Security at Ataraxia GRC

Infrastructure & Hosting

• Hosted on Vercel (SOC 2 compliant)
• Database on Supabase (SOC 2 Type II, encrypted at rest with AES-256)
• All data encrypted in transit via TLS 1.2+
• Cloudflare DNS and DDoS protection

Authentication & Access

• Supabase Auth with TOTP multi-factor authentication
• Session management with 24-hour inactivity timeout
• Role-based access control (Owner, Admin, Contributor, Viewer)
• All sessions require re-authentication on new devices

Data Protection

• Row-Level Security (RLS) on all database tables
• Organization-scoped data isolation — no cross-tenant access
• Evidence files stored in private buckets with signed URLs (15-minute expiry)
• No CUI (Controlled Unclassified Information) stored on our platform — Ataraxia is a compliance management tool, not a CUI repository

Application Security

• Input validation on all API endpoints
• Rate limiting on all routes
• Content Security Policy headers
• CSRF protection on mutation endpoints
• Regular dependency auditing
• Immutable audit trail for all compliance data changes

Compliance

• Pursuing SOC 2 Type II certification
• GDPR and CCPA compliant data handling
• Data export and deletion available on request
• 3-year audit trail retention

Incident Response

• Security incidents are investigated within 24 hours
• Affected customers notified within 72 hours
• Post-incident reports provided for material incidents

For our full incident response procedures, see our Incident Response Policy.

Responsible Disclosure

Report vulnerabilities to security@ataraxiagrc.com. See our Vulnerability Disclosure Policy for details.

Contact

Security questions: security@ataraxiagrc.com