Security
Design principle: minimise the blast radius of a security failure.
No keys. No signing. No custody.
We cannot move your funds. We cannot sign anything on your behalf. We do not request, store, or transmit private keys, seed phrases, or signing material. There is no path through Stride to your assets.
Supported chains (v0.13)
Stride supports Ethereum, Solana, Bitcoin, Polygon, Base, and Arbitrum. EVM chains share the same Alchemy data path — adding a new EVM chain in future is a code change, not an architectural one.
Read-only data flow
- You enter a public wallet address.
- Stride queries on-chain balances via Alchemy (Ethereum, Polygon, Base, Arbitrum), Helius (Solana), or Mempool.space (Bitcoin).
- Stride queries USD prices via CoinGecko.
- Stride displays the result.
- Stride writes an append-only snapshot row to its database (Supabase, Singapore region, encrypted at rest) so the historical comparison view and time-series chart work.
- A daily cron job at 00:05 UTC re-runs the same balance fetch + snapshot write for every wallet seen in the last 30 days, so historical deltas continue to populate even if no one opens the app.
That is the entire data flow. The only writes are append-only snapshot rows. Stride has no signing, transaction, or fund-movement capability.
Infrastructure
- Hosting: Vercel (US / EU / SG edge)
- Database (paid tier): Supabase, Singapore region, encrypted at rest
- TLS 1.3 in transit
- Secrets managed via Vercel environment variables, not committed to source
Access controls
- Authentication: magic-link sign-in via Supabase Auth (email only — no passwords stored).
- Workspace isolation: wallet lists, labels, and entity tags are scoped to your workspace via Postgres Row Level Security (RLS). Other users cannot see your workspace data.
- Role-based access (v0.10): admin / editor / viewer. Admins manage members and roles. Editors add/remove/edit wallets and run actions. Viewers are read-only — they can see balances, transactions, and history but cannot mutate wallet state.
- Invitation flow: admins generate single-use invite links tied to a specific email and role. Links expire after 7 days. Invitee must sign in with the matching email to accept.
- Snapshot + transaction tables: globally addressed by (chain, address). On-chain data is public — no per-workspace duplication. Wallet ownership remains workspace-scoped via the tracked_wallets table.
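The workspace isolation and role rules above can be expressed as RLS policies along the following lines. This is an added example, not Stride's own schema or code: the workspace_members table, the member_role helper, the column layout and the policy names are assumptions, and only tracked_wallets and workspace_id are names taken from this page.

```sql
-- Added example. Hypothetical schema: only tracked_wallets and workspace_id
-- appear on the page. auth.uid() is Supabase's current-user helper.
create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  role         text not null check (role in ('admin', 'editor', 'viewer')),
  primary key (workspace_id, user_id)
);

create table tracked_wallets (
  workspace_id uuid not null,
  chain        text not null,
  address      text not null,
  label        text,
  primary key (workspace_id, chain, address)
);

-- Caller's role in a workspace, or NULL when not a member. SECURITY DEFINER
-- lets the policies below read memberships without exposing that table.
create function member_role(ws uuid) returns text
language sql stable security definer set search_path = public as $$
  select role from workspace_members
  where workspace_id = ws and user_id = auth.uid()
$$;

alter table workspace_members enable row level security;
alter table tracked_wallets   enable row level security;

-- Users can read only their own membership rows.
create policy members_read_own on workspace_members
  for select to authenticated
  using (user_id = auth.uid());

-- Every member, viewers included, can read the workspace's wallets.
create policy wallets_read on tracked_wallets
  for select to authenticated
  using (member_role(workspace_id) is not null);

-- Only admins and editors can add, edit or remove wallets. Viewers match
-- no write policy, so their INSERT/UPDATE/DELETE is denied by default.
create policy wallets_write on tracked_wallets
  for all to authenticated
  using (member_role(workspace_id) in ('admin', 'editor'))
  with check (member_role(workspace_id) in ('admin', 'editor'));
```

Because the policies are enforced by Postgres, a query that omits its workspace filter still returns only rows from workspaces the caller belongs to.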
Roadmap (next 12 months)
- SOC 2 Type I readiness assessment (Q3 2026)
- SAML SSO for Enterprise tier (Q4 2026)
- Audit log export (Q3 2026)
Reports + ERP exports (v0.15+)
Stride generates two kinds of exportable artefacts:
- PDF audit pack — period-end report with cover, summary, wallet listing, transactions, and a sign-off page for the auditor. Built on the workspace's existing balance + transaction data; no new on-chain calls are made when generating.
- ERP CSV templates — same transaction history reformatted for QuickBooks, Xero, NetSuite, or generic import. Treats USD-positive (in) as debit / USD-negative (out, fees) as credit. Account names and classes are sensible defaults; remap to your chart of accounts as needed.
Audit log (v0.14)
Every workspace mutation is recorded in an append-only audit log: wallet added/removed, member invited or removed, role changed, blocklist changes, alert preference changes, and bulk imports. Each entry captures the actor, timestamp, target, and metadata. The log is visible to all workspace members at Settings → Workspace → Activity log.
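One way to enforce the append-only property at the database layer, so that it also applies to the snapshot rows described under "Read-only data flow", is to reject every UPDATE, DELETE and TRUNCATE with a trigger. This is an added example, not Stride's own schema or code: the audit_log table, its columns and the trigger names are assumptions, and the authenticated role is the one Supabase assigns to signed-in users.

```sql
-- Added example. Hypothetical table and column names; the fields mirror
-- the "actor, timestamp, target, and metadata" listed on the page.
create table audit_log (
  id           bigint generated always as identity primary key,
  workspace_id uuid        not null,
  actor        uuid        not null,
  action       text        not null,
  target       text,
  metadata     jsonb       not null default '{}',
  created_at   timestamptz not null default now()
);

-- Shared trigger function: abort any statement that would change history.
create function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only: % rejected', tg_op;
end;
$$;

-- Row-level guard against edits and deletions of existing entries.
create trigger audit_log_no_update_delete
  before update or delete on audit_log
  for each row execute function audit_log_immutable();

-- Statement-level guard against wiping the table in one go.
create trigger audit_log_no_truncate
  before truncate on audit_log
  for each statement execute function audit_log_immutable();

-- Defence in depth: application roles never hold the privileges at all.
revoke update, delete, truncate on audit_log from public, authenticated;
```

Triggers fire for roles that bypass RLS as well, so a privileged backend job can still insert rows but cannot rewrite them without first dropping the trigger.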
Onboarding + transaction search (v0.18)
New users land on a 4-step welcome wizard after first sign-in. The wizard is dismissable and writes a workspace.onboarded audit event when completed or skipped. The workspace's onboarding timestamp is stored alongside other workspace metadata.
Transaction search runs server-side with admin-scoped filters (date, USD range, token, counterparty, classification). All filters apply only to the user's own workspace data via explicit workspace_id equality on the underlying queries.
Webhook delivery (v0.17)
Workspace admins can register Slack and Discord incoming webhook URLs as additional digest destinations. Each daily digest run posts to every configured webhook in addition to email recipients. Webhook URLs are stored in Supabase (Singapore region, encrypted at rest) and never logged or exposed to non-admin members.
Per-wallet balance-floor alerts (v0.17) check the latest snapshot value against admin-defined thresholds. When breached, an alerts.balance_floor_breached audit event is recorded. De-duplication prevents re-firing within 24 hours.
Email delivery (v0.11+)
Stride sends two kinds of email via Resend:
- Workspace invitations: contain the invitee's email, workspace name, inviter's email, role, and single-use invite link.
- Daily digest (v0.12): sent at 08:00 SGT to admin recipients (or a custom recipient list). Contains the workspace's 24-hour total value, per-entity rollup, and any transactions above the configured movement threshold (default S$10,000 USD equivalent). Includes tx hashes (public on-chain identifiers) and counterparty addresses (already public). Daily digest can be disabled per workspace at Settings → Workspace → Alerts.
No private information leaves Stride via email. Wallet labels and entity tags appear in the digest as you configured them.
Vulnerability disclosure
Report security issues to hello@vypeconsulting.com (subject: "Stride security"). We respond within 48 hours.
What we are honest about
We are an early-stage product. We do not yet hold SOC 2, ISO 27001, or any third-party certification. If your procurement requires these today, Stride is not the right fit yet — talk to us about your timeline.