Shared responsibility
Strato Curated Collective is built on managed cloud infrastructure provided by our platform vendors. Those vendors operate the servers, databases, and delivery network. Strato is responsible for how the application is configured on top of that infrastructure — access controls, data handling policies, and staff practices. Travelers are responsible for keeping their own account credentials confidential.
Access & authentication
- Passwords are handled by our identity provider and never stored in plain text.
- Optional Google sign-in is available for travelers who prefer it.
- Administrator accounts are required to enroll in multi-factor authentication.
- Session tokens use short-lived, rotating credentials.
Data protection
- All traffic between your browser and our application is encrypted with HTTPS/TLS.
- Database records are stored on encrypted volumes provided by our infrastructure vendor.
- Row-level security policies restrict every traveler to their own records; advisors can only see travelers assigned to them; administrators have scoped access appropriate to their role.
- Sensitive advisor tax records (such as W-9 information) are stored using additional column-level encryption.
Secure document storage
Traveler documents (passports, visas, insurance certificates, trip confirmations) are uploaded to a private storage bucket that is not publicly accessible. Files are retrievable only through authenticated, signed URLs that expire after a short period. Where personal-document numbers are displayed in the portal, only the last four characters are shown (for example, "passport ending in ****1234").
Payments
Payments and deposits are processed by Stripe, a PCI-DSS Level 1 certified payment processor. Card numbers are entered directly into Stripe's hosted checkout and are never transmitted to or stored by Strato's servers. Strato retains only the last four digits and payment status needed to reconcile bookings.
Email authentication
Outbound email from our domain is authenticated with SPF, DKIM, and DMARC records so that recipients can verify messages actually came from Strato. Marketing email includes a physical postal address and a working unsubscribe link, in line with CAN-SPAM requirements.
Data collection & retention
We collect only what we need to plan and support your trip: contact details, traveler names and dates of birth for booking, passport information when required by a supplier, and payment status. We do not sell traveler information. Full details — including retention windows and how to exercise your rights — are in our Privacy Policy and Your Privacy Choices pages.
Cookies & analytics
Analytics scripts load only after you accept optional cookies. If your browser sends a Global Privacy Control (GPC) signal, we honor it automatically and skip loading analytics. You can adjust your preferences at any time via the "Cookie preferences" link in our footer.
Reporting a security concern
If you believe you have found a security issue or observed suspicious activity on your account, please email info@stratocurated.com with the subject line "Security". We take reports seriously and will respond promptly.
Certifications & compliance
Strato Curated Collective does not currently hold independent certifications such as SOC 2, ISO 27001, PCI-DSS, or HIPAA. The controls described on this page reflect the practices we operate today. Any future certification will be listed here only after it has been formally issued.