Security

Last updated: August 2025

1. Overview

Fruxon is built with a security-by-design approach. We combine strong data protection controls, least-privilege access, continuous monitoring, and a documented incident response program to safeguard your data. Our goal is to be **SLA-ready** and **audit-friendly** for teams operating in production.

2. Data Encryption

• Encryption in transit using TLS 1.2+.

• Encryption at rest for databases, object storage, and backups.

• Key management via cloud KMS; restricted access and rotation policies.

3. Network & Infrastructure Security

• Environment isolation (prod, staging, dev) with separate networks and secrets.

• Ingress via load balancers and WAF; least-exposed services.

• Hardened baselines; automated infrastructure as code.

• Regular backups with periodic restore testing.

4. Application Security

• Role-Based Access Control (RBAC) and scoped API tokens.

• Input validation, output encoding, and strict dependency pinning.

• Secrets stored in a managed secrets manager; never committed to code.

• Protection against common web risks (authZ/authN, CSRF, SSRF, injection).

5. Secure Development Lifecycle

• Peer reviews and mandatory CI checks for all changes.

• Static analysis (SAST) and dependency scanning in CI.

• Infrastructure-as-code policy checks before deploy.

• Change management with approvals and deterministic versioning.

6. Vulnerability Management & Patching

• Continuous vulnerability scanning of images, hosts, and dependencies.

• Risk-based patching SLAs; emergency patch paths for critical issues.

• Periodic third-party penetration tests (summary available upon request).

7. Identity & Access Management

• SSO/SAML/OIDC for enterprise plans (where supported).

• Least-privilege, just-in-time access; MFA required for production access.

• Strong segregation of duties; auditable access reviews.

8. Logging, Monitoring & Alerting

• Centralized, tamper-resistant logs for auth, changes, and system actions.

• Metrics and traces for performance, errors, and unusual activity.

• 24/7 alerting on critical signals with on-call escalation.

9. Business Continuity & Disaster Recovery

• Documented BCDR plan; regular exercises and post-mortems.

• Redundant infrastructure components and data backups.

• RTO/RPO targets defined by plan and customer tier.

10. Incident Response

We maintain an incident response plan covering triage, containment, eradication, recovery, and post-incident review. Where required, we notify customers and/or authorities.

11. Compliance & Trust

• SOC 2–friendly architecture and controls (audit trails, RBAC, change management).

• Data Processing Addendum (DPA) available for customers that process personal data.

• Privacy practices described in our Privacy Policy.

See: Privacy Policy · DPA · Subprocessors.

12. Subprocessors & Data Transfers

We engage carefully selected subprocessors to provide hosting, analytics, and other services. Each subprocessor is subject to contractual obligations to safeguard data and follow our instructions.

Current list: /subprocessors.

13. Responsible Disclosure

We welcome reports from security researchers. If you believe you’ve found a vulnerability, please email us with details and reproduction steps. Do not access or modify data that does not belong to you, and avoid any actions that could degrade service.

Report issues to security@fruxon.com. If you need to encrypt your message, request our PGP key in that email.

14. Contact

For security questions, incident notifications, or compliance inquiries, contact: security@fruxon.com.