Security at Ataraxia
Your compliance data deserves enterprise-grade protection. We build security into everything we do.
Encryption at Rest & Transit
All data is encrypted using AES-256 at rest and TLS 1.3 in transit. We use FIPS 140-2 validated encryption modules.
Secure Infrastructure
Hosted on enterprise-grade cloud infrastructure with SOC 2 Type II certified data centers.
Access Controls
Role-based access control (RBAC), multi-factor authentication, and comprehensive audit logging.
Compliance First
We practice what we preach. Ataraxia GRC is pursuing a SOC 2 Type II attestation and CMMC Level 2 certification.
Certifications & Compliance
- SOC 2 Type II: in progress (target 2026)
- CMMC Level 2: planned (2026)
- ISO 27001: planned (2027)
Subprocessors
The third-party services that process customer data on our behalf.
| Service | Purpose | Data Processed | Certification |
|---|---|---|---|
| Supabase | Database and authentication | Account data, assessment responses, org settings | SOC 2 Type II |
| Vercel | Application hosting and CDN | Application code, static assets | SOC 2 Type II |
| Anthropic | AI document generation | Assessment context for SSP/policy generation (no CUI) | Enterprise security program |
| Stripe | Payment processing | Payment method tokens (no card numbers stored by us) | PCI DSS Level 1 |
| Cloudflare | DNS, CDN, DDoS protection | Traffic metadata | SOC 2 Type II, ISO 27001 |
| Resend | Transactional email | Email addresses, notification content | SOC 2 Type II |
| Sentry | Error monitoring | Application errors, stack traces (no customer data) | SOC 2 Type II |
| Upstash | Rate limiting | Request counts, IP hashes | SOC 2 Type II |
OWASP Top 10 Protection
- Injection prevention via parameterized queries (Supabase client)
- XSS prevention via React automatic escaping and Content Security Policy headers
- Broken authentication prevention via Supabase Auth with TOTP MFA and session management
- Sensitive data exposure prevention via AES-256 at rest and TLS in transit (TLS 1.2 minimum, TLS 1.3 preferred)
- Security misconfiguration prevention via automated headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
- Insecure deserialization and malformed-input prevention via Zod schema validation on all API inputs: request bodies are parsed as plain JSON and rejected unless they match the expected schema
- Insufficient logging and monitoring prevention via an immutable audit trail of all state changes
AI Security
- AI generates compliance language only (SSP descriptions, policy text, remediation playbooks)
- AI never determines compliance status, SPRS scores, or audit decisions
- SPRS scoring is fully deterministic via the rules engine, never involves AI
- AI copilot refuses to process content containing CUI indicators
- Anthropic does not train on API customer data per their commercial terms
- AI-generated content is flagged with an ai_generated marker for human review
Change Management
- All source code tracked in a version-controlled Git repository
- Automated CI/CD pipeline runs typecheck, lint, test, and build verification on every commit
- No direct production database access — all changes go through application code or migrations
- All schema changes via numbered, reviewable Supabase migrations
- 260+ commits with full history and audit trail
Data Lifecycle
- Customer data retained for the duration of the subscription plus 30 days
- Complete account and data deletion available via in-app settings or support request
- Automated daily database backups with point-in-time recovery (Supabase)
- Data portability: export assessment data, SSP, POA&M, evidence, and shared responsibility matrix at any time
Leaked Password Protection
- All passwords checked against the HaveIBeenPwned Pwned Passwords database on signup, invite signup, password reset, and password change
- Uses k-anonymity: only the first 5 hex characters of the SHA-1 hash are sent to the Pwned Passwords range API; the service returns every known hash suffix under that prefix, and the match is made locally, so full passwords and full hashes never leave the browser
- Compromised passwords are rejected before the account is created or the password is updated
Security Questions?
Our security team is available to discuss our practices in detail.
security@ataraxiagrc.com