Security That Meets Audit Standards
We built Soxfy with the same rigor we expect from our customers' controls. Your data security is our top priority.
Enterprise-Grade Security Controls
Defense in depth with multiple independently-verifiable layers of protection.
All data encrypted in transit using TLS 1.2+ and at rest using AES-256.
- TLS 1.2+ enforced — no plain HTTP accepted in production
- AES-256 disk encryption at rest (GCP platform-managed keys)
- PostgreSQL database encrypted at rest at the storage layer
- HSTS enforced on every response (max-age=31536000, includeSubDomains)
Every access request is authenticated, authorized, and isolated per user.
- bcrypt password hashing with 12 rounds (exceeds OWASP minimum of 10)
- JWT tokens validated on every request, expire after 7 days
- Email verification required before first login
- Role-based access control (RBAC): user and admin roles
- Job ownership enforced — cross-user access returns HTTP 403
Security-relevant events written to a dedicated audit log table. No PII stored.
- signup and login success / failure events logged
- file_uploaded and file_downloaded events tracked
- access_denied — unauthorized access attempts recorded
- Each entry records: user ID, IP address, user agent, timestamp
- PII (filenames, file content) intentionally excluded from logs
Every uploaded file is validated, sanitized, and scanned before processing.
- Magic byte validation — file content verified against known signatures
- Filename sanitization — path traversal characters and null bytes stripped
- Per-type size limits: PDF/CSV 10 MB, XLSX/XLS 20 MB, images 5 MB
- MIME type cross-checked against extension whitelist
- Files never served at a public URL — JWT + matching user ID required
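The upload checks listed above can be sketched as a single validation function. This is an added example, not Soxfy's code: the size limits come from the list, while the MIME strings, file signatures, accepted image types and all function names are assumptions made for illustration.

```python
import os
import re

MB = 1024 * 1024
# ext -> (expected MIME, size limit, magic prefixes or None). Limits are the
# page's; the MIME strings, signatures and all names here are assumptions.
RULES = {
    ".pdf": ("application/pdf", 10 * MB, (b"%PDF-",)),
    ".csv": ("text/csv", 10 * MB, None),  # CSV has no signature
    ".xlsx": ("application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
              20 * MB, (b"PK\x03\x04",)),
    ".xls": ("application/vnd.ms-excel", 20 * MB,
             (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",)),
    ".png": ("image/png", 5 * MB, (b"\x89PNG\r\n\x1a\n",)),
    ".jpg": ("image/jpeg", 5 * MB, (b"\xff\xd8\xff",)),
}

class UploadRejected(ValueError):
    """Raised with the reason an upload failed validation."""

def sanitize_filename(name: str) -> str:
    """Strip NUL bytes and any directory part; keep a conservative charset."""
    name = name.replace("\x00", "").replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).lstrip(".")
    if not name:
        raise UploadRejected("empty filename after sanitization")
    return name

def validate_upload(filename: str, declared_mime: str, data: bytes) -> str:
    """Return the sanitized name if every check passes, else raise."""
    safe = sanitize_filename(filename)
    ext = os.path.splitext(safe)[1].lower()
    if ext not in RULES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    mime, limit, magics = RULES[ext]
    if declared_mime.split(";")[0].strip().lower() != mime:
        raise UploadRejected("declared MIME type does not match extension")
    if len(data) > limit:
        raise UploadRejected("file exceeds the size limit for its type")
    if magics is not None and not data.startswith(magics):
        raise UploadRejected("content does not match the type's signature")
    if magics is None:  # CSV: no signature, so require NUL-free UTF-8 text
        try:
            data.decode("utf-8")
            is_text = b"\x00" not in data
        except UnicodeDecodeError:
            is_text = False
        if not is_text:
            raise UploadRejected("content is not plain UTF-8 text")
    return safe
```

A matching signature only shows that the leading bytes fit the claimed type (for XLSX, that the file is a ZIP container), which is why the list pairs it with scanning before processing.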
Deployment Options
Choose the deployment model that fits your security requirements.
Multi-tenant SaaS deployment with enterprise-grade security.
- Fully managed infrastructure
- Automatic updates and patches
- 99.9% uptime SLA
- Geographic redundancy
Dedicated infrastructure in your own cloud environment.
- Isolated infrastructure
- Your cloud account
- Customer-managed keys
- Network isolation
Deploy Soxfy within your own data center.
- Full data sovereignty
- Air-gapped deployment option
- Custom security configurations
- Enterprise support included
Compliance & Framework Alignment
Soxfy's security controls map directly to the frameworks your auditors rely on.
- SOC 2 Type II: In Progress
- PCI DSS Aligned: Req 4, 7, 8, 10
- NIST CSF Aligned: PR.AC, PR.DS, DE.CM
- NDA Ready: Yes
Your Data, Your Control
Data Ownership
You retain full ownership of your data. We process your audit evidence solely to provide the service — we never use customer data for training or any other secondary purpose.
Automatic 1-Hour Deletion
Uploaded evidence files and generated outputs are automatically purged within 60 minutes. No uploaded evidence is written to a persistent database or object store — only job metadata (status, progress) is kept in memory during the processing window.
No Public Access
Uploaded files are never served at a public URL. There is no shared storage, no search engine indexing, and no cross-customer data sharing at any layer. All downloads require a valid JWT token and a matching user ID.
Security FAQ
Is my uploaded data ever publicly accessible?
No. Soxfy never exposes uploaded files or generated outputs publicly. There are no public URLs, no shared storage, and no search engine indexing. All downloads require a valid JWT token and a matching user ID.
How long is my data retained?
Uploaded evidence files and processing outputs are automatically deleted within 1 hour. No uploaded evidence is written to a persistent database or object store — only job metadata (status, progress) is kept in memory during the processing window.
Does Soxfy use my data for AI model training?
No. Soxfy processes your audit evidence solely to provide the service. We never use customer data for training or any other secondary purpose.
How is my data isolated from other customers?
Every job is associated with the user ID of the user who created it. Status, download, and WebSocket endpoints verify ownership before serving any response. Requests from a different authenticated user return HTTP 403. No cross-customer data sharing occurs at any layer.
Is company information publicly accessible?
No. Soxfy does not expose any uploaded files or generated outputs publicly. There are no public URLs, no shared storage, and no indexing by search engines. Uploaded documents are processed within the secure Soxfy environment so the application can evaluate required attributes and generate testing outputs. As part of this process, the application makes a secure API call to Soxfy OpenAI Enterprise to analyze document content. All data is transmitted over encrypted connections, is not publicly accessible, and is not retained after processing.
Questions About Security?
Our team is happy to discuss your specific security requirements and answer any questions.