Privacy, Terms of Service, and Data Processing Addendum. These are public standard terms. Founding Partners receive negotiated counterparts during POC kickoff. Executable MSA and DPA versions are available on request before kickoff.
STRATUS AccessGov ("STRATUS," "we") provides identity governance software and services. This Privacy Policy describes how we handle personal information collected through our website (stratusaccessgov.com), our SaaS platform, and our customer engagements.
From website visitors: standard server logs (IP address, browser type, referrer, pages visited) and any information you voluntarily submit through contact forms or email. We do not run third-party analytics on the website at this time.
From the SaaS platform: identity metadata, access decisions, and audit evidence as configured by the customer. We never store passwords or secrets in plaintext or otherwise — credentials pass through and are not retained. See our Trust Center for the complete data residency matrix.
To deliver the contracted services. To respond to your inquiries. To improve product reliability and security. We do not sell personal information. We do not use customer data to train shared machine-learning models.
Identity metadata: configurable, customer-controlled. Access decisions and audit logs: 7-year retention by default, configurable, written to S3 Object Lock in compliance mode. Inquiry-related correspondence: as long as the relationship is active, plus three years.
If you believe we hold personal information about you, you can email [email protected] to request access, correction, deletion, or export. We respond within 30 days. EU/UK/CCPA rights are honored.
Production infrastructure runs in AWS us-west-2. Cross-border data flows operate under Standard Contractual Clauses where applicable. EU/UK customers receive an EU-Customer Addendum on request.
By accessing or using stratusaccessgov.com or the STRATUS AccessGov SaaS platform, you agree to these Terms of Service. If you're using the platform on behalf of an organization, you represent that you have authority to bind that organization.
STRATUS provides an identity governance and administration platform. Specific features, limits, and SLAs are defined in your Master Services Agreement (MSA) or Order Form. Founding Partners operate under a custom Founding Partner Agreement that supersedes these public Terms.
You agree not to: (a) use the service to violate applicable law; (b) attempt to bypass security or rate limits; (c) reverse-engineer the platform except as permitted by applicable law; (d) use the service to process data you don't have authority to process; (e) interfere with other customers' use.
Each party agrees to maintain the confidentiality of the other's non-public information. We treat customer-uploaded data as Confidential Information by default, with the additional protections described in the DPA.
Subject to the customer's signed MSA. The public-facing default: aggregate liability is limited to fees paid in the 12 months preceding the claim. No party is liable for indirect or consequential damages. This limitation does not apply to gross negligence, willful misconduct, breach of confidentiality obligations, or indemnification obligations.
Either party may terminate for material breach with 30 days' notice and opportunity to cure. On termination, customer data is exported and deleted per the DPA. Audit evidence subject to S3 Object Lock retention completes its locked period before deletion.
This Data Processing Addendum supplements the agreement between STRATUS (Processor) and Customer (Controller) where STRATUS processes Personal Data on Customer's behalf.
STRATUS acts as Processor (or, where applicable, Sub-processor). Customer acts as Controller and is responsible for the lawful basis and instructions for processing.
STRATUS uses sub-processors as listed at /subprocessors. We provide 30 days' notice of new sub-processors. Customer may object on reasonable grounds.
STRATUS implements technical and organizational measures including: AES-256 encryption at rest, TLS 1.3 in transit, mutual TLS for the Hybrid Connector Gateway, BYO-KMS support, SHA-256 hash-chained audit evidence, S3 Object Lock for evidence retention, role-based access control, MFA for all internal access, code-signing, supply-chain security gates (2,042 deterministic gates per release).
STRATUS assists Customer with responses to data subject access, correction, deletion, portability, and objection requests. Standard turnaround: 14 days.
STRATUS notifies Customer of a Personal Data Breach affecting Customer Data without undue delay, and in any event within 48 hours of discovery, with the information needed for Customer to meet its own notification obligations.
For transfers from EU/UK/Switzerland, the parties agree to incorporate the relevant Standard Contractual Clauses. An EU-UK Addendum is available on request.