March 13, 2023
 min read

Strac: Protect Sensitive Data Without Touching It

Learn how to collect, display and process sensitive data without ever seeing or touching it on your front end app & backend server


Strac protects businesses from security and compliance risks by securing and managing Personally Identifiable Information (PII) & Protected Health Information (PHI) data. PII/PHI data includes and is not limited to SSN, Insurance, Passport, Drivers License, Date of Birth, Address, Medical Records, etc. In this document, we are going to cover how businesses can leverage Strac to tokenize sensitive data, which allows them never to see, touch or store sensitive data; thereby eliminating all security risks and compliance risks.


To give a perspective on Identity Theft, in 2019, 14.4 million consumers became victims of identity fraud — about 1 in 15 people. Overall, 33 percent of U.S. adults have experienced identity theft, which is more than twice the global average. Over one in four older adults aged 55 and over have experienced identity theft. For all those Identity Theft victims, either SSN or a combination of other PII (Date of Birth, DL, Name) was used to steal their identity.

In 2020, 37B+ data records were exposed in data breaches and $56B+ lost by customers to identity fraud in 2020.

Once an identity theft happens, businesses are responsible for the data breach. In addition to lost reputation & decreased sales, businesses pay $4.24 MM to handle data breach (per IBM 2021 study).

Strac Widget

Strac exposes pre-built js, iOS and android libraries to accept PII/PHI data elements. The widget will tokenize PII/PHI data elements (SSN, Insurance ID, Drivers License, Address, Date of Birth, etc.) & API Keys, and return a token for each sensitive  data element to the business. This will relieve businesses from worrying about storing and handling any PII/PHI data on their servers.

Strac Tokenization

The tokenization API substitutes sensitive data elements with an opaque token. The token is a randomly generated string of text and can be safely stored in the client’s database. If Strac’s web servers or databases were to be breached, an attacker would only gain access to these opaque tokens.

Tokenization service encrypts all data with AES-GCM using the client’s unique 256-bit key (and a unique IV). This key is only made available to the tokenization service during the request's lifetime and is never persisted outside of the application memory. The keys are encrypted using an HSM-backed key (Hardware Security Module).

Collect sensitive data on your web app without ever being seen on front end web app or touching your server via Strac Widget (iFrame).

Strac Outbound Proxy API

Once the business stores tokens for each PII/PHI data element, it would perform some business action with it. For example, businesses would like to do background checks, employee verification, credit check, credit report, etc. with some third-party partners.

Strac offers several APIs to businesses so that they can connect with third-party partners without having to touch PII/PHI data. Businesses only deal with tokens. Businesses can construct their HTTP requests to third-party partners and wherever PII data elements are needed, businesses just insert tokens. Businesses submit these HTTP requests to Strac, and Strac does 2 things:

  1. Strac will detokenize the tokens in requests and insert into right places in HTTP Request
  2. Strac will then forward the request to the third-party partner, and return back the third-party partner's response to the business

This way, businesses will never have to touch PII/PHI data on their servers and can still achieve their business function. All traffic to Strac endpoints are routed through Amazon Web Services (AWS). AWS enforces TLS and requires a minimum of TLS 1.2.

Send Data to third-party partners without even seeing the data via Strac's outbound proxy api

Strac Inbound Proxy API

Once the business stores tokens for each PII/PHI data element, the business would want the ability to display the sensitive data to customers on their browser/app. For example, businesses would like to display patient data.

Strac offers Inbound Proxy APIs allowing businesses to render their customers sensitive data without ever having to touch the sensitive data. The way how it works is:

  1. App sends a list of tokens to detokenize alongside side customer’s authentication credentials. This would be cookies present in the browser or JWT tokens or any other credentials
  2. Strac is a proxy that will forward the customer’s authentication credentials to the business server endpoint. The business server will authenticate the request and return 200 or 401, depending on the request.
  3. If the Business server returns 200, Strac will detokenize and return plaintext sensitive data. If the Business server returns 401, Strac will return back an error to App

Display sensitive data on your web app without your JS app or server ever seeing it with Strac's Inbound Proxy API

This way, businesses will never have to touch PII/PHI data on their servers and can still achieve their business function. All traffic to Strac endpoints are routed through Amazon Web Services (AWS). AWS enforces TLS and requires a minimum of TLS 1.2.

Example #1: Background check with 3rd party provider, Sterling

Let's take the example that business wants to connect with Sterling to do background checks. As part of that, the business will create a candidate request. Assuming business passes in SSN, Address, Date of Birth, the business will construct request as follows:

curl --location --request POST '' \
--proxy <username>:<password>@<id> \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {{bearer_token}}' \
--data-raw '{
  "clientReferenceId": "99912441",
  "givenName": "John",
  "confirmedNoMiddleName": true,
  "familyName": "Doe",
  "dob": "tok_5VCdwLJsbNgPesKSuZdB",
  "email": "",
  "phone": "+14041231234",
  "ssn": "tok_n1aRCFqyW45WbDoGeRUs",
  "address": {
    "addressLine": "tok_sXarAqfe1iolsa6DGgqh",
    "municipality": "tok_Kl0df6qJhpdF8F3hTXIR",
    "postalCode": "tok_lT8RtnYLfpmfecvAfWqz",
    "countryCode": "US"

If you notice, there are tokens for 

  1. Date of Birth (tok_5VCdwLJsbNgPesKSuZdB)
  2. SSN (tok_n1aRCFqyW45WbDoGeRUs)
  3. Address Line (tok_sXarAqfe1iolsa6DGgqh)
  4. Address Municipality (City) (tok_Kl0df6qJhpdF8F3hTXIR)
  5. Address Postal Code. (tok_lT8RtnYLfpmfecvAfWqz)

And a proxy header to point to Strac, i.e. <id>

When the above request is made by the business, the request hits Strac first & Strac will insert the plain-text value at the right place.

Example #2: Patient data intake and display

In this example, a healthcare provider wants to create a web portal for doctor visits. Doctors will use the web portal to upload lab test results after providing care. Patient name and lab test results are uploaded using the Strac Tokenization Widget, which is configured as follows:

Sample widget to collect patient data
const strac = Strac(apiKey)

data = {
    formElements: [{
        label: "1. Patient Name",
        type: "plaintext",
        tokenType: "name"
    }, {
        label: "2. Lab Test Result",
        type: "document"

appearance = {
    theme: 'default',
    variables: {
        colorBackground: '#133C55',
        colorPrimaryText: '#FFFFFF'

strac.elements("tokenization", data, appearance).mount( "#strac-element");

The Strac Tokenization Widget is an iFrame that can be mounted directly into the health care provider’s web portal. The iFrame allows the web portal to define the form’s look, feel, and the fields for users to enter. In the above example, a token for the patient’s name and lab test results will be returned when the form is submitted.

Using an iFrame, Strac can insulate the health care provider from accessing sensitive data directly. The tokens act as safe substitutes for the sensitive data, which can be safely stored.

Later that day, the patient logs in to view the lab results. The web portal achieves this by configuring Strac’s InboundProxy Widget as follows (config top, widget bottom):

const strac = Strac(apiKey)

data = {
    formElements: [
         { id: "name", label: "Name:", type: "plaintext" },
         { id: "labResult", label: "Lab Result:", type: "document" }
    tokens: [
        { formId: "name", token: "tkn_jgP1m98fdsnzBQh43uzCpt" },
        { formId: "name", token: "tkn_zgLs9f8fdsnsBQhs3udCp1" }
    authProxyHeaders: {
        "Authorization": "Bearer " + authToken

appearance = {
    theme: 'default',
    variables: { colorBackground: '#133C55', colorPrimaryText: '#FFFFFF' }

strac.elements("inboundProxy", data, appearance).mount("#strac-element");

Sample display of sensitive data

The widget is configured in a similar way to the Strac Tokenization Widget, with two additional attributes:

  1. tokens describe what values to show to the patients in the iFrame. They were stored by the health care provider using Tokenization Widget earlier.
  2. authProxyHeaders contain the patient’s logged in authentication credentials. Strac verifies the identity with the health care provider authorization servers to ensure only authorized users can view tokens.

Please get in touch with Strac team (either via email or over zoom call) to get your API key to get started!

Founder. YC W22. 11 years at Amazon building Payments Infrastructure (Widget, API, Security).

Latest articles

Browse all