Trust Center
Noxys is designed with security and compliance as core principles. This page outlines our security posture, certifications, and regulatory roadmap.
Security Architecture
Zero-Trust Design
Noxys implements zero-trust principles:
- No implicit trust: Every request requires authentication and authorization
- Least privilege: Users and services have minimal required permissions
- Defense in depth: Multiple security layers protect data
- Continuous verification: Policies are re-evaluated for every interaction
Data Security
- Privacy by default: Raw prompts never stored, only SHA-256 hashes
- Encryption in transit: TLS 1.3 for all data in motion
- Encryption at rest: Optional full-disk encryption or application-level encryption
- No third-party data sharing: EU-only processing, zero US cloud presence
Network Security
- Private networks: Backend services run in private subnets (no direct internet access)
- Firewalls: Strict ingress/egress rules at the network level
- Rate limiting: API endpoints protected from brute-force attacks
- DDoS protection: Available through Cloudflare or AWS Shield
Certifications & Audits
Current Certifications
| Certification | Status | Details |
|---|---|---|
| ISO 27001 | Roadmap (Q3 2026) | Information security management |
| SOC 2 Type II | In progress (Q2 2026) | Security, availability, confidentiality |
| GDPR | Compliant | Data protection & privacy |
| EU AI Act | Compliant | Regulatory oversight of AI systems |
Third-Party Audits
- Annual security audits: Scheduled with external firm
- Penetration testing: Quarterly red-team exercises
- Vulnerability assessments: Continuous scanning for vulnerabilities
- Code reviews: All code changes reviewed by 2+ engineers
Compliance Roadmap
Q2 2026:
- SOC 2 Type II audit completion
- Security policy documentation published
- Incident response plan published
Q3 2026:
- ISO 27001 certification
- HIPAA readiness assessment
- PCI-DSS documentation
Q4 2026:
- HIPAA certification (if customer demand)
- NIS2 directive compliance mapping
- Multi-region penetration testing
GDPR Compliance
Noxys is designed to help you meet GDPR requirements:
| Requirement | Implementation |
|---|---|
| Data minimization | Only hashes and metadata stored, not raw content |
| Encryption | TLS 1.3 in transit, optional at rest |
| Right to erasure | Delete all user data with one API call |
| Data portability | Export data as JSON/CSV |
| Audit trails | All actions logged and immutable |
| Data residency | EU data centers only, zero US presence |
| Consent management | User consent tracked and versioned |
Data Processing Agreement
To execute a Data Processing Agreement (DPA), contact sales@noxys.eu. Noxys acts as a data processor; you are the controller.
EU AI Act Compliance
Noxys helps you comply with the EU AI Act:
Prohibited AI Systems (Article 4)
Noxys policies can enforce a ban on prohibited use cases:
- Subliminal messaging
- Real-time biometric identification (with exceptions)
- Social credit scoring without legal basis
High-Risk AI Systems (Article 9)
Noxys logs all AI usage with:
- User identity
- AI platform and model
- Content classification (PII, risk level)
- Policy decision (blocked, coached, logged)
- Timestamp
To export the audit trail: Dashboard → Audit Log → Export
Transparency Requirements (Articles 13-14)
Noxys provides:
- Clear policy documentation
- Audit trail of all decisions
- User notifications (via extension warnings)
- Admin dashboards for oversight
NIS2 Directive
For critical infrastructure, Noxys supports NIS2 requirements:
| Requirement | Implementation |
|---|---|
| Asset management | Full inventory of policies and users |
| Access control | RBAC (Admin/Viewer roles) + LDAP/SAML |
| Encryption | End-to-end TLS, optional at-rest encryption |
| Incident detection | Real-time alerts via webhooks |
| Audit logging | 1-year retention, immutable |
| Business continuity | Automated backups, disaster recovery plan |
Data Residency
EU-Only Infrastructure
All Noxys Cloud deployments are in the EU:
| Region | Provider | Location |
|---|---|---|
| Primary | AWS eu-west-1 | Ireland |
| Secondary | Azure westeurope | Netherlands |
| Tertiary | GCP europe-west1 | Belgium |
No data is stored in the US or transmitted to US-based services (except with explicit user consent).
Self-Hosted Data Sovereignty
For maximum control, self-host Noxys entirely on your infrastructure:
Your VPC / On-Premise → Noxys → Your Database
(completely isolated)
Zero external dependencies, zero data leaving your network.
Encryption Standards
In Transit (TLS)
Protocol: TLS 1.3 (mandatory)
Ciphers: AEAD (AES-256-GCM recommended)
Certificate: X.509 v3
Verification: Full certificate chain validation
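The in-transit policy above (TLS 1.3 only, full chain validation, hostname checking) is easy to state and easy to get wrong in client code. The following is an added example, not Noxys code: it builds a Python `ssl` context that satisfies the policy, a deliberately weak context of the kind that disables verification, and a small checker that reports which policy points a given context fails. The function names and the policy checks are this example's own assumptions.

```python
import ssl

# Added example (not Noxys code). Builds TLS client contexts that do and do not
# meet a "TLS 1.3 + full certificate validation" policy, and a checker for them.


def build_strict_client_context(cafile=None):
    """Return an SSLContext enforcing TLS 1.3 only and full certificate validation.

    cafile is optional; when omitted the system trust store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Pin both ends of the version range so no downgrade to TLS 1.2 or older
    # can be negotiated. All TLS 1.3 cipher suites are AEAD (e.g. AES-GCM).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # create_default_context already sets these; made explicit to document intent.
    ctx.check_hostname = True          # certificate must match the server name
    ctx.verify_mode = ssl.CERT_REQUIRED  # full chain validation against trust store
    return ctx


def build_weak_client_context():
    """The anti-pattern: accepts any certificate and allows TLS 1.2.

    check_hostname must be cleared before verify_mode, otherwise ssl raises.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def policy_violations(ctx):
    """Return human-readable reasons why ctx does not meet the TLS policy (empty if it does)."""
    problems = []
    if ctx.minimum_version != ssl.TLSVersion.TLSv1_3:
        problems.append(
            f"minimum_version is {ctx.minimum_version.name}; policy requires TLSv1_3"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED; peer chain is not validated")
    if not ctx.check_hostname:
        problems.append("check_hostname is False; certificate is not matched to the host")
    return problems


if __name__ == "__main__":
    for name, ctx in (("strict", build_strict_client_context()),
                      ("weak", build_weak_client_context())):
        print(name, policy_violations(ctx) or "meets policy")
```

Use `build_strict_client_context()` as the `context=` argument to `socket`/`http.client`/`urllib` connections; running `policy_violations` over every context your code creates is a cheap unit test that catches a stray `verify_mode = CERT_NONE` before it reaches production.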
At Rest (Optional)
Algorithm: AES-256-GCM or equivalent
Key management: Customer-managed KMS keys
Vault: HashiCorp Vault (optional)
Rotation: 90-day key rotation policy
Hashing
Algorithm: SHA-256
Use case: Prompt fingerprinting (one-way)
Non-reversible: Cannot recover original prompt
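The hashing section above and the High-Risk AI Systems logging list earlier (user identity, platform and model, classification, policy decision, timestamp) describe the same data-minimization idea: the audit record carries a one-way SHA-256 fingerprint of the prompt, never the prompt itself. The following is an added example, not Noxys code, showing that shape end to end: fingerprinting, building a record, checking that the raw text is absent from it, and matching a later prompt against known fingerprints. The record field names, the classification dictionary shape and the sample prompt are this example's own constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added example (not Noxys code). Demonstrates prompt fingerprinting with SHA-256
# and an audit record that stores only the fingerprint plus metadata.

ALLOWED_DECISIONS = {"blocked", "coached", "logged"}  # decision values named on the page


def fingerprint_prompt(prompt: str) -> str:
    """One-way SHA-256 fingerprint of a prompt (hex). The prompt cannot be recovered from it."""
    return hashlib.sha256(prompt.encode("utf-8")).hexdigest()


def build_audit_record(user, platform, model, prompt, classification, decision, ts=None):
    """Build a minimized audit record: metadata plus the prompt's fingerprint, no raw prompt.

    classification is a constructed shape, e.g. {"pii": True, "risk": "high"}.
    """
    if decision not in ALLOWED_DECISIONS:
        raise ValueError(f"unknown policy decision: {decision!r}")
    when = ts or datetime.now(timezone.utc)
    return {
        "user": user,
        "platform": platform,
        "model": model,
        "prompt_sha256": fingerprint_prompt(prompt),
        "classification": classification,
        "decision": decision,
        "timestamp": when.isoformat(),
    }


def raw_prompt_leaked(record, prompt) -> bool:
    """True if the raw prompt text appears anywhere in the serialized record."""
    return prompt in json.dumps(record)


def matches_known_fingerprint(prompt, known_hashes) -> bool:
    """Re-derive the fingerprint and look it up; this is the only operation the hash supports."""
    return fingerprint_prompt(prompt) in known_hashes


if __name__ == "__main__":
    sample = "Summarize the attached contract for ACME Corp and list the signatories"  # constructed
    rec = build_audit_record("alice@example.com", "chatgpt", "gpt-4o", sample,
                             {"pii": True, "risk": "high"}, "coached")
    print(json.dumps(rec, indent=2))
    print("raw prompt in record:", raw_prompt_leaked(rec, sample))
```

The record can still be used for what an audit trail needs (deduplicating repeat submissions, proving that a specific prompt was the one acted on) while a later data-subject export or erasure never has to touch prompt content.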
Access Control
Role-Based Access Control (RBAC)
| Role | Permissions |
|---|---|
| Admin | Create/edit policies, manage users, view audit logs, configure integrations |
| Viewer | View dashboards, interactions, audit logs (read-only) |
Single Sign-On (SSO)
Supported providers:
- Microsoft Entra ID (Azure AD)
- LDAP / Active Directory
- SAML 2.0 (any provider)
- OIDC (OpenID Connect)
Multi-Factor Authentication (MFA)
Coming in v0.5:
- TOTP (Time-based One-Time Password)
- Hardware security keys (FIDO2/U2F)
- SMS (optional)
Vulnerability Management
Responsible Disclosure
If you discover a security vulnerability:
- Email security@noxys.eu (monitored 24/7)
- Do not disclose publicly or in GitHub issues
- Include: Details, reproduction steps, affected versions
- Expect: Response within 24 hours for critical issues
Disclosure Policy
- Critical: Fix within 48 hours, security advisory within 72 hours
- High: Fix within 7 days, advisory within 10 days
- Medium: Fix within 30 days
- Low: Fix in next release
Vulnerability Tracking
- Scanning: Continuous scanning with tools such as Snyk and Dependabot
- Patching: Immediate patching of critical dependencies
- Transparency: Security advisories published at https://security.noxys.eu
Security Practices
Development
- Code review: All changes reviewed by 2+ engineers
- SAST: Static analysis with Semgrep, SonarQube
- DAST: Dynamic testing in staging environment
- Dependency scanning: Continuous updates to dependencies
Operations
- Secrets management: HashiCorp Vault or cloud provider KMS
- Infrastructure as code: Terraform / Helm for reproducible deployments
- Monitoring: 24/7 monitoring with alerts
- Incident response: Documented runbooks for all critical scenarios
Personnel
- Background checks: For all employees with data access
- Training: Annual security awareness training
- Least privilege: Access limited to what's needed
- Logging: All privileged actions logged and audited
Compliance Checklist
Use this to verify Noxys alignment with your security requirements:
- ✅ Data never leaves EU (cloud) or stays on-premise (self-hosted)
- ✅ Raw prompts never stored, only SHA-256 hashes
- ✅ TLS 1.3 encryption in transit
- ✅ Optional full-disk encryption at rest
- ✅ GDPR-compliant data handling
- ✅ EU AI Act compliance features
- ✅ Audit logging (immutable, 1-year retention)
- ✅ RBAC with SSO support
- ✅ Backup & disaster recovery
- ✅ Incident response plan
- ✅ Vulnerability disclosure program
- ✅ Regular security audits
Security Resources
- Security Policy: [Available on request]
- Privacy Policy: https://noxys.eu/privacy
- Terms of Service: https://noxys.eu/terms
- Incident Response: See "Reporting a Security Issue" below
- Compliance documentation: sales@noxys.eu
Reporting a Security Issue
DO NOT post security vulnerabilities in public channels.
Responsible Disclosure
Email security@noxys.eu with:
- Title: Concise vulnerability description
- Description: Technical details and impact
- Reproduction: Steps to reproduce (if applicable)
- Affected versions: Which Noxys versions are affected
- Fix suggestion (optional): If you have a fix in mind
Response Timeline
- Immediate: Security team acknowledges receipt (within 1 hour)
- 24 hours: Initial assessment and impact rating
- 48 hours: Security fix released (critical only)
- 10 days: Public security advisory (after fix is deployed)
Bug Bounty Program
Currently, Noxys does not offer a formal bug bounty program. However, we recognize and credit security researchers in our security advisories.
Next Steps
Questions about our security posture? Email security@noxys.eu or sales@noxys.eu.