Trust Center · Security Posture

Struxen Security and Privacy

This page documents the security controls, data practices, and contractual commitments that govern how Struxen handles your organization’s data. All claims on this site reflect the system as it operates today unless explicitly noted otherwise.

Last updated: May 8, 2026

Security Controls

Control Highlights

The following is a summary of key controls. The Controls page contains full descriptions and implementation status for every control.

Identity

Sign-in uses Secure Remote Password protocol; passwords are never transmitted to or stored by our servers.

MFA

Time-based one-time passwords (TOTP) are available to every user via any standard authenticator app.

Access

Two-layer authorization (organization role + project role) is enforced server-side on every API request.

Audit

Every mutation, sensitive read, authentication event, and permission denial is written to an append-only log scoped to your organization.

Encryption

All data is encrypted at rest (AES-256, AWS KMS-managed keys) and in transit (TLS 1.2 or higher).


Subprocessors

Sub-processors

We use 18 vendors across 8 categories: cloud infrastructure, AI models, engineering, observability, productivity, communications, billing, and optional integrations. All core platform data is hosted on Amazon Web Services in the United States.

See the full sub-processor list

Documents

Documents Available

Privacy PolicyPublic
/privacy →
Data Processing AddendumPublic
/dpa →
Terms of ServicePublic
/terms →
Security questionnaire responseOn request
security@struxen.io →
See all documents

Compliance

Compliance Posture

Struxen is engineered against the AWS Well-Architected Security Pillar, OWASP Top 10 application-security guidance, and GDPR & CCPA data-protection principles. The compliance page details the contractual commitments (DPA, SCCs) and frameworks our controls map to.

See our full compliance posture

Security Contact

Reporting a Security Issue

If you believe you have found a security vulnerability in any Struxen surface (the application, the marketing site, an API, or an email), email security@struxen.io. Include reproduction steps and the impact you observed. We will acknowledge every report within two business days.

We respond to vendor security questionnaires (CAIQ, SIG Lite, custom) and can schedule a call with your security team. Email security@struxen.io with the subject “Vendor security review.”

Procurement & Security Review

Need this in a questionnaire?

We respond to vendor security questionnaires (CAIQ, SIG Lite, custom) and can schedule a call with your security team.