Trust & Security

Security is not a feature.
It is the foundation.

HIP™ processes the most sensitive data in existence: clinical records, financial transactions, patient identities, and institutional intelligence. Every architecture decision, every access control, and every encryption key reflects one operating principle: your data deserves infrastructure built for that responsibility.

All systems operational · No active incidents
Uptime 99.97% (30d)
Last pen test: Q4 2024
SOC 2 Type II certified
AES-256 encryption at rest
TLS 1.3 transit protocol
24/7 SOC monitoring
MFA enforced for all access
RBAC with least privilege
Zero Trust network architecture
SOC 2 Type II certified
DAST + SAST, annual pen test
HIPAA Aligned
SOC 2 Type II
GDPR / UK GDPR
ISO 27001 Aligned
NIST CSF 2.0
OWASP Top 10
CIS Controls v8
PCI DSS Aligned
Encryption: At rest, transit, per-tenant
Access Control: Zero Trust · RBAC · MFA
Infrastructure: Network isolation · WAF · DDoS
Monitoring: 24/7 SOC · SIEM · Audit logs
Resilience: DR · BCP · 99.9% SLA
Data encryption
Every byte protected: at rest, in transit, and in process

HIP™ applies layered encryption throughout the entire data lifecycle. No data is ever stored or transmitted without encryption; this is a hard architectural constraint, not a configuration option.

Layer 5, Application Layer: Field-level encryption
Sensitive PHI fields encrypted at the application layer before persistence. Searchable encryption for query support without decryption.
Controls: AES-256-GCM, Field-level
Layer 4, Database Layer: Storage encryption
All databases encrypted at rest with AES-256. Per-tenant keys managed via dedicated KMS. Key rotation on schedule or on demand.
Controls: AES-256, KMS
Layer 3, Transit Layer: TLS 1.3
All data in transit encrypted via TLS 1.3 with perfect forward secrecy. Older TLS versions explicitly disabled. HSTS enforced.
Controls: TLS 1.3, PFS, HSTS
Layer 2, Volume Storage: Disk encryption
All block and object storage volumes encrypted at the infrastructure level. Encryption keys managed independently from data.
Controls: AES-256, LUKS
Layer 1, Backup & Archive: Backup encryption
All backups encrypted before transfer to backup destinations. Backup encryption keys stored separately from backup data.
Controls: AES-256, Offsite keys
No plaintext, anywhere, ever
Encryption is applied architecturally. It cannot be disabled by configuration, user action, or administrator override at any layer. PHI is de-identified before use in any analytics function that does not require identified data.
Key Management System (KMS)
Architecture: Per-tenant key isolation
Key type: AES-256-GCM + RSA-4096
Rotation: Annual (auto) + on-demand
Customer keys: BYOK (Enterprise)
HSM backing: FIPS 140-2 Level 3
Key storage: Separate from data
Cipher suite policy
Allowed: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256
Disabled: TLS 1.0, TLS 1.1, SSL 3.0, RC4, DES, MD5, SHA-1
Certificate CT log monitoring + OCSP stapling on all public endpoints
Certificates rotated every 90 days automatically with zero-downtime deployment
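A client-side check of the cipher suite policy above, added here as an example and not CRUXIO's own tooling: it evaluates a negotiated protocol version, cipher suite and HSTS header against the allow-list stated on this page. The one-year minimum HSTS max-age and the probe() helper are assumptions, since the page states "HSTS enforced" without a max-age value.

```python
"""Evaluate a negotiated TLS session and HSTS header against the policy above."""
import http.client
import ssl

# Allow-lists as stated in the cipher suite policy on this page
ALLOWED_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}
ALLOWED_PROTOCOLS = {"TLSv1.3"}
# The page says "HSTS enforced" without a value; one year is an assumed minimum.
HSTS_MIN_MAX_AGE = 31536000


def parse_hsts(header):
    """Split 'max-age=N; includeSubDomains; preload' into a directive dict."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def evaluate(protocol, cipher, hsts_header):
    """Return the list of policy violations; an empty list means compliant."""
    findings = []
    if protocol not in ALLOWED_PROTOCOLS:
        findings.append(f"protocol {protocol} not permitted")
    if cipher not in ALLOWED_SUITES:
        findings.append(f"cipher suite {cipher} not in allow-list")
    if hsts_header is None:
        findings.append("Strict-Transport-Security header missing")
    else:
        max_age = parse_hsts(hsts_header).get("max-age")
        if max_age is None or not max_age.isdigit() or int(max_age) < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS max-age {max_age!r} below {HSTS_MIN_MAX_AGE}")
    return findings


def probe(host, port=443):
    """Observe what one endpoint negotiates with this client (needs network)."""
    ctx = ssl.create_default_context()  # OS trust store, hostname verification on
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    protocol = conn.sock.version()       # e.g. "TLSv1.3"
    cipher = conn.sock.cipher()[0]       # OpenSSL reports TLS 1.3 suites by IANA name
    hsts = resp.getheader("Strict-Transport-Security")
    conn.close()
    return evaluate(protocol, cipher, hsts)


if __name__ == "__main__":
    # Constructed, offline sample of a session that violates all three rules
    print(evaluate("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", "max-age=300"))
```

probe() sees only the single session this client negotiates, so it confirms that TLS 1.3 and an allowed suite were used but cannot by itself prove that TLS 1.0/1.1 are disabled; that requires a scanner that attempts each legacy version in turn.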
Access control & identity
No one gets in without proving who they are, and why they need access

HIP™ applies defense-in-depth access: Zero Trust at the network layer, RBAC at the application layer, and least privilege at the data layer. Every access decision is logged immutably.

Multi-Factor Authentication
MFA enforced, no exceptions
All platform access (every user, every role, every administrator) requires MFA. There is no bypass path, including for emergency or support access.
TOTP (RFC 6238) and hardware security keys (FIDO2/WebAuthn) supported
SMS-based OTP not permitted for healthcare data environments
SSO via SAML 2.0 and OIDC for enterprise IdPs (Azure AD, Okta, Ping)
Progressive lockout and CAPTCHA for brute-force protection
Role-Based Access Control
Least privilege, enforced by architecture
Every user's data access is scoped to the minimum required for their role. PHI and clinical data require explicit role assignment; no data is accessible by default after authentication.
ABAC layer for fine-grained data scoping below the role level
Separation of duties: no single user approves and executes sensitive actions
Time-limited access grants with automatic expiry for project-based access
Privileged access management (PAM) for all administrative access
Session & Token Management
Every session controlled and audited
Sessions are cryptographically signed, time-bounded, and subject to continuous behavioral monitoring. Anomalous activity triggers automatic termination.
JWT tokens: 15-min access tokens, 8-hour refresh tokens
Automatic session termination on inactivity (default: 30 minutes)
Concurrent session limits per user and per role classification
Impossible travel detection flags anomalous geographic patterns
Privileged Access Management
No standing admin access, ever
CRUXIO™ engineers have zero standing access to production systems. All privileged access is just-in-time, requires multi-party approval, is time-limited, and fully recorded.
JIT access provisioning for all production PHI environments
Dual-approval workflow for all privileged PHI access grants
All admin sessions recorded with command-level audit trail
Break-glass procedures require executive authorization and trigger immediate alerts
Zero Trust Network Architecture
Never trust. Always verify. Continuously validate.
Verify explicitly
Every access request authenticated against all available signals: identity, location, device health, service classification, and behavioral anomalies.
Least-privilege access
JIT and just-enough-access policies limit lateral movement. Users and services receive minimum access for minimum time necessary.
Assume breach
All traffic treated as potentially hostile regardless of source. Micro-segmentation and continuous monitoring assume perimeter defences may fail.
Network & infrastructure
Defense in depth: layered protection from edge to core

HIP™ infrastructure uses a layered security model. A breach of one layer does not cascade into full system compromise. Five independent protection layers defend the data plane.

Layer 1: DDoS & Edge Protection (always active)
Multi-Tbps DDoS protection at the network edge. Anycast routing distributes attack traffic globally. Automatic mitigation within 1 second. Rate limiting on all public API endpoints.
Controls: Cloudflare / AWS Shield, BGP filtering, GeoIP controls
Layer 2: Web Application Firewall (WAF) (always active)
Managed WAF rules covering OWASP Top 10, injection attacks, XSS, CSRF, path traversal, and healthcare-specific attack signatures. Custom rules tuned for the HIP™ API surface.
Controls: OWASP Top 10, Custom rulesets, Bot management
Layer 3: Network Segmentation (micro-segmented)
Production, staging, and development environments in separate VPCs with no cross-environment routing. PHI environments micro-segmented by service and data classification.
Controls: VPC isolation, Security groups, NACLs, Private subnets
Layer 4: Intrusion Detection & Prevention (IDS/IPS) (24/7)
Network-level IDS/IPS monitors all east-west traffic. Host-based IDS on all PHI-containing servers. Behavioral anomaly detection identifies lateral movement and exfiltration patterns.
Controls: NIDS/HIDS, Behavioral analytics, UEBA
Layer 5: API Security Gateway (all traffic)
All API traffic routes through a managed security gateway enforcing authentication, rate limiting, schema validation, and request/response inspection before any backend service is reached.
Controls: OAuth 2.0 / OIDC, mTLS, Rate limiting, Schema validation
Infrastructure status (live)
Platform uptime (30d): 99.97%
API availability (30d): 99.94%
Avg API response: 142ms
RTO target: < 4 hours
RPO target: < 1 hour
Regions: US East (Primary), EU West (GDPR zone), AP South (India/APAC), ME Central (UAE/KSA), AP Pacific (Australia); all Operational
Security operations center
24/7 intelligence: threats detected before they become incidents

CRUXIO™'s security operations function combines SIEM-powered automated detection with human analyst review around the clock.

Continuous monitoring
SIEM-driven detection + human SOC review
SIEM & log correlation
All application, system, network, and security logs aggregated in real-time SIEM. Correlation rules detect multi-stage attack patterns, anomalous access sequences, and data outliers. Alerts triaged within 15 minutes.
User and entity behavior analytics (UEBA)
Baseline behavioral profiles per user and service account. ML detects deviations: unusual data volumes, off-hours activity, geographic anomalies, and bulk export attempts.
Threat intelligence feeds
Real-time threat intelligence cross-referenced against observed network activity. Known malicious IPs, domains, and file hashes blocked automatically.
Cloud security posture management (CSPM)
Continuous scanning of cloud infrastructure configurations against CIS Foundations benchmarks. Misconfiguration alerts generated within minutes. Policy-as-code prevents drift.
Endpoint detection & response (EDR)
EDR agents on all servers processing PHI. Behavioral detection identifies fileless malware, living-off-the-land techniques, and process injection attacks missed by signature-based AV.
Security event feed (live SOC view)
Automated patch deployed (CVE-2024-XXXX): Resolved, 2m ago
Certificate rotation completed (api.cruxio.co): Done, 8m ago
Rate limit triggered (IP 185.x.x.x blocked): Blocked, 14m ago
MFA challenge succeeded (admin login, US-East): Verified, 22m ago
Unusual export volume (UEBA alert, closed benign): Closed, 41m ago
Backup integrity check passed (all regions): Verified, 1h ago
Immutable audit logs, retained six years
Every access event, configuration change, and API call is recorded in append-only, cryptographically verified audit logs. Logs cannot be modified or deleted by any user or administrator, including CRUXIO™ staff. Retained for 6 years.
Vulnerability management
Find it before attackers do, and fix it faster

Continuous automated scanning combined with annual third-party penetration testing and a public responsible disclosure program.

Testing & assessment program
Daily: Automated DAST scanning (status: Continuous)
Dynamic application security testing against all public-facing endpoints. OWASP ZAP plus custom scanners against authenticated API surfaces. Findings triaged by CVSS score.
Daily: Dependency & SCA scanning (status: Automated)
Software composition analysis on all third-party dependencies. Automated PRs for dependency updates with known CVEs. SBOM maintained for all production components.
Each PR: SAST in CI/CD pipeline (status: Blocking gate)
Static analysis runs on every pull request. Code cannot merge to main with critical or high severity findings unresolved. Secrets scanning prevents credential leakage.
Weekly: Infrastructure vulnerability scan (status: Scheduled)
Authenticated vulnerability scanning of all cloud infrastructure, servers, containers, and network devices. Findings tracked to closure with defined SLAs by severity.
Annual: Third-party penetration test (DAST+SAST+Network) (status: Q4 2024, clean)
Full-scope penetration test by a qualified third-party security firm. Last conducted: Q4 2024. No critical findings outstanding. Report available under NDA.
Annual: SOC 2 Type II audit (status: Certified)
Annual audit by independent CPA firm covering Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Report available under NDA.
Vulnerability remediation SLAs
Critical (CVSS 9.0+): Immediate response, 24 hours
Patch or compensating control deployed within 24 hours. Executive notification required.
High (CVSS 7.0-8.9): Urgent remediation, 7 days
Patch applied within 7 days. Written sign-off required for any schedule extension.
Medium (CVSS 4.0-6.9): Standard remediation, 30 days
Patch deployed within next release cycle or 30 days, whichever is sooner.
Low (CVSS < 4.0): Planned remediation, 90 days
Tracked in security backlog for resolution within 90 days or accepted with documented risk treatment.
Q4 2024 pen test results
Critical: 0 outstanding  ·  High: 0 outstanding  ·  Medium: 2 (both remediated <14 days)  ·  Low: 7 (in backlog). Full report available under NDA to enterprise Clients.
Data sovereignty & residency
Your data stays where your regulations require it

Healthcare data is subject to strict jurisdictional requirements. CRUXIO™ supports data residency in every market we operate in, with sovereign and on-premises options for the most demanding regulatory environments.

United States: US-East region (AWS/GCP)
PHI stored in HIPAA-eligible US-East infrastructure. No cross-border transfer of identifiable health data without explicit BAA authorization. FedRAMP-aligned controls for government programs.
United Kingdom: UK region (London)
NHS and private health data in UK data centers. UK GDPR compliant. NHS DSPT aligned. No transfers outside UK without ICO-approved mechanisms.
MEENA Region: UAE / Saudi Central
UAE and KSA health data processed in-country per PDPL and MOH requirements. HAAD and DHCC compliant. Sovereign cloud deployment available for government programs.
Australia: AP-Southeast (Sydney)
Australian health data under Privacy Act 1988 and My Health Records Act. Data stored within Australia for all deployments. ADHA-aligned data handling practices.
India: AP-South (Mumbai)
Indian health data under DPDPA 2023 and ABDM framework. Sensitive personal data including health data stored on Indian-resident infrastructure by default.
Sovereign / On-Premises: Government & national programs
Air-gapped or on-premises deployment for government health schemes, national registries, and sovereign health programs requiring complete data control.
SaaS Cloud: Multi-tenant, region-selected, fully managed by CRUXIO™
Hybrid Cloud: Data in-country, compute in cloud, Client controls data plane
Private Cloud: Dedicated tenant infrastructure with no shared compute or storage
On-Premises: Client-hosted, air-gapped option for sovereign and government programs
Compliance frameworks
Global standards. Implemented, not claimed.

CRUXIO™'s security program is aligned with the leading global security and privacy frameworks. Every framework listed is actively implemented.

SOC 2 Type II (AICPA Trust Services Criteria)
Annual SOC 2 Type II audit covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. Report available under NDA to enterprise Clients.
Status: Certified, 2024
HIPAA / HITECH (Privacy, Security & Breach Notification)
Full HIPAA compliance as Business Associate: Privacy Rule, Security Rule, and Breach Notification Rule. BAA executed with all US healthcare clients before PHI access.
Status: Fully aligned
GDPR / UK GDPR (EU & UK Data Protection Regulations)
GDPR-compliant data processing with DPA for all EU/UK Clients. UK GDPR representative designated. SCCs and UK adequacy mechanisms for cross-border transfers.
Status: Fully aligned
ISO/IEC 27001 (Information Security Management)
ISMS designed against ISO/IEC 27001:2022 Annex A controls. Current security program meets or exceeds all Annex A control objectives. Formal certification in progress.
Status: Aligned, cert 2025
NIST CSF 2.0 (Identify · Protect · Detect · Respond · Recover)
Security program mapped to all five NIST CSF functions. Risk management aligned with NIST SP 800-30. Control baselines aligned with NIST SP 800-53 Rev 5.
Status: Fully aligned
CIS Controls v8 (Critical Security Controls, IG2 & IG3)
All 18 CIS Critical Security Controls implemented. IG2 standard applied for enterprise healthcare environments. IG3 controls implemented for PHI-processing systems.
Status: IG2 complete · IG3 active
Incident response
When something goes wrong: fast, transparent, complete

Our incident response plan is tested annually, approved by executive leadership, and documented to NIST SP 800-61 standards.

1. Detection & Identification
Automated detection via SIEM, IDS/IPS, and UEBA. Manual reporting via security@cruxio.co. All alerts treated as potential incidents until investigated.
Target: 15 min alert-to-triage
2. Containment
Short-term containment (isolate affected systems, revoke compromised credentials, block malicious IPs) within 1 hour of confirmation. Long-term plan documented within 4 hours.
Target: < 1 hour for containment
3. Eradication
Root cause identified and eliminated. Malware removed, vulnerabilities patched, compromised accounts reset. Full forensic analysis before returning systems to production.
Complete before recovery begins
4. Recovery
Systems restored from clean backups. Enhanced monitoring applied post-recovery. Staged return to production with verification at each phase against RTO/RPO targets.
RTO < 4h · RPO < 1h
5. Post-Incident Review
Written report within 5 business days: timeline, root cause, impact, and remediation actions. Lessons learned integrated into security program. Client-facing report provided where required.
Report within 5 business days
Breach notification timelines
Internal commitments that exceed statutory minimums
72h: Notify affected Client
Our internal target: 72 hours from confirming a breach. Well below the 60-day HIPAA statutory maximum.
72h: GDPR supervisory authority
Where GDPR applies, notify the relevant authority (e.g., ICO) within 72 hours of becoming aware. (GDPR Art. 33)
≤60d: HIPAA statutory maximum
HIPAA requires BA to notify Covered Entity within 60 days of breach discovery. Our 72-hour target is far faster.
5d: Full incident report to Client
Complete written report (timeline, root cause, PHI affected, individuals impacted, and remediation) within 5 business days.
Responsible disclosure program
Found a vulnerability? Tell us; we welcome it.

Security researchers who discover vulnerabilities in CRUXIO™ systems are our partners in protecting healthcare data. We operate a clear, fair disclosure program with safe harbor for good-faith researchers.

1. Discover & document
Reproduce the vulnerability and document it clearly: steps to reproduce, potential impact, and evidence. Do not access, exfiltrate, modify, or destroy data beyond what is necessary to demonstrate the issue.
Minimum necessary testing only
2. Report privately
Email your report to security@cruxio.co. Include your name (optional), contact details, and a clear description. Do not disclose publicly until we confirm remediation.
PGP key available on request
3. We acknowledge & investigate
We acknowledge all valid vulnerability reports within 5 business days. Our security team investigates, replicates, and assesses severity. We keep you informed and provide a remediation timeline.
Acknowledgment within 5 days
4. Remediation & credit
We remediate confirmed vulnerabilities per our SLA schedule. With your permission, we publicly credit your contribution in our security hall of fame.
Public credit with permission
Safe harbor protections apply for researchers acting in good faith in accordance with this program.
In scope: cruxio.co, api.cruxio.co, app.cruxio.co, HIP™ Platform
Out of scope: Social engineering, physical attacks, DoS / DDoS
Safe harbor · No legal action for good-faith research · Confidential treatment
Our security commitment
Security is our operating condition.

We process the most sensitive data in healthcare. That responsibility shapes every line of code, every infrastructure decision, and every policy we write. Security is not a product feature; it is the operating condition under which every part of CRUXIO™ is built and run.

AES-256 + TLS 1.3: no plaintext, anywhere
Hard architectural constraint. Encryption cannot be disabled by configuration, user action, or administrator override at any layer.
Zero standing admin access to production
No CRUXIO™ engineer has standing access to production PHI environments. All access is JIT, approved, time-limited, and recorded.
SOC 2 Type II + annual third-party pen test
Not self-assessed. Independent third-party auditors verify our security controls. Pen test reports available to Clients under NDA.
Data stays in your jurisdiction
Region-specific infrastructure across US, UK, EU, MEENA, India, and Australia. Sovereign and on-premises deployment for mandated data localization.
72-hour breach notification, always
Our internal commitment: notify you within 72 hours of confirming a breach. Faster than any regulatory minimum requires.
Security-first healthcare intelligence
For security documentation, SOC 2 reports, pen test summaries, or architecture reviews, contact info@cruxio.co. All documentation provided under NDA to qualified enterprise Clients.