Security & Data Protection

Last updated: February 28, 2026

We built The Dashboard by stÖkd on enterprise-grade infrastructure because your data deserves the same protections that Fortune 500 companies demand. This page explains exactly how we protect it.

Infrastructure & Encryption

Every layer of our stack runs on certified, audited infrastructure:

  • Data warehouse: Google BigQuery (GCP) — SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018
  • Application hosting: Netlify — SOC 2 Type II
  • Payments: Stripe — PCI DSS Level 1
  • Rate limiting: Upstash (Redis) — SOC 2 Type II

All data in transit is encrypted with TLS 1.2+. All data at rest is encrypted with AES-256 (GCP default). Credit card data never touches our servers — it goes directly to Stripe.

Client Data Isolation

Your data is logically isolated from every other client at the database level using BigQuery Row-Level Security (RLS). This is not application-level filtering — it is enforced by Google Cloud itself.

  • Every client gets a unique access identifier
  • Scoped credentials ensure queries only return your data
  • There is no "view all clients" mode — not even for administrators

Authentication & Access Controls

  • Passwords: Hashed with PBKDF2-SHA512 (100,000 iterations) with a unique random salt per account
  • Sessions: HMAC-SHA256 tokens stored in HttpOnly; Secure; SameSite=Strict cookies
  • OAuth: Official OAuth 2.0 flows for Meta and LinkedIn with read-only scoped permissions
  • Rate limiting: Distributed Redis-backed login throttling prevents brute-force attacks
  • Security headers: Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
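
The password and session bullets above, as an added Python example using only the standard library. It is not stÖkd's code: the salt length, the `payload.tag` token layout, the expiry field, the cookie name and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, time

PBKDF2_ITERATIONS = 100_000   # iteration count stated on this page
SALT_BYTES = 16               # assumption: the page does not give a salt length

def hash_password(password: str) -> str:
    """Return 'iterations$salt$hash' using a fresh random salt per account."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    iterations, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))  # constant-time compare

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def issue_session(user_id: str, key: bytes, ttl: int = 3600, now=None) -> str:
    """Token = base64url(payload) + '.' + base64url(HMAC-SHA256(key, payload))."""
    expires = int(now if now is not None else time.time()) + ttl
    payload = f"{user_id}|{expires}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64url(payload)}.{b64url(tag)}"

def verify_session(token: str, key: bytes, now=None):
    """Return the user id, or None if the token is malformed, forged or expired."""
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64 + "=" * (-len(p64) % 4))
        tag = base64.urlsafe_b64decode(t64 + "=" * (-len(t64) % 4))
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # check the MAC before parsing
            return None
        user_id, expires = payload.decode().rsplit("|", 1)
        if int(expires) <= int(now if now is not None else time.time()):
            return None
        return user_id
    except (ValueError, UnicodeDecodeError):
        return None

def session_cookie(token: str) -> str:
    # Cookie attributes as listed on this page; the name "session" is assumed.
    return f"session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"
```
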

What We Do (and Don't Do) With Your Data

We process your data for one purpose: delivering your analytics. Full stop.

We will never:

  • Use your data to train or improve our AI models
  • Benchmark your performance against other clients
  • Share your data with third parties (except authorized sub-processors listed below)
  • Retain your data beyond the terms of your engagement

Under GDPR, stÖkd acts as a Data Processor. Under CCPA/CPRA, stÖkd acts as a Service Provider. You remain the Data Controller at all times.

Data Retention & Deletion

  • Active subscription: Data retained for the duration of your engagement
  • Post-engagement: Data flagged for deletion immediately
  • 90 days post-engagement: All data permanently and irreversibly deleted
  • Early deletion: Contact hello@stokesstrategy.com — completed within 30 days with written confirmation

Sub-Processors

These are the only third-party services that process your data:

  • Google Cloud Platform (BigQuery) — US — Data storage & processing
  • Netlify — US — Hosting & serverless functions
  • Upstash — US — Rate limiting
  • Stripe — US — Payment processing
  • Google Gemini AI — US — AI analysis

Compliance

  • GDPR: Ready — Data Processing Addendum (DPA) with Standard Contractual Clauses available on request
  • CCPA/CPRA: Ready — data deletion endpoint live
  • PCI DSS: SAQ A compliance via Stripe
  • SOC 2: Infrastructure-level via GCP + Netlify; platform-level certification planned at enterprise scale

Available Contracts

We're happy to execute the paperwork your legal team needs:

  • Terms of Service: Standard, accepted at signup
  • Master Services Agreement (MSA): Available on request for Audit + Retainer clients
  • Data Processing Addendum (DPA): Available on request, includes SCCs (Module Two) + CCPA certification
  • Statement of Work (SOW): Provided per engagement

Security Contact

Questions about our security practices? Found a vulnerability? We want to hear from you.

STOKD STRATEGY LLC
Email: hello@stokesstrategy.com
Response SLA: 2 business days