per record. 90-day retention, longer on request.

Application layer

Protection inside the product

What we do in code and infrastructure — concretely, no hand-waving.

Passwords

scrypt with salt, server-side verification. Timing-safe comparison. Never stored in plaintext.

Sessions

JWT in httpOnly cookies, sliding renewal. SameSite + CORS whitelist. No tokens in localStorage or readable by page scripts.

CSP with per-request nonce

No unsafe-inline. XSS protection at the browser level.

Rate limiting

Server-side rate limiting via Redis. Auth: 20 requests per 15 minutes. API: 1000 per minute.

SQL injection

Parameterized queries. Whitelisted column identifiers. No SQL string concatenation.
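As an added example (not Strura's code), the following builder shows the two rules above working together: values travel as positional parameters and column names are accepted only from a per-table whitelist, so no user input is ever spliced into the SQL text. The table, column names and filter shape are constructed for the example; the `{ text, values }` result is the shape node-postgres accepts for a parameterized query.

```javascript
// Added example: parameterized SELECT with whitelisted identifiers.
// Table/column names below are constructed for the example.
const COLUMN_WHITELIST = {
  orders: new Set(['id', 'customer_id', 'status', 'created_at']),
};

// Comparison operators are also restricted to a fixed set
const ALLOWED_OPS = new Set(['=', '<>', '<', '>', '<=', '>=']);

// Identifiers are quoted only after passing the whitelist; quoting alone is
// not a substitute for the whitelist check.
function quoteIdent(name) {
  return '"' + name.replace(/"/g, '""') + '"';
}

// columns: array of column names to select
// filters: array of { column, op, value }; value becomes $1, $2, ...
// orderBy: optional column name
function buildSelect(table, columns, filters, orderBy) {
  const allowed = COLUMN_WHITELIST[table];
  if (!allowed) throw new Error(`unknown table: ${table}`);

  const checkColumn = (c) => {
    if (!allowed.has(c)) throw new Error(`column not allowed: ${c}`);
    return quoteIdent(c);
  };

  const values = [];
  const where = filters.map(({ column, op, value }) => {
    if (!ALLOWED_OPS.has(op)) throw new Error(`operator not allowed: ${op}`);
    values.push(value);                       // value never touches the SQL text
    return `${checkColumn(column)} ${op} $${values.length}`;
  });

  let text = `SELECT ${columns.map(checkColumn).join(', ')} FROM ${quoteIdent(table)}`;
  if (where.length > 0) text += ` WHERE ${where.join(' AND ')}`;
  if (orderBy) text += ` ORDER BY ${checkColumn(orderBy)}`;
  return { text, values };
}

module.exports = { buildSelect };
```

Sorting and filtering by a user-chosen column is exactly where "parameterized queries" alone fall short, because placeholders cannot carry identifiers; the whitelist closes that gap.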

Automation anti-recursion

10-run-per-minute cap per automation. Guards against accidental loops.
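The rate limits in the "Rate limiting" paragraph and the automation cap above are the same mechanism: a counter per key per time window. As an added example (not Strura's code), the block below implements a fixed-window counter of the kind normally built on Redis INCR + EXPIRE, backed here by an in-memory Map and an injectable clock so it runs offline, and then uses it to show an automation that re-triggers itself being stopped at the tenth run. The limits are taken from this page; key names, the clock and the simulation are constructed for the example.

```javascript
// Added example: fixed-window limiter (in-memory stand-in for Redis INCR/EXPIRE)
// applied to both request rate limiting and the per-automation run cap.
class FixedWindowLimiter {
  constructor(now = () => Date.now()) {
    this.now = now;                 // injectable clock (ms) for deterministic tests
    this.counters = new Map();      // "key:bucket" -> count; Redis would EXPIRE these
  }

  // Counts one hit against `key`; returns whether it fits in the current window.
  hit(key, limit, windowMs) {
    const t = this.now();
    const bucket = Math.floor(t / windowMs);
    const id = `${key}:${bucket}`;
    const count = (this.counters.get(id) || 0) + 1;
    this.counters.set(id, count);
    const resetAt = (bucket + 1) * windowMs;
    if (count > limit) {
      return { allowed: false, remaining: 0, retryAfterMs: resetAt - t };
    }
    return { allowed: true, remaining: limit - count, retryAfterMs: 0 };
  }
}

// Limits as stated on the page
const LIMITS = {
  auth:       { limit: 20,   windowMs: 15 * 60 * 1000 },
  api:        { limit: 1000, windowMs: 60 * 1000 },
  automation: { limit: 10,   windowMs: 60 * 1000 },
};

// Per-client login throttle; the key would be the client IP or account id
function checkAuthAttempt(limiter, clientKey) {
  return limiter.hit(`auth:${clientKey}`, LIMITS.auth.limit, LIMITS.auth.windowMs);
}

// Simulates an automation whose action fires its own trigger again (an
// accidental loop). Returns how many times the action actually executed.
function simulateSelfTriggeringAutomation(limiter, automationId) {
  let executions = 0;
  const trigger = () => {
    const verdict = limiter.hit(`automation:${automationId}`,
      LIMITS.automation.limit, LIMITS.automation.windowMs);
    if (!verdict.allowed) return;   // cap reached: the loop ends here
    executions += 1;
    trigger();                      // the action re-triggers the same automation
  };
  trigger();
  return executions;
}

module.exports = { FixedWindowLimiter, LIMITS, checkAuthAttempt, simulateSelfTriggeringAutomation };
```

With Redis the same logic is one INCR on the bucketed key followed by an EXPIRE of the window length on the first hit, which is what makes the counter shared across application instances.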

Compliance

Regulatory status

We're open about what's done and what's in progress.

152-FZ «On personal data»

The storage and processing architecture is aligned with the requirements. Certification is in progress.

ISO 27001

Internal policies and processes match the standard. Certification is scheduled.

FAQ

Common security questions

Where is the data physically stored?

On cloud servers in Russia. In on-premise mode — on your servers. We name the specific data center and provider on request, under NDA.

Are you 152-FZ compliant?

The architecture meets 152-FZ requirements for processing personal data inside Russia: servers and backups in Russian data centers, access logs preserved for regulator inspections, on-premise install possible in a secured customer perimeter. K2-class certification of the personal-data information system is in progress, targeted for end of 2026. Threat model and detailed architecture review — on request under NDA at security@strura.ru.

Do you have ISO 27001?

In progress. Internal policies and processes are aligned with the requirements. We'll inform customers separately as certification advances.

What if I accidentally deleted an important table?

No record is physically deleted — it's marked with deletedAt and moved to the trash. One-click restore. If the trash is emptied, we have backups from the last 30 days.

Is data encrypted in transit?

Yes, everything over TLS 1.2+. Clients below TLS 1.2 are refused. HSTS is enabled.

Is data encrypted at rest?

PostgreSQL databases and the S3 file storage are encrypted at disk level (AES-256). Backups use a separate key not accessible from the application. For on-premise install, encryption is configured against your HSM/KMS.

Can we restrict access to the base by IP?

Yes, on Business and above — IP whitelist over the corporate VPN or office network.

Security details — under NDA

On request we send the architecture, incident response procedure, role model and backup schedule.