Security-first by design

Your data is protected by enterprise-grade security

Built with defense-in-depth architecture from day one. We are transparent about what is implemented, what is in progress, and what is planned.

  • SOC 2 Type II: audit in progress
  • ISO 27001: controls aligned
  • GDPR-aware design
  • UAE PDPL: under legal review

Technical Security Controls

Implemented and operational: not aspirational.

Encryption

AES-256 for all data at rest. TLS 1.3 enforced for all data in transit. HSTS enabled. No plaintext HTTP.

Access Control

5-layer guard chain: Authentication → Company → Role Context → Permission → Subscription. PostgreSQL Row-Level Security enforces tenant isolation at the database layer. MFA supported for all users; mandatory for admin accounts.
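As an added illustration of the database-layer control described above (example code, not the VEXORS schema or policy), this is how a PostgreSQL Row-Level Security policy keyed on a company_id column is typically wired: the application connects as a non-owner role, the tenant is bound per request through a session setting, and a request that never set the tenant sees no rows rather than all rows. The table, role and setting names (projects, app_user, app.company_id) and the sample UUIDs are assumptions.

```sql
-- Added example: tenant isolation with PostgreSQL Row-Level Security.
-- Table, role and setting names are assumptions, not the product's own schema.

CREATE TABLE projects (
  id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  company_id  uuid NOT NULL,
  name        text NOT NULL
);

-- The application connects as a role that is neither superuser nor table owner,
-- because both can bypass RLS unless it is forced.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON projects TO app_user;

-- Enable RLS and FORCE it so even the table owner is subject to the policy.
ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
ALTER TABLE projects FORCE ROW LEVEL SECURITY;

-- One policy covers reads (USING) and writes (WITH CHECK): a row is visible or
-- writable only when its company_id equals the tenant bound to this session.
-- current_setting(..., true) returns NULL when the setting is absent, and
-- "company_id = NULL" is never true, so a request that forgot to bind the
-- tenant gets zero rows instead of every row (fail closed).
CREATE POLICY tenant_isolation ON projects
  FOR ALL TO app_user
  USING      (company_id = current_setting('app.company_id', true)::uuid)
  WITH CHECK (company_id = current_setting('app.company_id', true)::uuid);

-- Per request, after authentication has resolved the caller's company, the
-- application binds the tenant for the current transaction only (SET LOCAL
-- is discarded at COMMIT/ROLLBACK, so pooled connections do not leak it).
BEGIN;
SET LOCAL app.company_id = '11111111-1111-1111-1111-111111111111';  -- constructed sample tenant

SELECT id, name FROM projects;   -- returns only rows whose company_id is the bound tenant

-- An attempt to write a row for a different tenant is rejected by WITH CHECK
-- with "new row violates row-level security policy", regardless of application code.
INSERT INTO projects (company_id, name)
  VALUES ('22222222-2222-2222-2222-222222222222', 'other tenant');
ROLLBACK;
```

In application code the tenant should be bound with a parameterized call such as `SELECT set_config('app.company_id', $1, true)` rather than string-building a SET statement, so the policy itself never becomes an injection point. RLS here is a second layer behind the application's own company_id filter: it catches a query that forgot the filter rather than replacing it.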

Audit Logging

Immutable append-only activity log. Every action recorded with actor, timestamp, and context. Tamper-resistant by design.
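The append-only property described above can be enforced inside PostgreSQL in two layers, shown here as an added example (not the product's own schema; table, role and column names are assumptions): the application role is granted INSERT and SELECT only, and a trigger refuses UPDATE, DELETE and TRUNCATE even for roles that do hold those privileges, so a later mistaken GRANT does not quietly make the log mutable.

```sql
-- Added example: an append-only activity log. Names are assumptions.

CREATE TABLE activity_log (
  id          bigserial PRIMARY KEY,
  occurred_at timestamptz NOT NULL DEFAULT now(),
  actor_id    uuid NOT NULL,           -- who performed the action
  company_id  uuid NOT NULL,           -- tenant the action belongs to
  action      text NOT NULL,           -- e.g. 'project.delete'
  context     jsonb NOT NULL DEFAULT '{}'::jsonb  -- request/resource details
);

-- Layer 1: least privilege. The application role can write new entries and
-- read them, but holds no UPDATE, DELETE or TRUNCATE privilege at all.
CREATE ROLE app_user NOLOGIN;
GRANT INSERT, SELECT ON activity_log TO app_user;
GRANT USAGE ON SEQUENCE activity_log_id_seq TO app_user;

-- Layer 2: a statement-level trigger that aborts any mutation of existing rows,
-- including attempts by the table owner. TG_OP names the blocked operation.
CREATE OR REPLACE FUNCTION reject_log_mutation() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'activity_log is append-only: % is not permitted', TG_OP
    USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER activity_log_append_only
  BEFORE UPDATE OR DELETE OR TRUNCATE ON activity_log
  FOR EACH STATEMENT EXECUTE FUNCTION reject_log_mutation();

-- Recording an action (constructed sample values):
INSERT INTO activity_log (actor_id, company_id, action, context)
VALUES ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa',
        '11111111-1111-1111-1111-111111111111',
        'project.delete',
        '{"project_id": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"}');

-- Each of these now fails with ERRCODE insufficient_privilege:
-- UPDATE activity_log SET action = 'project.read' WHERE id = 1;
-- DELETE FROM activity_log WHERE id = 1;
-- TRUNCATE activity_log;
```

This protects the log against the application and against accidental privilege grants; it does not by itself stop a database superuser from dropping the trigger. Tamper evidence against that actor comes from shipping entries to storage the database role cannot rewrite (for example a separate logging account or object-lock bucket) or from hash-chaining rows so any edit breaks the chain.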

Secrets Management

AWS Secrets Manager for all credentials. Automatic rotation: database passwords every 90 days, JWT keys every 6 months. No secrets in code or environment variables.

Data Protection

Your rights and how we protect them.

Data Subject Rights

Export your data at any time via account settings. Request deletion: all your data is removed within 30 days. Portability in standard formats.

Data Retention

Explore: 30-day activity log. Grow: 1-year retention. Scale: configurable retention with custom DPA available.

Data Processing Agreement

A DPA is available for all Scale tier customers. Contact us to request your organisation's DPA before signing up.

Compliance Posture

Transparent about what is built, what is deferred, and why.

GDPR (EU General Data Protection Regulation)

GDPR-aware design

What's built

  • Data subject rights implemented: export (GET /account/export), deletion (30-day soft delete), portability
  • Per-tier data retention policies (Explore: 30d, Grow: 1yr, Scale: custom)
  • Cookie consent banner implemented: strictly necessary cookies auto-placed; functional and analytics require explicit user opt-in
  • DPA template drafted and available for Scale tier customers; public DPA page at /dpa
  • Cross-border EU→US transfers covered by Standard Contractual Clauses (SCCs)

What's deferred & why

DPO appointment, formal data mapping (ROPA), and a 72-hour breach notification SLA are deferred to Phase 6, triggered at 500+ EU-registered companies or the first enterprise customer requiring contractual compliance.

SOC 2 Type II

Audit in progress

What's built

  • All Trust Service Criteria controls architecturally in place: access control, encryption, availability, confidentiality
  • Multi-AZ deployment (synchronous standby) + PITR backup (14-day retention)
  • Immutable audit log + CloudWatch monitoring + Sentry alerting
  • Incident response plan drafted
  • Internal security maturity score: 86/100, no unresolved Critical or High findings
  • Third-party penetration test planned prior to SOC 2 auditor engagement

What's deferred & why

Independent SOC 2 auditor not yet engaged. Type II requires a 6–12 month observation period once an auditor is appointed. Target: Q4 2026 certification. We will publish the report summary upon completion.

ISO 27001

Controls aligned

What's built

  • Architecture follows ISO 27001 principles: defense-in-depth, least privilege, need-to-know access
  • AWS Secrets Manager with automatic rotation policies for all credentials
  • Vulnerability management: Dependabot + CI audit block on HIGH/CRITICAL CVEs
  • Change management via Infrastructure as Code (Terraform), no manual infrastructure changes

What's deferred & why

Formal ISMS documentation (scope document, Statement of Applicability, ISO-format risk register) not yet complete. Certification planned after SOC 2 Type II is obtained.

UAE PDPL & DIFC Data Protection Law

Under legal review

What's built

  • Data subject rights (access, correction, deletion) are implemented for all users including UAE residents
  • Privacy policy addresses UAE-based users and data subject rights
  • Legal review of UAE Federal Decree-Law No. 45 of 2021 (UAE PDPL) and DIFC DP Law No. 5 of 2020 is underway

What's deferred & why

Full regulatory mapping and formal legal counsel review are in progress. This is a priority given that VEXORS FZC is a UAE-registered entity (Sharjah Publishing City Free Zone). Compliance confirmation is expected before the first enterprise customer onboarding in the UAE.

Data Residency

Primary region: AWS us-east-1 (United States). All data hosted in the US unless a contractual data residency requirement is agreed.

EU region (eu-west-1): planned for Phase 6, triggered at 500+ EU-registered companies. EU→US transfers covered by Standard Contractual Clauses.

Scale customers may request a contractual data residency commitment. Contact us before signing up.

OWASP Top 10 Coverage

| ID  | Threat                     | Mitigation |
|-----|----------------------------|------------|
| A01 | Broken Access Control      | RBAC + Row-Level Security + UUID PKs + company_id filter on every query |
| A02 | Cryptographic Failures     | TLS 1.3 enforced + AES-256 at rest + bcrypt (cost 12) + RS256 JWT + AWS Secrets Manager |
| A03 | Injection                  | Parameterized queries only + class-validator DTOs + no raw SQL construction |
| A04 | Insecure Design            | Threat-modeled at design phase + defense-in-depth architecture + dual-role insider threat guard |
| A05 | Security Misconfiguration  | Terraform IaC for all infrastructure + WAF rules + no default credentials |
| A06 | Vulnerable Components      | Dependabot enabled + pnpm audit --audit-level=high blocks CI on HIGH/CRITICAL CVEs |
| A07 | Auth Failures              | Brute force lockout (5 attempts → 15-min block) + single-use token rotation + family detection |
| A08 | Software Integrity         | Pinned GitHub Actions + signed commits policy + ECR image scanning |
| A09 | Logging Failures           | Immutable activity log + CloudWatch 2yr retention (Scale) + Sentry for exceptions |
| A10 | SSRF                       | No user-supplied URLs processed server-side + S3 presigned URLs + webhook URL blocklist validation |

Responsible Disclosure

Found a security vulnerability? Email security@vexors.com. We acknowledge all reports within 5 business days, keep you informed of progress, and credit responsible disclosures with researcher consent.

This page describes our current security posture as of the date shown. Claims are subject to independent verification. Enterprise security assessments available on request.