Security questions: security@draxion.io — Response within 1 business day.
Overview
Draxion is an AI governance and cybersecurity platform trusted by enterprise security teams. We apply the same security rigor to protecting your data that our platform applies to governing yours. This page describes our security architecture, controls, and compliance posture.
Infrastructure Security
Hosting and Architecture
- Application hosted on Vercel with global CDN and automatic DDoS mitigation
- Database hosted on Supabase (PostgreSQL) with automated daily backups and point-in-time recovery up to 7 days
- All infrastructure components are in SOC 2 Type II certified data centers
- 99.9% uptime SLA on Professional and Enterprise plans
Network Security
- All traffic encrypted with TLS 1.3 — no unencrypted connections accepted
- API rate limiting enforced via Arcjet on all endpoints
- CORS policies restrict cross-origin requests to authorized domains only
- Webhook payloads validated with cryptographic signatures
Data Security
Encryption
- In transit: TLS 1.3 with forward secrecy for all connections
- At rest: AES-256 encryption for all stored data via Supabase managed encryption
- Secrets: All credentials and API keys managed via Doppler — zero plaintext secrets in codebase or environment
Data Isolation
- Row-level security (RLS) policies on all database tables enforce complete organizational isolation at the query level
- No SELECT * queries permitted in any codebase — all queries specify exact columns
- Organization identifiers validated on every API request — cross-organization data access is impossible at the architecture level
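As an added illustration (not Draxion's own schema or policy code), the following shows how the per-organization isolation described above can be enforced with PostgreSQL row-level security so that the database, not only the application, filters every query. The table `documents`, the role `app_user`, the session variable `app.current_org` and the helper `current_org_id()` are assumptions for the example.

```sql
-- Added illustration of per-organization RLS in PostgreSQL (not Draxion's schema).
-- Assumes: each tenant-scoped table carries an organization_id column, the role
-- app_user already exists, and the application sets the caller's organization in
-- the session variable app.current_org (hypothetical name) before every query.

CREATE TABLE IF NOT EXISTS documents (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    title           text NOT NULL,
    body            text NOT NULL
);

-- Enable RLS and FORCE it so that even the table owner is subject to the policy.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- Remove any default access; the policy below becomes the only path to rows.
REVOKE ALL ON documents FROM PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;

-- Reads the caller's organization from the session. current_setting(..., true)
-- returns NULL instead of raising if the variable was never set, so a request
-- that forgot to set it matches no rows at all (fails closed).
CREATE OR REPLACE FUNCTION current_org_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.current_org', true), '')::uuid
$$;

-- USING filters rows on SELECT/UPDATE/DELETE; WITH CHECK stops an INSERT or
-- UPDATE from writing a row that belongs to a different organization.
CREATE POLICY documents_org_isolation ON documents
    FOR ALL TO app_user
    USING (organization_id = current_org_id())
    WITH CHECK (organization_id = current_org_id());

-- Per-request usage: SET LOCAL scopes the organization to this transaction only,
-- and the query names explicit columns rather than SELECT *.
BEGIN;
SET LOCAL app.current_org = '00000000-0000-0000-0000-000000000001';  -- constructed sample id
SELECT id, title FROM documents ORDER BY id;   -- returns only that organization's rows
INSERT INTO documents (organization_id, title, body)
    VALUES ('00000000-0000-0000-0000-000000000002', 'x', 'y');  -- rejected by WITH CHECK
COMMIT;
```

Because the policy is evaluated inside PostgreSQL, an application bug that omits an `organization_id` filter still cannot return or write another organization's rows; the session variable is the single value that must be set correctly per request.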
Audit Logging
- All data access, modifications, and administrative actions are logged
- Audit logs are tamper-evident using cryptographic JWT signing
- Log retention: 365 days for audit events, 90 days for access logs
- Logs are stored separately from primary application data and are immutable
Application Security
- TypeScript strict mode enforced with a zero-error build policy — no type suppressions permitted
- Automated security quality gates on every code push via CI/CD pipeline
- Prompt injection defense on all LLM inputs — user-controlled data is structurally separated from system prompts
- Per-organization AI token budgets with circuit breakers to prevent abuse and runaway costs
- Input validation on all API endpoints with strict schema enforcement
- CSRF protection on all state-mutating requests
- Content Security Policy headers on all application responses
Access Control
- Authentication managed via Clerk with configurable session timeouts
- Three-tier RBAC: Owner, Admin, Member — with granular permission scoping
- Multi-factor authentication available on all plans, enforced on Enterprise
- All Draxion employee access to production systems requires MFA and is logged
- Principle of least privilege applied to all internal access — engineers access only what their role requires
- Production database access for Draxion engineers requires approval and is time-limited
Compliance Posture
| Framework | Status | Details |
|---|---|---|
| SOC 2 Type II | Audit in Progress | Audit by an independent CPA firm scheduled for Q4 2026. Security architecture built to the Trust Services Criteria. Report available under NDA upon request. SOC 2 is an attestation standard, not a certification. |
| GDPR | Compliant | DPA available. SCCs in place for international transfers. Privacy by design implemented throughout. |
| EU AI Act | Ready | Technical documentation available. Risk classification assessment completed. |
| HIPAA | Capable | BAA available for healthcare customers on Professional and Enterprise plans. |
| ISO 27001 | Aligned | Controls mapped to ISO 27001:2022. Formal certification planned. |
| NIST AI RMF | Aligned | Govern, Map, Measure, and Manage functions implemented. |
Incident Response
Draxion maintains a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. Key commitments:
- Personal data breach notification to affected Customers within 48 hours of a confirmed breach
- GDPR-required supervisory authority notification within 72 hours where applicable
- Post-incident report provided to affected Enterprise customers within 14 days
- Incident response contact: security@draxion.io
Employee Security
- Background checks for all employees with access to production systems
- Security awareness training completed annually by all staff
- Acceptable use policy covering all devices and systems
- Offboarding procedures revoke all access within 24 hours of departure
Security Documentation Requests
The following documents are available to qualified customers under NDA:
- SOC 2 Type II report (when available)
- Penetration test summary report
- Data Processing Agreement
- Business Associate Agreement (HIPAA)
- EU AI Act technical documentation
- Sub-processor list with DPA details
Request security documentation: security@draxion.io