Compliance Posture

Compliance Posture

This page describes the regulatory frameworks and engineering practices that inform how Struxen is built, the certifications we hold, and the ones we do not hold. We state this plainly because security reviewers need accurate information to complete vendor assessments.

What We Have Implemented

Implemented Practices

Encryption practices

All data is encrypted at rest using AWS KMS-managed keys (AES-256). All data is encrypted in transit using TLS 1.2 or higher. This applies to all public endpoints and all internal service communication.

Identity and access management

Service roles are scoped to specific AWS resource ARNs under a least-privilege model. Each tier of the system is isolated so that, for example, the authentication tier cannot access billing data.

Network isolation

Data-tier resources run inside an Amazon VPC. Security-group rules deny all public-internet ingress to these resources. Only the application tier can reach them.

Audit logging

An append-only, per-organization audit log records authentication events, mutations, sensitive reads, and permission denials. The log cannot be modified or deleted by users.

Environment separation

Production runs in an AWS account separate from development. There are no shared credentials, no shared data, and no cross-environment service roles.

Incident response

Written incident-response procedures are in place covering detection, containment, and customer notification. In the event of a personal data breach, affected customers are notified within 72 hours per the DPA.

Contractual data-protection commitments

The Data Processing Addendum (available at /dpa) provides GDPR Article 28-compliant contractual commitments covering processing purpose limitation, sub-processor controls, data subject rights assistance, security measures, breach notification, and data deletion on termination. International data transfers from the EEA, UK, and Switzerland are governed by the European Commission’s Standard Contractual Clauses.


Frameworks

Frameworks We Engineer Toward

The following frameworks inform how Struxen is built. We do not claim certification against any of them.

AWS Well-Architected Framework: Security Pillar

Covers IAM, infrastructure protection, data protection, detection, and incident response practice areas.

OWASP Top 10

Application security controls including authentication hardening, injection prevention, and access-control enforcement are designed with reference to the OWASP Top 10.

GDPR and CCPA principles

Data minimization, purpose limitation, and data subject rights are addressed in the DPA and Privacy Policy.


Questionnaires

Vendor Questionnaires

We respond to vendor security questionnaires including CAIQ, SIG Lite, and custom formats. Contact security@struxen.io with the subject “Vendor security review.” We can also schedule a call with your security team.

Contact security