Security at Auditex
Auditex is compliance infrastructure for financial institutions. Security is not a feature — it is the foundation. Every architectural decision is made with the assumption that the data we handle is sensitive.
Data isolation
Every tenant's data is isolated at the database level using row-level scoping. No tenant can access another tenant's records under any circumstances.
API keys are scoped to a single tenant. A compromised key cannot be used to access any other tenant's data.
All queries include tenant_id as a mandatory filter — it is architecturally impossible to retrieve cross-tenant data.
Encryption
All data in transit is encrypted using TLS 1.2 or higher. We do not support unencrypted HTTP connections in production.
Data at rest is encrypted using AES-256 on our Postgres database hosted on Railway.
Session tokens are cryptographically signed using a secret key that is rotated periodically.
Immutability
Decision records are written once and cannot be modified or deleted. This is a core architectural constraint, not a policy.
Immutable records provide a verifiable chain of custody from model output to regulatory submission.
Timestamps are recorded at capture time using UTC and cannot be altered after the fact.
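An added illustration (example code, not Auditex's own) of the two guarantees above: a query helper that derives tenant_id from the API key and binds it as a mandatory filter on every read, and database triggers that reject any update or delete of a decision record. It assumes SQLite and a constructed two-tenant dataset with hypothetical key names.

```python
import sqlite3

# Constructed sample: two tenants, one API key each (assumed, not Auditex's real schema).
API_KEYS = {"key-acme": "acme", "key-globex": "globex"}

SCHEMA = """
CREATE TABLE decision_records (
    id INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    model_output TEXT NOT NULL,
    captured_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'))
);
-- Immutability lives in the database: any UPDATE or DELETE aborts, whoever issues it.
CREATE TRIGGER no_update BEFORE UPDATE ON decision_records
BEGIN SELECT RAISE(ABORT, 'decision records are immutable'); END;
CREATE TRIGGER no_delete BEFORE DELETE ON decision_records
BEGIN SELECT RAISE(ABORT, 'decision records are immutable'); END;
"""
COLS = "SELECT id, tenant_id, model_output FROM decision_records WHERE tenant_id = ?"

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO decision_records (tenant_id, model_output) VALUES (?, ?)",
                     [("acme", "approve"), ("acme", "review"), ("globex", "deny")])
    return conn

def tenant_for_key(api_key):
    """The tenant is derived from the credential, never from a request parameter."""
    if api_key not in API_KEYS:
        raise PermissionError("unknown API key")
    return API_KEYS[api_key]

def list_records(conn, api_key):
    """tenant_id is bound as a mandatory filter; there is no unscoped variant of this query."""
    return conn.execute(COLS + " ORDER BY id", (tenant_for_key(api_key),)).fetchall()

def get_record(conn, api_key, record_id):
    """Lookup by id keeps the tenant filter, so another tenant's record id returns None."""
    return conn.execute(COLS + " AND id = ?", (tenant_for_key(api_key), record_id)).fetchone()

def write_rejected(conn, sql, params=()):
    """True when the database itself refuses the write (the immutability triggers firing)."""
    try:
        conn.execute(sql, params)
        return False
    except sqlite3.DatabaseError:
        return True
```

Because the filter is applied in the helper and the tenant comes from the key, a caller holding one tenant's key gets None for another tenant's record id rather than the record, and a successful write can only ever be an insert.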
Authentication and access
Portal access requires email and password authentication with bcrypt-hashed passwords.
Session management uses signed, server-side cookies with configurable expiry.
Rate limiting is applied to all API endpoints and login attempts to prevent brute-force attacks.
Password reset tokens expire after 2 hours and are invalidated after use.
Infrastructure
Production infrastructure is hosted on Railway (US) with automated failover and health monitoring.
Database backups are performed automatically. Point-in-time recovery is available.
We use dependency scanning and keep all packages updated to mitigate known vulnerabilities.
Production environment variables are stored securely and never committed to source control.
Compliance
Auditex is designed to help customers meet EU AI Act, GDPR, SR 11-7, and PIPEDA requirements.
We are working toward SOC 2 Type II certification. Contact us for our current compliance status.
All data processing activities are documented and available to customers on request.
Responsible disclosure
If you discover a security vulnerability in Auditex, please report it responsibly to hello@auditex.ca.
We will acknowledge your report within 24 hours and work to resolve verified issues promptly.
We do not pursue legal action against researchers who report issues in good faith.
Security questions or concerns? Contact us at hello@auditex.ca