Security Controls
The controls below describe how Struxen is built and operated today. Status values are Implemented, In progress, or Planned. We do not list aspirational items without a status of Implemented unless they carry an explicit label.
Identity and Access Management
Passwords are never transmitted to our servers. The server verifies identity from a salted verifier without ever receiving the secret.
Time-based one-time passwords are available to every user via any standard authenticator app. Per-user enrollment is available today.
Organization owners will be able to require MFA for all members. Individual enrollment is available now.
Federated sign-in for teams using Autodesk Construction Cloud. No second password is required.
Session tokens are stored in HttpOnly, Secure cookies. They are not accessible to JavaScript running on the page, including third-party scripts.
Every state-changing request must include a custom Struxen client header. Requests from origins other than Struxen are rejected.
An org owner can invalidate other active admin sessions immediately. Useful when a device is lost or a contractor’s access should be revoked.
Controls who can manage billing, invite team members, configure custom roles, and create projects. Every organization has exactly one Owner.
Controls what a user can do within a specific project. Org membership does not grant project access; each project’s team is managed separately.
Organizations can define up to 25 custom roles. Permissions are toggled across 38 discrete actions organized by feature area.
Permission checks run on every API route. UI state (hidden buttons) is not a security boundary; the API is the boundary.
Deleting a project and managing the team roster are reserved for built-in roles and cannot be delegated to a custom role.
Every denied API request is recorded in the organization’s audit log.
Audit Logging and Observability
Every mutation, sensitive read, authentication event, and permission denial is recorded in a log scoped to the organization. The log cannot be modified or deleted by users.
Each entry records: timestamp (server-side UTC), actor user ID and email, action (typed resource:verb identifier), resource ID, project ID where applicable, outcome (allowed / denied / error), originating IP, and user agent.
Read-class events are deduplicated to one record per user, resource, and action per five-minute window to keep the log signal useful.
Org Admins can access an Activity tab in the admin console with filters for date, actor, action, resource, project, and free-text search. Filter state is reflected in the URL and can be shared as a link.
Filtered audit log results can be exported to CSV in one action.
Audit records are retained for a minimum of 2 years.
Per-organization audit log retention configuration. Default retention is 2 years.
Application Security
Every API route loads the requesting user’s organization and the target resource’s organization and rejects mismatches. A mismatch returns HTTP 404, not 403, to avoid leaking the existence of resources in other organizations.
Tenant validation runs on every read and every write. It is not bypassed on any route.
Core platform data lives entirely within Amazon Web Services, in Struxen’s own AWS account. No external analytics warehouse or SaaS log aggregator holds project content.
No session-replay scripts, behavioral fingerprinting SDKs, or advertising trackers are loaded in the application. First-party telemetry is limited to product reliability.
Cookies in the application are used only for authentication, session continuity, and CSRF prevention. No third-party advertising trackers.
Customer project content is not used to train Struxen’s AI models or those of its sub-processors. AI processing occurs solely to deliver results within the customer’s account.
Struxen, Inc. staff cannot read customer data, query customer tables, or impersonate a user in a customer organization.
Struxen, Inc. cannot add or remove users from a customer organization or change role assignments.
Infrastructure Security
All databases, object stores, and search indexes use AWS KMS-managed encryption (AES-256).
Customer-managed KMS keys are on the roadmap.
TLS 1.2 or higher is enforced on all public endpoints and all internal service-to-service communication.
PITR is enabled on all critical production database tables with a 35-day recovery window.
Customer-data tables carry a RETAIN removal policy so an infrastructure change cannot accidentally delete them.
Every service role is scoped to specific resource ARNs. The authentication tier, for example, cannot read billing data. Roles are stack-isolated.
Data-tier services run inside a VPC with security-group rules that deny public-internet ingress. Only the application tier can reach them.
Production runs in an AWS account that is separate from development. No shared credentials, no shared data, no cross-environment service roles.
All production data is stored in AWS us-east-1 (United States).
Additional regions, including EU data residency, are on the roadmap and will be opt-in per organization.
Dependencies are monitored for known vulnerabilities and patched on a timely basis.
Personnel with access to personal data are subject to background checks and confidentiality obligations.
Data Protection and Privacy
Struxen assists customers in fulfilling data subject requests (access, rectification, erasure, restriction, portability, objection) under GDPR, CCPA, and equivalent regimes.
Customer data is not sold to any third party for any purpose.
Customer project content is not used for advertising or profiling.
Credit card numbers and payment-method details never touch Struxen infrastructure. Payments are processed by Stripe, Inc. as merchant of record.
Upon termination of the agreement, customer personal data is returned or deleted within 30 days (per DPA Section 13). Backup copies are deleted within 90 days of primary deletion.
International transfers of personal data from the EEA, UK, or Switzerland are governed by the European Commission’s Standard Contractual Clauses (Module Two: Controller to Processor) and, where applicable, the UK International Data Transfer Addendum.
A DPA compliant with GDPR Article 28 is publicly available at /dpa and is incorporated by reference into the Terms of Service.
Incident Response
In the event of a personal data breach affecting customer data, Struxen will notify the affected customer within 72 hours of becoming aware of the breach (per DPA Section 10).
Struxen maintains written incident-response procedures covering detection, containment, and customer notification.
A coordinated disclosure process is in place. Reports submitted to security@struxen.io are acknowledged within two business days.
Operational Security
Technical and organizational measures are documented in the publicly available DPA (Section 9) and in this trust center.
Security controls are reviewed on a documented schedule.
An independent penetration test has not yet been conducted. This control is listed as Planned.
Questions about these controls?
We respond to vendor security questionnaires (CAIQ, SIG Lite, custom) and can schedule a call with your security team. Email security@struxen.io with the subject “Vendor security review.”
Contact security