Security & Trust

Built for the people who say no to vendors first.

Security, compliance, and data-residency posture in one place. Written for the procurement, infosec, and compliance reviewers who decide whether a fintech infrastructure vendor can touch production traffic.

Four pillars of our security posture

Boring, on purpose.

Encryption everywhere

TLS 1.2+ in transit. AES-256 at rest. Per-tenant key isolation in our SaaS region; on-prem deployments use the customer's own KMS or HSM.

Deploy where it makes sense

Multi-tenant SaaS in our Jakarta region for mid-market fintechs. Single-tenant on-premise for regulated banks that need in-country control of every component, including the database.

Identity & access

SSO via OIDC or SAML, SCIM provisioning, role-based access on every action, mandatory hardware MFA for staff, and full audit logs streamed to the customer's SIEM on request.

Monitoring & incident response

Production is observed 24/7 from Jakarta. Documented incident-response runbook with severity-tiered SLAs. Customers are notified of any incident affecting their data within the timelines stated in the DPA.

Compliance mapping

Aligned where it matters

We do not list standards we do not actually map to. Statuses below are current as of this page's last revision.

OJK SE 21/2023

Our control set maps to OJK guidance on IT risk for financial-sector providers — covering vendor management, data classification, BCP, and audit trails.

BI Regulations

Payment-related products honour Bank Indonesia rules on IDR processing, BI Fast operating windows, and on-soil data residency for transactional data.

PPATK reporting

AML Monitoring is built around PPATK STR/CTR thresholds and reporting formats; the underlying audit trail is preserved for the regulator-mandated retention period.

UU PDP 27/2022

Customer-side data is processed under a Data Processing Addendum that mirrors the obligations of the Indonesian Personal Data Protection Law.

SOC 2 Type II — in progress

We are running our SOC 2 Type II observation window with a Big-4 auditor. Expected attestation: Q4 2026. Bridge letters and current control evidence available under NDA.

ISO 27001 — planned

ISO 27001 certification programme kicks off after SOC 2 attestation lands.

Data residency

In Indonesia, by default.

Customer data on our SaaS plane lives in our Jakarta region. Encrypted backups never leave Indonesian sovereign borders. On-premise deployments place every component — including the database and queue brokers — inside the customer's own environment.

Primary region: Jakarta, Indonesia

Sub-processors

Category              Purpose                                    Region
Cloud (SaaS region)   Compute + storage, Indonesia region        Jakarta, Indonesia
Email delivery        Transactional and pre-sale email           Asia-Pacific
Analytics             Aggregated, anonymised website analytics   EU region
Scheduling            Demo-booking calendar                      Asia-Pacific

Specific vendor names are shared with customers and prospects under NDA on request.

Need evidence?

Pen-test summaries, SOC 2 bridge letters, control matrices, and DPIA templates are available under NDA. We respond to security questionnaires (CAIQ, SIG-Lite) within 5 working days.

[email protected]

Privacy and data-subject requests live on /privacy.

Procurement reviewer in the room? Let us walk you through it.

Join fintechs and banks across Indonesia who trust Straventa for their compliance and risk operations.