Trust Center

Security, privacy, and compliance at Draxis.ai

Overview

Security is foundational to everything we build at Draxis.ai. As a cyber risk intelligence platform, we hold ourselves to the highest standards of data protection, operational security, and transparency. This page provides a centralized view of our security practices, policies, and compliance posture.

Security Architecture

  • Data Isolation: Database-per-tenant architecture ensures complete physical separation of customer data. No tenant can access another tenant's data.
  • Authentication: RS256 JWT tokens with short-lived access tokens (15 min) and auto-rotating refresh tokens. TOTP-based MFA with AES-256-GCM encrypted secrets.
  • Access Control: Four-tier role-based access control (Super Admin, Tenant Admin, Analyst, Viewer) enforced at both API and UI layers.
  • Transport Security: All data in transit is encrypted via TLS. Cookies use HttpOnly and Secure attributes with CSRF protection.
  • Audit Logging: Immutable audit logs capture all security-relevant events including login activity, MFA changes, user management, and data access.
  • Rate Limiting: Authentication endpoints are rate-limited to prevent brute-force and credential-stuffing attacks.
  • SSO-Ready: Architecture supports SAML 2.0 and OIDC for enterprise single sign-on integrations.

Infrastructure

  • Cloud Provider: Hosted on Amazon Web Services (AWS) with data residency in the United States.
  • Encryption at Rest: All data at rest is encrypted using AES-256.
  • Backups: Automated daily backups with point-in-time recovery capabilities.
  • Deployment: Containerized via Docker with infrastructure-as-code provisioning. Supports self-hosted deployment for customers requiring on-premises control.

Secure Software Development Lifecycle (SDLC)

Draxis.ai enforces a security-first development lifecycle where every line of code is scanned, validated, and gated before it reaches production. Our SDLC integrates automated security controls at every stage to prevent vulnerabilities from being introduced, not just detected after the fact.

AI-Powered Code Security with Claude Code:

All development at Draxis is performed with Claude Code Security integrated directly into the development workflow. Claude Code acts as a real-time security gate that:

  • Static Analysis at Write-Time: Every code change is scanned in real time for security vulnerabilities including injection flaws, authentication bypasses, insecure cryptographic usage, hardcoded secrets, and OWASP Top 10 risks.
  • Blocking on Commit: Insecure code patterns are blocked before they can be committed to the repository. Developers receive immediate, actionable remediation guidance inline.
  • Dependency Scanning: Third-party packages and dependencies are evaluated for known CVEs and supply chain risks before inclusion.
  • Context-Aware Review: Unlike traditional SAST tools, Claude Code understands the full application context — data flows, authentication boundaries, and tenant isolation requirements — enabling detection of logic-level vulnerabilities that pattern-based scanners miss.

Development Pipeline Controls:

  • Pre-Commit Hooks: Automated security scanning runs on every commit. Code that introduces vulnerabilities, secrets, or insecure patterns is rejected at the gate.
  • Pull Request Review: All pull requests undergo automated security analysis in addition to peer code review. Security findings must be resolved before merge.
  • CI/CD Security Gates: The continuous integration pipeline includes security test suites that must pass before deployment. Failed security checks block the release pipeline.
  • Infrastructure-as-Code Scanning: Docker configurations and deployment manifests are scanned for misconfigurations, excessive permissions, and insecure defaults.

Ongoing Security Practices:

  • Least Privilege by Default: All code follows the principle of least privilege for database access, API permissions, and inter-service communication.
  • Secrets Management: No secrets are stored in source code. All credentials, API keys, and encryption keys are managed through secure environment injection and encrypted vaults.
  • Continuous Monitoring: Production deployments are monitored for anomalous behavior, and security patches are applied on an accelerated timeline.

Sub-Processors

Draxis.ai uses the following third-party sub-processors to deliver our Services. We evaluate each sub-processor for security and privacy compliance before engagement.

Sub-Processor Purpose Data Processed Location
Anthropic (Claude API) AI-powered risk advisor and vCISO functionality User queries, organizational risk context (per-session; not used for model training) United States
Amazon Web Services (AWS) Cloud infrastructure, compute, storage, and networking All platform data (encrypted at rest and in transit) United States

We will update this list and notify affected customers at least 30 days before engaging a new sub-processor. For questions, contact privacy@draxis.ai.

Vulnerability Disclosure Policy

Draxis.ai is committed to the security of our platform and our customers' data. We welcome responsible disclosure of security vulnerabilities from the security research community.

Scope: Any internet-facing system owned or operated by Draxis.ai, including the web application, API endpoints, and supporting infrastructure.

How to Report: Send your findings to security@draxis.ai. Please include:

  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Any supporting evidence (screenshots, proof-of-concept code)

Our Commitment:

  • We will acknowledge receipt of your report within 48 hours
  • We will provide an initial assessment within 5 business days
  • We will keep you informed of our progress toward remediation
  • We will not take legal action against researchers who act in good faith
  • We will credit researchers (with permission) when we disclose resolved vulnerabilities

Guidelines:

  • Do not access, modify, or delete data belonging to other users
  • Do not perform denial-of-service testing
  • Do not engage in social engineering against Draxis employees
  • Allow reasonable time for remediation before public disclosure

Our machine-readable security policy is available at /.well-known/security.txt per RFC 9116.

Data Privacy

  • No Cross-Tenant Data Sharing: Customer data is never shared between tenants or used for analytics across organizations.
  • No Model Training: Customer data is never used to train AI models. Anthropic's Claude API processes queries without retaining data for training.
  • Minimal Data Collection: We collect only essential cookies for authentication. No third-party tracking or advertising pixels.
  • Data Portability: Customers can export their data at any time through the platform's Settings interface.
  • Data Deletion: When a tenant is deleted, its entire database is permanently removed.

For full details, see our Privacy Policy.

Compliance

Draxis.ai is designed with compliance in mind. Our security controls align with:

  • SOC 2 Type II: Controls mapped to Trust Service Criteria (pursuit in progress)
  • GDPR: Data processing practices designed for compliance with EU data protection requirements
  • CCPA: Consumer rights supported including access, deletion, and portability

Contact

For security concerns or vulnerability reports:

security@draxis.ai

For privacy or data protection inquiries:

privacy@draxis.ai

For general questions:

hello@draxis.ai