Privacy Policy

1. Information We Collect

We collect information you provide directly, including:

• Account information (name, email, organization name)
• Financial data uploaded via CSV files (QuickBooks, Xero, Sage Intacct exports)
• Usage data and feature interactions

2. How We Use Your Information

• To provide and maintain the STERAnalytics dashboard
• To generate financial reports (GAAP-compliant statements, KPI analysis)
• To improve our services and user experience
• To communicate about your account and service updates

3. Data Security

Your financial data is protected by multiple layers of safeguards:

• Encryption at rest — every stored byte is encrypted with AES-256.
• Encryption in transit — every request between your browser, the platform, and the database uses TLS 1.2 or higher. Connections that don't use TLS are refused.
• Authentication — sign-in is through AWS Cognito with a password policy that requires 12+ characters with mixed case, numbers, and symbols. Multi-factor authentication is available.
• Role-based access — Platform Admin, CFO Owner, Executive, Program Manager, Client Viewer, and Board Member roles each see only the surfaces appropriate to their role.
• Secrets management — signing keys and database passwords are stored in a dedicated secrets vault, never in plain text in our application code or configuration.
• AWS-certified infrastructure — STERAnalytics runs on AWS, whose data centers independently hold SOC 2, ISO 27001, PCI DSS, and HIPAA certifications. STERAnalytics itself is not SOC 2, HIPAA, or GDPR certified, but is designed and operated to align with those frameworks.

4. Multi-Tenant Isolation

STERAnalytics serves many organisations from a single platform. Your organisation's data is isolated from every other organisation's data at the database layer — not the application layer. This means that even a bug or misconfiguration in our application code cannot cause cross-organisation data leakage. Every read and write carries your organisation's identity, enforced by the database itself, on every query. Every administrative action that crosses organisations is independently logged to a separate audit trail.

5. Audit Trail

Every authenticated request to the platform is recorded with the user, organisation, endpoint, and timestamp. Administrative actions that read across organisations are recorded to a separate, append-only audit log that commits independently of the request itself, so it cannot be silently undone. On request, we can produce the audit trail for your organisation for any time period.

6. Data Residency

All data is stored and processed in the United States (AWS region us-east-1, Northern Virginia). We do not currently replicate data across regions or countries. If your organisation requires a specific data-residency arrangement, contact us before uploading.

7. Sub-Processors

We rely on the following sub-processors to operate the platform. Each handles data on our behalf under a data-processing agreement:

• Amazon Web Services (AWS) — compute, storage, database, identity, email delivery, machine-learning inference.
• Stripe — payment processing and customer billing portal.

We do not engage advertising networks, analytics resellers, or third-party trackers inside the application.

8. Compliance Posture

STERAnalytics is a financial reporting and decision-support tool. It is not a registered investment adviser, certified public accounting firm, law firm, broker-dealer, or other regulated financial-services entity. Reports it produces — including Form-990 preparation outputs — are intended to support a qualified preparer, not to replace one.

Certification status: STERAnalytics is not SOC 2, HIPAA, or GDPR certified. We are not certified under any of those frameworks, nor do we claim to be. Our security controls, data-handling practices, and infrastructure choices are designed to align with these standards, and we pursue that alignment on an ongoing basis.

9. Data Sharing

We do not sell your data. We share data only with:

• AWS (infrastructure provider)
• Stripe (payment processing)
• Service providers necessary to operate the platform

10. Your Rights

You have the right to:

• Access your personal data
• Request correction of inaccurate data
• Request deletion of your data
• Export your data in a portable format
• Withdraw consent for data processing

11. Data Retention

We retain your data for the duration of your account plus 7 years for financial records (per regulatory requirements). You may request earlier deletion by contacting us.

California Privacy Rights (CCPA)

If you are a California resident, you have additional rights:

• Right to know what personal information we collect and how we use it
• Right to delete personal information we hold about you
• Right to opt out of the sale or sharing of personal information
• Right to non-discrimination for exercising your CCPA rights

We do not sell personal information. To exercise your rights, contact privacy@stilladvisoryanalytics.com.

12. Contact

For privacy inquiries: privacy@stilladvisoryanalytics.com