Security Architecture

Defense-in-depth woven into every layer of the stack.

Row-Level Security (RLS)

We don't rely on application logic alone. Postgres itself scopes every query by `organization_id`, so tenant isolation is enforced by the database engine rather than by application code alone.
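A sketch of how this kind of `organization_id` scoping is typically expressed in Postgres, added here as an illustration and not taken from Boundrix's schema. The table `provider_credentials`, the role `app_user`, the session setting `app.current_org_id` and the UUIDs are hypothetical.

```sql
-- Hypothetical tenant table; only the organization_id column name comes from the page.
CREATE TABLE provider_credentials (
    id              bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    organization_id uuid NOT NULL,
    label           text NOT NULL
);

-- ENABLE turns policies on; FORCE also applies them to the table owner,
-- who would otherwise bypass RLS silently.
ALTER TABLE provider_credentials ENABLE ROW LEVEL SECURITY;
ALTER TABLE provider_credentials FORCE ROW LEVEL SECURITY;

-- USING filters rows that can be read, updated or deleted.
-- WITH CHECK rejects writes that would place a row in another tenant.
-- current_setting(..., true) yields NULL when unset and NULLIF maps '' to NULL,
-- so a session with no tenant context matches no rows (fails closed).
CREATE POLICY tenant_isolation ON provider_credentials
    FOR ALL
    USING      (organization_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid)
    WITH CHECK (organization_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid);

-- The application connects as a role that cannot bypass policies.
CREATE ROLE app_user LOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON provider_credentials TO app_user;

-- Checks worth automating: RLS is enabled and forced, and the role has no bypass.
SELECT relname, relrowsecurity, relforcerowsecurity
  FROM pg_class WHERE relname = 'provider_credentials';
SELECT rolname, rolsuper, rolbypassrls
  FROM pg_roles WHERE rolname = 'app_user';

-- Per request, as app_user: bind the tenant for this transaction only
-- (third argument true = transaction-local, safe with pooled connections).
BEGIN;
SELECT set_config('app.current_org_id',
                  '11111111-1111-1111-1111-111111111111', true);  -- constructed UUID
SELECT id, label FROM provider_credentials;  -- returns only this tenant's rows

-- Cross-tenant write: rejected with
-- "new row violates row-level security policy for table provider_credentials".
INSERT INTO provider_credentials (organization_id, label)
VALUES ('22222222-2222-2222-2222-222222222222', 'other tenant');  -- constructed UUID
ROLLBACK;
```

The policy trusts whatever value the session sets, so the tenant id passed to `set_config` must come from the authenticated session on the server side, never from request input. Superusers and roles with `BYPASSRLS` are not subject to policies, which is why the two catalog checks belong in deployment tests.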

Envelope Encryption

Sensitive provider credentials are encrypted using AES-256-GCM with unique Initialization Vectors (IVs) per record. Keys are managed separately from data.

Non-Recoverable Secrets

Boundrix API keys are stored as cryptographic hashes. We literally cannot see your API keys after they are generated.

Immutable Audit Logs

Critical actions (Contract Changes, Member Invites, Policy Overrides) are written to a tamper-evident append-only ledger (`audit_logs`) for compliance forensics.

Compliance Roadmap

  • SOC 2 Type II: We have implemented all requisite controls (Audit Logs, RLS, Encryption) and are currently preparing for our inaugural audit window (Q3 2026).
  • GDPR/CCPA: Platform architecture supports full data subject rights (Right to be Forgotten) and region-locking for EU/US residency.
  • Penetration Testing: We conduct internal gray-box assessments and are scheduling third-party validation.

Vulnerability Disclosure

We operate a private vulnerability disclosure program. If you identify a potential security issue, please contact us at security@boundrix.ai.