Built to earn your trust.
You are giving Corax access to your infrastructure. That is a serious responsibility. Here is exactly how we handle your data, protect your credentials, and earn the right to operate in your environment.
Compliance certifications
Our compliance roadmap reflects the industries we serve: healthcare, finance, government, and managed services.
SOC 2 Type II
Status: In Progress
Pursuing SOC 2 Type II certification covering the Security, Availability, and Confidentiality trust service criteria. Audit engagement underway.
Target: 2026
HIPAA Compliance
Status: Architecture Ready
Platform architecture supports HIPAA requirements: encryption at rest and in transit, audit logging, access controls, and BAA availability. On-premises deployment option for PHI isolation.
Target: Available now
PCI DSS
Status: Architecture Ready
Credential Enclave architecture meets PCI requirements for credential handling. No cardholder data is stored in AI context. Automated PCI compliance scanning is available via the Auditor module.
Target: Available now
ISO 27001
Status: Planned
ISO 27001 certification is planned following SOC 2 completion. Information security management system documentation is in development.
Target: 2027
How we handle your data
Clear, specific answers about data storage, access, processing, and retention.
Data Storage
- PostgreSQL database with SSL/TLS encryption in transit
- AES-256-GCM encryption for credentials at rest
- Redis with TLS for caching and job queues
- Data residency: US East (default), on-premises option available
- Automated backups with point-in-time recovery
Data Access
- Organization-scoped queries enforce tenant isolation
- Role-based access control with least-privilege defaults
- Platform admin access requires explicit impersonation (audit-logged)
- No shared database credentials between tenants
- API authentication via Auth0 JWT with custom domain
Data Processing
- AI engine never receives credential values (Credential Enclave)
- Telemetry data processed within tenant boundary
- LLM governance controls restrict AI provider routing per org
- On-premises AI inference available for regulated environments
- Post-execution leak scanning on all AI output
Data Retention
- Configurable retention policies per organization
- Default audit log retention: 7 years (enterprise)
- Litigation hold support prevents deletion of held records
- Account deletion removes all org data within 30 days
- No data shared with third parties for training or analytics
Privacy principles
Minimal Data Collection
Corax collects only the data necessary to monitor and manage your infrastructure. We do not sell, share, or use customer data for advertising, training AI models, or any purpose beyond delivering our service.
Your Data, Your Control
You own your data. Export it at any time. Delete your account and all data is purged within 30 days. Enterprise customers can deploy fully on-premises so data never leaves their network.
Transparent AI
Every AI decision is logged with full reasoning. You can review what Corax detected, how it triaged, what it decided, and why. No black box. A 5-agent deliberation quorum explains its reasoning before critical actions.
Vendor security assessment
We understand that adopting a new platform requires due diligence. We are happy to complete your vendor security questionnaire, provide architecture documentation, schedule a technical deep-dive with your security team, or arrange a penetration test review. Whatever your procurement process requires, we will support it.
Ready to evaluate Corax?
Book a security-focused demo or send us your vendor assessment questionnaire. We will get it back to you within 48 hours.