Security Controls

Security Controls

The controls below describe how Struxen is built and operated today. Status values are Implemented, In progress, or Planned. We do not list aspirational items without a status of Implemented unless they carry an explicit label.

IAM

Identity and Access Management

Secure Remote Password (SRP) authenticationImplemented

Passwords are never transmitted to our servers. The server verifies identity from a salted verifier without ever receiving the secret.

TOTP multi-factor authenticationImplemented

Time-based one-time passwords are available to every user via any standard authenticator app. Per-user enrollment is available today.

Org-wide MFA enforcementPlanned

Organization owners will be able to require MFA for all members. Individual enrollment is available now.

Autodesk SSO (OAuth 2.0 / OIDC)Implemented

Federated sign-in for teams using Autodesk Construction Cloud. No second password is required.

HttpOnly session cookiesImplemented

Session tokens are stored in HttpOnly, Secure cookies. They are not accessible to JavaScript running on the page, including third-party scripts.

CSRF protectionImplemented

Every state-changing request must include a custom Struxen client header. Requests from origins other than Struxen are rejected.

Versioned session tokens (remote sign-out)Implemented

An org owner can invalidate other active admin sessions immediately. Useful when a device is lost or a contractor’s access should be revoked.

Organization roles (Owner / Admin / Member)Implemented

Controls who can manage billing, invite team members, configure custom roles, and create projects. Every organization has exactly one Owner.

Project roles (Project Admin / Editor / Viewer)Implemented

Controls what a user can do within a specific project. Org membership does not grant project access; each project’s team is managed separately.

Custom rolesImplemented

Organizations can define up to 25 custom roles. Permissions are toggled across 38 discrete actions organized by feature area.

Server-side permission enforcementImplemented

Permission checks run on every API route. UI state (hidden buttons) is not a security boundary; the API is the boundary.

Privileged action restrictionImplemented

Deleting a project and managing the team roster are reserved for built-in roles and cannot be delegated to a custom role.

Denied-request loggingImplemented

Every denied API request is recorded in the organization’s audit log.


Audit

Audit Logging and Observability

Append-only audit log per organizationImplemented

Every mutation, sensitive read, authentication event, and permission denial is recorded in a log scoped to the organization. The log cannot be modified or deleted by users.

Audit log fieldsImplemented

Each entry records: timestamp (server-side UTC), actor user ID and email, action (typed resource:verb identifier), resource ID, project ID where applicable, outcome (allowed / denied / error), originating IP, and user agent.

Read-event deduplicationImplemented

Read-class events are deduplicated to one record per user, resource, and action per five-minute window to keep the log signal useful.

Audit log access for org adminsImplemented

Org Admins can access an Activity tab in the admin console with filters for date, actor, action, resource, project, and free-text search. Filter state is reflected in the URL and can be shared as a link.

CSV exportImplemented

Filtered audit log results can be exported to CSV in one action.

Default audit log retentionImplemented

Audit records are retained for a minimum of 2 years.

Per-organization retention configurationPlanned

Per-organization audit log retention configuration. Default retention is 2 years.


AppSec

Application Security

Tenant isolation (cross-org access prevention)Implemented

Every API route loads the requesting user’s organization and the target resource’s organization and rejects mismatches. A mismatch returns HTTP 404, not 403, to avoid leaking the existence of resources in other organizations.

Server-side tenant check on every read and writeImplemented

Tenant validation runs on every read and every write. It is not bypassed on any route.

No third-party data processors for core platform dataImplemented

Core platform data lives entirely within Amazon Web Services, in Struxen’s own AWS account. No external analytics warehouse or SaaS log aggregator holds project content.

No session-replay or behavioral fingerprintingImplemented

No session-replay scripts, behavioral fingerprinting SDKs, or advertising trackers are loaded in the application. First-party telemetry is limited to product reliability.

Functional-only cookiesImplemented

Cookies in the application are used only for authentication, session continuity, and CSRF prevention. No third-party advertising trackers.

No AI training on customer dataImplemented

Customer project content is not used to train Struxen’s AI models or those of its sub-processors. AI processing occurs solely to deliver results within the customer’s account.

No Struxen staff access to customer dataImplemented

Struxen, Inc. staff cannot read customer data, query customer tables, or impersonate a user in a customer organization.

No Struxen modification of customer team membershipImplemented

Struxen, Inc. cannot add or remove users from a customer organization or change role assignments.


Infrastructure

Infrastructure Security

Encryption at restImplemented

All databases, object stores, and search indexes use AWS KMS-managed encryption (AES-256).

Customer-managed encryption keys (CMK)Planned

Customer-managed KMS keys are on the roadmap.

Encryption in transitImplemented

TLS 1.2 or higher is enforced on all public endpoints and all internal service-to-service communication.

Point-in-time recoveryImplemented

PITR is enabled on all critical production database tables with a 35-day recovery window.

Infrastructure removal protectionImplemented

Customer-data tables carry a RETAIN removal policy so an infrastructure change cannot accidentally delete them.

Least-privilege IAMImplemented

Every service role is scoped to specific resource ARNs. The authentication tier, for example, cannot read billing data. Roles are stack-isolated.

Network isolation (VPC)Implemented

Data-tier services run inside a VPC with security-group rules that deny public-internet ingress. Only the application tier can reach them.

Environment separationImplemented

Production runs in an AWS account that is separate from development. No shared credentials, no shared data, no cross-environment service roles.

Data residency: us-east-1Implemented

All production data is stored in AWS us-east-1 (United States).

EU data residencyPlanned

Additional regions, including EU data residency, are on the roadmap and will be opt-in per organization.

Vulnerability scanning and dependency monitoringImplemented

Dependencies are monitored for known vulnerabilities and patched on a timely basis.

Personnel securityImplemented

Personnel with access to personal data are subject to background checks and confidentiality obligations.


Privacy

Data Protection and Privacy

Data subject rights assistanceImplemented

Struxen assists customers in fulfilling data subject requests (access, rectification, erasure, restriction, portability, objection) under GDPR, CCPA, and equivalent regimes.

No sale of customer dataImplemented

Customer data is not sold to any third party for any purpose.

No use of customer data for advertisingImplemented

Customer project content is not used for advertising or profiling.

Payment data isolationImplemented

Credit card numbers and payment-method details never touch Struxen infrastructure. Payments are processed by Stripe, Inc. as merchant of record.

Data deletion on account terminationImplemented

Upon termination of the agreement, customer personal data is returned or deleted within 30 days (per DPA Section 13). Backup copies are deleted within 90 days of primary deletion.

Standard Contractual Clauses (EEA transfers)Implemented

International transfers of personal data from the EEA, UK, or Switzerland are governed by the European Commission’s Standard Contractual Clauses (Module Two: Controller to Processor) and, where applicable, the UK International Data Transfer Addendum.

Data Processing Addendum (DPA)Implemented

A DPA compliant with GDPR Article 28 is publicly available at /dpa and is incorporated by reference into the Terms of Service.


Incident Response

Incident Response

Personal data breach notificationImplemented

In the event of a personal data breach affecting customer data, Struxen will notify the affected customer within 72 hours of becoming aware of the breach (per DPA Section 10).

Documented incident-response proceduresImplemented

Struxen maintains written incident-response procedures covering detection, containment, and customer notification.

Security vulnerability disclosureImplemented

A coordinated disclosure process is in place. Reports submitted to security@struxen.io are acknowledged within two business days.


Ops

Operational Security

Documented security measuresImplemented

Technical and organizational measures are documented in the publicly available DPA (Section 9) and in this trust center.

Regular review of security controlsImplemented

Security controls are reviewed on a documented schedule.

Independent penetration testingPlanned

An independent penetration test has not yet been conducted. This control is listed as Planned.


Procurement & Security Review

Questions about these controls?

We respond to vendor security questionnaires (CAIQ, SIG Lite, custom) and can schedule a call with your security team. Email security@struxen.io with the subject “Vendor security review.”

Contact security