Back to Draxion
Legal
Draxion, Inc.draxion.io

Security at Draxion

Last updated: May 31, 2025

Security questions and vulnerability reports: security@draxion.io — we respond within 1 business day. For vulnerabilities, please review our Responsible Disclosure Policy before reporting.

1. Our Approach

Draxion is an AI governance and cybersecurity platform trusted by enterprise security teams to monitor and govern AI tool usage across their organizations. We apply the same security rigor to protecting your data that our platform applies to governing yours.

Security is not a compliance checkbox at Draxion — it is a core architectural principle. Every design decision, from database query patterns to AI prompt construction, is made with security as a first-order constraint.

2. Infrastructure Security

2.1 Hosting and Architecture

  • Application hosted on Vercel with global CDN, automatic DDoS mitigation, and edge network protection across 100+ regions.
  • Database hosted on Supabase (PostgreSQL) with automated daily backups, point-in-time recovery up to 7 days, and multi-region replication.
  • All infrastructure components operate within SOC 2 Type II certified data centers.
  • 99.9% uptime SLA on Professional and Enterprise plans. Status available at hello@draxion.io on request.

2.2 Network Security

  • All traffic encrypted with TLS 1.3. Unencrypted HTTP connections are rejected and redirected to HTTPS.
  • API rate limiting enforced via Arcjet on all endpoints — including authentication, platform API, and webhook routes.
  • CORS policies restrict cross-origin requests to explicitly authorized domains only.
  • Webhook payloads validated with cryptographic HMAC signatures to prevent tampering.
  • Content Security Policy (CSP) headers set on all application responses.

3. Data Security

3.1 Encryption

  • In transit: TLS 1.3 with forward secrecy for all connections between client, Chrome extension, and server.
  • At rest: AES-256 encryption for all stored data via Supabase managed encryption. Encryption keys are managed by Supabase and rotated automatically.
  • Secrets: All credentials, API keys, and configuration secrets managed via Doppler. Zero plaintext secrets exist in the codebase, environment files, or version control history.

3.2 Data Isolation

  • Row-level security (RLS) policies are enforced on every database table. No query can return data belonging to a different organization — this is enforced at the database layer, not application layer.
  • All database queries specify exact columns. No SELECT * queries are permitted anywhere in the codebase. This is enforced via automated code review gates on every pull request.
  • Organization identifiers are validated on every API request at the middleware layer — before any business logic executes.
  • Cross-organization data access is architecturally impossible — not just policy-prohibited.

3.3 Audit Logging

  • All data access, modifications, and administrative actions are logged with full context: user identity, timestamp, IP address, and action type.
  • Audit logs are tamper-evident using cryptographic JWT signing. Any modification to a log entry invalidates the signature and is immediately detectable.
  • Logs are stored separately from primary application data and are immutable once written.
  • Retention: audit events are retained for 24 months. Access logs are retained for 90 days.

4. Application Security

  • TypeScript strict mode enforced across the entire codebase with a zero-error build policy. No type suppressions (ts-ignore, any casts) are permitted without documented justification.
  • Automated security gates run on every code push via CI/CD pipeline before any deployment reaches production.
  • Prompt injection defense: All LLM inputs structurally separate user-controlled data from system prompts. Customer personal data is never passed directly into AI model prompts.
  • Per-organization AI token budgets with circuit breakers prevent abuse and runaway costs from affecting other customers.
  • Input validation on all API endpoints with strict schema enforcement using Zod. Malformed requests are rejected before reaching business logic.
  • CSRF protection on all state-mutating requests.
  • Dependency scanning via automated tooling. Known vulnerable packages are flagged and updated within 7 days of disclosure.

5. Access Control

  • Authentication managed via Clerk with configurable session timeouts, MFA support, and session revocation.
  • Three-tier role-based access control: Owner, Admin, and Member — with granular permission scoping at the organization level.
  • Multi-factor authentication is available on all plans and enforced by default on Enterprise plans.
  • All Draxion employee access to production systems requires MFA and is individually logged. No shared credentials are used.
  • Principle of least privilege is applied to all internal access. Engineers access only the production resources required for their specific role.
  • Production database access for Draxion engineers requires documented justification and is time-limited.
  • Employee offboarding procedures revoke all system access within 4 hours of departure.

6. Chrome Extension Security

The Draxion Chrome extension is the primary data collection surface. It is subject to additional security controls:

  • The extension operates with minimum required permissions. It does not request access to browsing history, bookmarks, downloads, or any data outside the specific AI tool domains it is configured to monitor.
  • DLP scanning occurs entirely client-side in the browser. Raw content of employee inputs to AI tools is never transmitted to Draxion servers — only the classification result (e.g. “PII detected”) is reported.
  • The extension communicates with Draxion servers exclusively over TLS 1.3. All API calls include authentication tokens validated server-side on every request.
  • Extension code is reviewed before every release and submitted to Google's Chrome Web Store review process.

7. Compliance Posture

FrameworkStatusDetail
SOC 2 Type IIAudit in ProgressAudit scheduled Q4 2026. Security architecture built to SOC 2 Trust Service Criteria. Architecture documentation available under NDA upon request.
GDPRCompliantData Processing Agreement available. Standard Contractual Clauses in place for all international transfers. Privacy by design implemented throughout the architecture.
EU AI ActAlignedTechnical documentation complete. Risk classification assessment conducted. Available under NDA.
HIPAACapableBusiness Associate Agreement available for healthcare customers on Professional and Enterprise plans. PHI handling controls implemented.
ISO 27001AlignedControls mapped to ISO 27001:2022 Annex A. Formal certification audit planned for 2026.
NIST AI RMFAlignedGovern, Map, Measure, and Manage functions implemented and documented.

8. Incident Response

Draxion maintains a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. Key commitments:

  • Personal data breaches affecting Customer data are notified to the affected Customer within 48 hours of confirmation.
  • Where GDPR Article 33 applies, Draxion will assist the Customer in preparing supervisory authority notification within the 72-hour regulatory deadline.
  • Post-incident reports are provided to affected Enterprise customers within 14 days of incident closure.
  • Security incident contact: security@draxion.io

9. Employee Security

  • Background verification for all employees and contractors with access to production systems or customer data.
  • Security awareness training completed by all staff at onboarding and annually thereafter.
  • Acceptable use policy governing all devices, systems, and data handling practices.
  • Offboarding procedures revoke all access within 4 hours of departure confirmation.
  • Personal devices used for work must meet minimum security standards including full-disk encryption and screen lock.

10. Vulnerability Disclosure

Draxion operates a responsible disclosure program. If you believe you have discovered a security vulnerability in any Draxion system, please review our full Responsible Disclosure Policy before reporting.

We commit to:

  • Acknowledging all vulnerability reports within 2 business days.
  • Providing a substantive response within 10 business days including our assessment and remediation timeline.
  • Not pursuing legal action against researchers who act in good faith and follow our disclosure policy.
  • Crediting researchers in our security acknowledgments with their permission.

Report vulnerabilities to: security@draxion.io

11. Security Documentation Requests

The following documents are available to qualified customers and prospects under NDA:

  • SOC 2 Type II report (when available — Q4 2026)
  • Penetration test executive summary report
  • Data Processing Agreement
  • Business Associate Agreement (HIPAA — healthcare customers only)
  • EU AI Act technical documentation
  • Sub-processor list with DPA details
  • Security architecture overview

Request security documentation: security@draxion.io

12. Contact

For all security enquiries, vulnerability reports, and documentation requests:

Draxion, Inc.
Security Team
security@draxion.io

For privacy and data protection enquiries specifically: privacy@draxion.io