Trust & Security

How we protect your data, source our intelligence, and operate the platform.

Strait Up Maritime is a sanctions screening and compliance monitoring platform. Compliance teams use our output to inform decisions with legal and financial consequences. This page documents our security practices, data sources, update cadences, known limitations, and corporate structure so you can evaluate us as a vendor and design your compliance program around our specific capabilities.

Regulatory status

Strait Up Maritime is an informational screening tool. We are not a regulated financial services provider, a law firm, a legal services provider, or a sanctions authority. We are not authorised by OFAC, OFSI, or any other regulatory body to make compliance determinations. We do not provide investment advice. Our output is informational and does not constitute legal advice or a regulatory filing. See our Terms of Service (Sections 5–5c) for full details.

Corporate structure and data transfer framework

Entity | Role | Jurisdiction
Prime Calibre Pty Ltd | Customer-facing reseller, billing, support — your contracting party and data processor | Australia (ABN 76 678 167 407)
Prime Calibre Limited | Platform owner, IP principal, technology and data operations — sub-processor | Hong Kong

Your subscription contract is with Prime Calibre Pty Ltd (Australia). The platform, its intellectual property, and underlying technology are owned and operated by Prime Calibre Limited (Hong Kong). Prime Calibre Pty Ltd is an authorised reseller of Prime Calibre Limited under a distribution agreement that includes a trademark licence for the Strait Up Maritime brand.

Hong Kong data transfer framework

Customer personal data is hosted in Singapore (not Hong Kong). Prime Calibre Limited (Hong Kong) operates the platform as a sub-processor under our Data Processing Agreement and may access personal data as necessary for platform operation, support, and development. Transfers of personal data from the UK/EEA to Hong Kong are covered by the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914, Module Two or Three as applicable) and, for UK transfers, the UK International Data Transfer Addendum. A Transfer Impact Assessment is available on request.

Government data access

We have received no government data access requests to date from any jurisdiction. We will challenge requests we believe to be unlawful and will notify affected customers where legally permitted to do so. Our policy is to minimise the personal data we hold and to resist disclosure of customer screening activity to any third party.

Data sources and update cadence

We aggregate data from public sanctions lists and third-party maritime data providers. We do not originate sanctions data — we consolidate, cross-reference, and present it. The accuracy and timeliness of our output depends on the accuracy and timeliness of these upstream sources.

Source | Data type | Update frequency
OFAC SDN List | US sanctions designations | Daily
EU Consolidated List | EU sanctions designations | Daily
UN Security Council | UN sanctions designations | Daily
UK OFSI | UK sanctions designations | Daily
Australia DFAT | Australian sanctions designations | Daily
Japan MoF | Japanese sanctions designations | Daily
Switzerland SECO | Swiss sanctions designations | Daily
AIS feeds | Vessel positions (terrestrial + satellite) | Continuously, typically every 20–40 minutes per vessel
Vessel registries | Ownership, flag, classification, DWT | Enriched on first detection, refreshed periodically
IMF PortWatch | Historical chokepoint baselines (2019–2026) | Monthly

Detection latency

There is an inherent delay between the moment a sanctions authority publishes a new designation and the moment it appears in our system. Our sanctions lists are polled daily. In practice, designations published during business hours by OFAC or the EU typically appear in our system within 24 hours. We do not currently guarantee a specific detection-to-alert latency — if latency SLAs are important to your compliance program, contact us to discuss your requirements.

Every screening result includes a timestamp showing when the screening was performed and which lists were checked.

Scope and known limitations

What we screen

What we do not screen

Other limitations

Infrastructure and data residency

Application hosting

Railway (Singapore region) — application server, PostgreSQL database, object storage for uploaded documents

CDN & edge

Cloudflare — global edge network, DNS, DDoS protection, TLS termination

Payment processing

Stripe (Australia / US) — PCI DSS Level 1 certified. We do not store card numbers.

Email

Resend (US) — transactional email only (login codes, alert notifications, reports)

All customer data is hosted in Singapore (Railway's Asia-Southeast region). The website is served globally via Cloudflare's edge network. We do not currently offer data residency in other regions.

Security controls

Control | Implementation
Encryption in transit | TLS 1.2+ on all connections. HSTS enforced.
Encryption at rest | Uploaded documents in encrypted object storage (Railway Buckets). Database hosted on Railway's managed PostgreSQL with provider-level disk encryption.
Authentication | Passwordless (magic link + OTP via email). Cryptographically generated session tokens. No passwords stored.
Injection prevention | Parameterised database queries throughout. No raw SQL interpolation.
Security headers | HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy on all responses
Rate limiting | Per-IP and per-account rate limits on screening and authentication endpoints
Tenant isolation | All queries scoped by customer_id; application-level tenant isolation enforced across all data access paths
Session management | Sessions expire after inactivity. Logout invalidates server-side session record.
API surface | We do not currently offer API access. All interaction is via authenticated dashboard sessions, reducing attack surface.
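
The four response headers named in the table above can be checked against captured responses during a vendor evaluation. The following is an added example, not code from Strait Up Maritime; the sample responses, the 180-day HSTS threshold and the set of accepted Referrer-Policy values are assumptions made for illustration.

```python
# Constructed sample responses; header values are illustrative, not captured traffic.
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK = {
    "strict-transport-security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
}

MIN_HSTS_AGE = 15552000  # 180 days; the reviewer's own threshold (assumption)
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def parse_hsts(value):
    """Return (max_age or None, include_subdomains) from an HSTS header value."""
    max_age, subdomains = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            max_age = int(arg.strip('"'))
        elif name.lower() == "includesubdomains":
            subdomains = True
    return max_age, subdomains


def audit_headers(headers):
    """Return a list of findings; an empty list means all four checks passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    elif (parse_hsts(hsts)[0] or 0) < MIN_HSTS_AGE:
        findings.append("HSTS max-age too short")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not nosniff")
    if h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("X-Frame-Options missing or invalid")
    # The header may list fallbacks; this simplified check looks at the last value.
    tokens = [t.strip().lower() for t in h.get("referrer-policy", "").split(",") if t.strip()]
    if not tokens or tokens[-1] not in SAFE_REFERRER:
        findings.append("Referrer-Policy missing or leaks full URL")
    return findings
```
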

Personnel security

All personnel with access to production systems or customer data are under confidentiality agreements. Production access is limited to essential personnel and is revoked on departure. Customer screening activity is treated as commercially sensitive and is not disclosed to any third party.

Vulnerability management

Dependencies are monitored for known vulnerabilities. Security patches for critical CVEs are applied promptly. For responsible disclosure of security issues, contact [email protected].

Data handling

What we store

What we don't store

Data portability and export

Customers on Starter and Professional plans can export their watchlist and audit trail as CSV from the dashboard. Account data and screening history can be provided on request by emailing [email protected]. You can delete your account and all associated data at any time via the dashboard settings page.

Compliance and legal

GDPR / UK GDPR

DPA available with 2021 SCCs (Module Two/Three) + UK IDTA for international transfers.

Data subject rights

Access, rectification, erasure, portability, restriction, objection. Email [email protected]

Breach notification

Without undue delay and within 72 hours of awareness, per our DPA. Includes nature, scope, and remediation.

DPIA support

We provide information to support customer Data Protection Impact Assessments on request.

Business continuity

Database backups are managed by Railway per their infrastructure SLA. The application is stateless and can be redeployed from source. Formal disaster recovery procedures with measured RTO/RPO targets are on our roadmap.

Screening methodology

When you screen a vessel, we:

  1. Match the vessel identifier (IMO, MMSI, or name — including recorded aliases and historical names) against our consolidated database of 7 international sanctions lists
  2. Check for ownership, management, and flag-state risk indicators from public vessel registries
  3. Assess behavioural indicators: AIS dark periods, ship-to-ship transfer patterns, floating storage, flag changes, visits to high-risk zones
  4. Present each indicator individually with its source and basis, alongside a composite risk score

Screening result states

Every screening result returns one of three states:

Risk score

We present a composite risk score (0–100) alongside individual risk factors and their weighting. The score is a summary of observable indicators — it is not a compliance determination. Each factor (sanctions match, flag risk, dark periods, STS transfers, flag changes, floating storage) is weighted and shown individually so your compliance team can assess the basis for the score and apply their own judgment. The scoring model is documented internally and available for review on request.

Intelligence products

Dark Fleet Report

Our weekly (or daily, on Professional plans) Dark Fleet Report is an intelligence summary of sanctioned vessel activity based on public data, AIS behaviour analysis, and analyst judgment. Named-vessel assessments in the report describe observed patterns and public designations — they are not conclusions about illegal activity. Language in the report reflects what has been observed ("vessel has been observed operating with AIS disabled for X days") rather than what has been concluded ("vessel is engaged in sanctions evasion").

Corrections and clarifications can be requested by emailing [email protected].

Vendor questionnaire

We provide completed security questionnaires on request. For standard or custom questionnaires, contact [email protected] with your questionnaire and we will return it promptly.

Documents

Roadmap

Last updated: 22 April 2026. Questions: [email protected]