Steward stores some of the most sensitive data your firm holds. Here's exactly how we protect it — at every layer, for every tier.
Solo and Firm tenants share a hardened PostgreSQL cluster. Every row is scoped by firm and protected by Postgres Row Level Security policies. Enterprise tenants run on a dedicated PostgreSQL instance with a dedicated R2 bucket — no shared infrastructure.
TLS 1.3 in transit. AES-256 at rest (Neon, R2). Sensitive fields (BYO API keys, dedicated-DB connection strings) are encrypted at the column level using a key managed in Railway secrets.
Every write — every client edit, every report generation, every portal acceptance — is recorded in an append-only audit log. Each row hashes the previous, producing a tamper-evident chain. Auditors can verify continuity in one query.
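The chaining idea above, as an added example that is not Steward's own code: a minimal hash-chained log in Python with a continuity check. The row layout, field names, SHA-256, the JSON canonicalisation and the all-zero genesis value are assumptions, since the page does not specify them.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first row


def row_hash(prev_hash, entry):
    """SHA-256 over the previous row's hash plus a canonical encoding of this entry."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{canonical}".encode("utf-8")).hexdigest()


def append(log, entry):
    """Append-only write: each new row commits to the hash of the row before it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "prev_hash": prev, "hash": row_hash(prev, entry)})


def first_break(log):
    """Index of the first row that fails verification, or None if the chain is continuous."""
    prev = GENESIS
    for i, row in enumerate(log):
        if row["prev_hash"] != prev or row["hash"] != row_hash(prev, row["entry"]):
            return i
        prev = row["hash"]
    return None


def head(log):
    """Hash of the newest row; keep a copy outside the database to detect tail truncation."""
    return log[-1]["hash"] if log else GENESIS


def build_sample_log():
    """Constructed sample entries (hypothetical field names and values)."""
    log = []
    append(log, {"seq": 1, "firm_id": "firm-a", "actor": "advisor-1", "action": "client.edit"})
    append(log, {"seq": 2, "firm_id": "firm-a", "actor": "advisor-1", "action": "report.generate"})
    append(log, {"seq": 3, "firm_id": "firm-a", "actor": "client-9", "action": "portal.accept"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact, first bad row:", first_break(log))
    log[1]["entry"]["action"] = "client.delete"  # simulate an in-place edit
    print("after edit, first bad row:", first_break(log))
```

The chain by itself catches edits and deletions in the middle of the log; dropping the newest rows leaves a shorter chain that still verifies, which is why the head hash has to be compared against a copy held outside the database.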
Passwords hashed with bcrypt (12 rounds). 8-hour JWT sessions. Firm tier supports SSO (Google, Microsoft); Enterprise adds SAML. Five built-in roles (owner, admin, advisor, assistant, compliance officer) with granular permissions.
We are an Information Officer registered processor. One-click export and one-click delete fulfil POPIA Sections 23 & 24. Data is processed only for the purposes set out in our DPA, which Enterprise customers counter-sign at contract.
Point-in-time recovery up to 7 days (Solo / Firm), 30 days (Enterprise). Documents and reports replicated across two R2 regions. Quarterly disaster-recovery drills.
Annual penetration test by an external CREST-accredited firm. SOC 2 Type II in progress. ISO 27001 on the roadmap for FY27.
Security incidents are triaged within 1 hour and material breaches are notified to affected firms within 72 hours, in line with POPIA Section 22.
Every third party that touches your data, with what they do and where they sit.
| Provider | Purpose | Region |
|---|---|---|
| Neon | Managed PostgreSQL (data at rest, AES-256) | EU / US |
| Cloudflare R2 | Encrypted object storage (documents, reports) | EU |
| OpenAI | Christian-values screening (no PII transmitted) | US |
| Stripe | Card payments processor | EU / US |
| Peach Payments | ZA debit-order & EFT processor | South Africa |
| SigniFlow | Advanced electronic signatures (ECTA-compliant) | South Africa |
| Railway | Application hosting (API) | EU |
| Vercel | Application hosting (web) | Global edge |
We notify customers in writing 30 days before adding any new sub-processor.
DPA, sub-processor list, latest pen-test summary and our POPIA addendum — sent the same business day.
Request security pack