Compliance Posture
This page describes the regulatory frameworks and engineering practices that inform how Struxen is built, the certifications we hold, and the ones we do not hold. We state this plainly because security reviewers need accurate information to complete vendor assessments.
Implemented Practices
Encryption practices
All data is encrypted at rest using AWS KMS-managed keys (AES-256). All data is encrypted in transit using TLS 1.2 or higher. This applies to all public endpoints and all internal service communication.
Identity and access management
Service roles are scoped to specific AWS resource ARNs under a least-privilege model. Each tier of the system is isolated so that, for example, the authentication tier cannot access billing data.
Network isolation
Data-tier resources run inside an Amazon VPC. Security-group rules deny all public-internet ingress to these resources. Only the application tier can reach them.
Audit logging
An append-only, per-organization audit log records authentication events, mutations, sensitive reads, and permission denials. The log cannot be modified or deleted by users.
Environment separation
Production runs in an AWS account separate from development. There are no shared credentials, no shared data, and no cross-environment service roles.
Incident response
Written incident-response procedures are in place covering detection, containment, and customer notification. In the event of a personal data breach, affected customers are notified within 72 hours per the DPA.
Contractual data-protection commitments
The Data Processing Addendum (available at /dpa) provides GDPR Article 28-compliant contractual commitments covering processing purpose limitation, sub-processor controls, data subject rights assistance, security measures, breach notification, and data deletion on termination. International data transfers from the EEA, UK, and Switzerland are governed by the European Commission’s Standard Contractual Clauses.
Frameworks We Engineer Toward
The following frameworks inform how Struxen is built. We do not claim certification against any of them.
AWS Well-Architected Framework: Security Pillar
Covers IAM, infrastructure protection, data protection, detection, and incident response practice areas.
OWASP Top 10
Application security controls including authentication hardening, injection prevention, and access-control enforcement are designed with reference to the OWASP Top 10.
GDPR and CCPA principles
Data minimization, purpose limitation, and data subject rights are addressed in the DPA and Privacy Policy.
Vendor Questionnaires
We respond to vendor security questionnaires including CAIQ, SIG Lite, and custom formats. Contact security@struxen.io with the subject “Vendor security review.” We can also schedule a call with your security team.
Contact security