Security at Auditrax.
Defence-in-depth controls, third-party attestations and continuous monitoring — because we audit the auditors. This page is the source of truth for our security posture and is reviewed quarterly by our Information Security Steering Committee.
Certifications & attestations
- ISO/IEC 27001:2022 — Information Security Management System. Annual surveillance, three-year recertification.
- ISO/IEC 27017:2015 — Cloud-specific information security controls.
- ISO/IEC 27018:2019 — Protection of personally identifiable information in public clouds.
- ISO/IEC 42001:2023 — AI Management System (in progress; certification audit Q3 2026).
- SOC 2 Type II — annual report covering Security, Availability and Confidentiality trust criteria.
- GDPR & UK GDPR compliant — see Privacy Policy and DPA.
- Kenya Data Protection Act 2019 compliant — registered data controller and processor with the Office of the Data Protection Commissioner.
- PCI-DSS SAQ-A — no card data touches Auditrax infrastructure; Stripe handles all card processing.
Customers under NDA can request the latest SOC 2 Type II report, ISO 27001 certificate, penetration-test attestation and security questionnaire pack from security@auditrax.io.
Encryption
TLS 1.3 only on all wire transmissions; older protocols and weak ciphers are explicitly disabled at the load balancer. Data at rest is encrypted with AES-256-GCM under envelope encryption, with data-encryption keys rotated every 90 days and key-encryption keys held in AWS KMS HSMs (FIPS 140-2 Level 3 validated). Enterprise customers may bring their own KMS key (BYOK) or use an external key store via the KMS XKS interface.
Identity & access
Zero-trust architecture: every request is authenticated and authorised at the service mesh, not just at the edge. OAuth 2.1 + OIDC and SAML 2.0 for single sign-on with Azure Entra, Okta, Google Workspace, JumpCloud, ADFS and PingFederate. WebAuthn / FIDO2 for passwordless and step-up authentication. RBAC and ABAC are layered: role grants the function, attribute grants the row. Every privileged action — including Auditrax AI prompt and override — is recorded in an immutable audit log.
Tenant isolation
Hybrid multi-tenant model. Standard tier uses row-level tenant scoping enforced at the database driver layer with deny-by-default policies. Enterprise tier uses dedicated schemas or dedicated databases inside the customer-selected region. Cross-tenant queries are blocked at the driver and at the API gateway; any attempted cross-tenant read fails closed and pages on-call.
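As an added illustration (not Auditrax's code; the table, schema, tenant names and the on-call hook are assumptions), a minimal driver-layer wrapper in Python showing the deny-by-default scoping and fail-closed behaviour described above:

```python
import sqlite3

class CrossTenantRead(Exception): pass  # a row from another tenant reached the app

class TenantScopedDB:
    """Driver-layer wrapper: every read is scoped to exactly one tenant.
    Deny by default: no tenant bound means no reads at all. Fail closed: a
    foreign row reaching the app discards the result, pages on-call and raises."""

    def __init__(self, conn, tenant_id=None, page_oncall=print):
        self.conn, self.tenant_id = conn, tenant_id
        self.page_oncall = page_oncall  # assumed on-call hook interface

    def select(self, where="1=1", params=()):
        if self.tenant_id is None:
            raise PermissionError("deny-by-default: no tenant bound to connection")
        sql = f"SELECT tenant_id, id, body FROM findings WHERE ({where}) AND tenant_id = ?"
        rows = self.conn.execute(sql, (*params, self.tenant_id)).fetchall()
        return self.verify_rows(rows)

    def verify_rows(self, rows):
        """Independent post-fetch check, in case a query path missed its predicate."""
        foreign = [r for r in rows if r[0] != self.tenant_id]
        if foreign:
            self.page_oncall(f"cross-tenant read blocked for {self.tenant_id}: "
                             f"{len(foreign)} foreign row(s)")
            raise CrossTenantRead("cross-tenant read blocked; result discarded")
        return rows

def raises(fn, exc):
    """True if calling fn() raises exc (used to show the fail-closed paths)."""
    try:
        fn()
    except exc:
        return True
    return False

def demo():
    # Constructed sample data: two tenants sharing one table.
    conn, pages = sqlite3.connect(":memory:"), []
    conn.execute("CREATE TABLE findings (tenant_id TEXT, id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO findings VALUES (?, ?, ?)",
                     [("acme", 1, "acme control gap"), ("acme", 2, "acme follow-up"),
                      ("globex", 1, "globex control gap")])
    acme = TenantScopedDB(conn, "acme", page_oncall=pages.append)
    scoped = acme.select("id = ?", (1,))  # predicate injected: acme's row 1 only
    # Simulated scoping bug: a raw query with no tenant predicate leaks globex's row.
    leaked = conn.execute("SELECT tenant_id, id, body FROM findings WHERE id = 1").fetchall()
    blocked = raises(lambda: acme.verify_rows(leaked), CrossTenantRead)
    denied = raises(lambda: TenantScopedDB(conn).select(), PermissionError)
    return {"scoped": scoped, "blocked": blocked, "denied": denied, "pages": len(pages)}
```

The post-fetch check is the fail-closed layer: even if an application query bypasses the injected predicate, no foreign row is returned and the event is paged rather than silently dropped.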
Sub-processors
Each sub-processor is bound by data-processing terms equivalent to our own DPA, subject to annual security review, and listed in our public registry. Customers receive 30 days' notice of any change.
| Sub-processor | What data it touches | Region | Attestations |
|---|---|---|---|
| Amazon Web Services | Underlying compute, storage, networking | Customer-selected | SOC 1/2/3, ISO 27001/17/18, FedRAMP |
| Stripe | Billing contact + payment card data (tokenised; never on our infra) | EU / US | PCI-DSS Level 1, SOC 1/2 |
| Brevo | Transactional / marketing email metadata + content | EU | ISO 27001, GDPR-aligned |
| OpenAI | Auditrax AI prompt + completion content (zero-retention API, no training) | US | SOC 2 Type II |
| Cloudflare | CDN, DNS, edge WAF metadata | Global edge | ISO 27001, SOC 2 |
| Datadog | Operational telemetry, error traces (no customer audit content) | EU | ISO 27001, SOC 2 Type II |
Operational security
- Continuous vulnerability scanning on every build via Trivy + Grype; high/critical findings block release.
- Dependency auditing via Snyk and Dependabot, with automatic PRs and a 7-day SLA for critical CVEs.
- SAST + DAST on every pull request; SonarQube quality gates.
- Secrets scanning on every commit (Gitleaks); rotation playbook tested quarterly.
- 24/7 SOC monitoring via SIEM with detections aligned to MITRE ATT&CK; mean time to detect < 10 minutes for high-severity events.
- Quarterly tabletop exercises for incident response, with a written after-action report.
Penetration testing
Independent third-party penetration tests are conducted twice per year by a CREST-certified firm, plus targeted tests after material architectural changes. Scope includes web, API, mobile, infrastructure and the AI/LLM-specific attack surface (prompt injection, data exfiltration via outputs, jailbreaks). Attestation letters and executive summaries are available to customers under NDA.
Incident response
Auditrax operates a formal Incident Response Plan aligned to NIST 800-61. Customer-affecting incidents trigger:
- Initial customer notification within 4 hours of confirmation of a security incident materially affecting customer data, via the named-contact channel on the Order Form.
- Recovery Time Objective (RTO): 4 hours for the production tier; 8 hours for ancillary services.
- Recovery Point Objective (RPO): 15 minutes via continuous WAL streaming and cross-AZ replication.
- Status page: status.auditrax.io — real-time incident updates, with subscription via email, SMS or webhook.
- Post-incident review: written within 5 business days, shared with affected customers and posted to the status page archive.
Bug bounty & responsible disclosure
Auditrax runs a public bug-bounty programme with the following safe-harbour commitments: we will not pursue legal action against, suspend the account of, or report to law enforcement any researcher who (a) makes a good-faith effort to comply with our policy, (b) does not access or modify customer data, (c) does not perform denial-of-service or social-engineering attacks against our staff or customers, and (d) gives us reasonable time to remediate before public disclosure (90 days default).
Rewards range from US$ 200 for low-severity issues to US$ 25,000 for critical platform vulnerabilities. Report findings to security@auditrax.io using our PGP key (fingerprint published in security.txt at the root of auditrax.io).
Business continuity
Multi-AZ deployments across at least three availability zones per region. Cross-region warm standby for Enterprise tier. Backups are encrypted, immutable for 30 days (object-lock / WORM), and restore-tested monthly with documented evidence. Business Continuity Plan and Disaster Recovery Plan are reviewed annually and exercised twice yearly.
Personnel security
All Auditrax personnel undergo background checks proportionate to role, complete mandatory annual security and privacy training (with phishing simulations), and sign confidentiality and acceptable-use agreements before access is provisioned. Production-access privileges are granted on the principle of least privilege, reviewed quarterly, and revoked within 4 hours of termination.
Customer security questionnaires
We maintain a pre-completed CAIQ Lite, SIG Core and SIG Lite for fast turnaround on customer and regulator due diligence. Request from security@auditrax.io; typical return within 3 business days under NDA.
Questions?
Security questions, questionnaire requests and responsible disclosures: security@auditrax.io. Status and incident updates: status.auditrax.io.