Soxom

Security & data handling.

How Soxom protects your specs, code, and credentials.

Hosting

Soxom runs on AWS in the us-east-1 region. The application tier (Fastify API on ECS Fargate, static SPA on CloudFront) sits behind an Application Load Balancer in a VPC with private subnets. PostgreSQL runs on managed RDS with multi-AZ failover. Redis runs on ElastiCache with restricted security-group access.

Encryption

All traffic is encrypted in transit with TLS 1.2 or higher, terminated both at the CloudFront edge and at the ALB. Data at rest is encrypted on every persistence layer: RDS (Postgres) with AWS-managed KMS keys (not customer-managed keys, so bring-your-own-key is not currently offered), ElastiCache (Redis) with at-rest encryption, and S3 buckets with SSE-S3.

Authentication

User authentication is handled by WorkOS AuthKit — OAuth-based sign-in with sealed session cookies. Programmatic API access uses bearer tokens that are SHA-256 hashed before storage (we never store the plaintext). GitHub access flows through a GitHub App with installation-scoped tokens; you control which repos Soxom can see at install time.

Code & secrets

Soxom orchestrates code generation and release flows in your GitHub repositories — your source of truth, not ours. Publishing to PyPI, Maven Central, npm, and other registries runs in your own GitHub Actions, using your secrets. Soxom never holds your registry credentials. The customer-owned release.yml we emit can use OIDC or repo secrets — your choice.

Sub-processors

We rely on a small set of audited sub-processors:
  • AWS — application, database, and storage hosting
  • Stripe — billing and payment processing
  • WorkOS — authentication and SSO
  • Postmark — transactional email
  • GitHub — repository hosting (your account, our GitHub App)

Compliance

We're an early-stage company and do not yet hold SOC 2 or ISO 27001 certifications. We're committed to pursuing SOC 2 Type II within the next 12 months. In the meantime, we're happy to share our security controls in detail under NDA — contact security@soxom.com.

Backups & disaster recovery

PostgreSQL backups run automatically via RDS: daily snapshots plus point-in-time recovery, with 7-day retention in staging and 30-day retention in production. Point-in-time recovery (RDS ships transaction logs roughly every five minutes) is what makes the recovery point objective achievable. Snapshots are encrypted with AWS-managed KMS keys. Our recovery objectives are RPO ≤ 5 minutes and RTO ≤ 1 hour, and we test restores quarterly.

Data residency

All customer data is currently stored in AWS us-east-1. EU and other regional residency options are on our roadmap for enterprise customers — contact us if regional residency is a requirement.

Customer data deletion

On organization termination, we delete all customer data — project metadata, build artifacts, audit logs, and SDK target records — within 30 days. Your GitHub repositories are owned by your GitHub account and remain under your control; Soxom does not retain copies after termination.

Audit logging

Every state-changing action — build trigger, release, member invite, API key rotation, billing change — is recorded in our AuditLog with user or API-key attribution, timestamp, and source IP. Audit logs are retained for 1 year and are exportable on request.

Penetration testing

We plan to run our first third-party penetration test in 2026, with an annual cadence thereafter. Reports will be available under NDA to enterprise customers.

DPA, MSA & NDA

We offer a standard Data Processing Agreement covering GDPR and UK-GDPR obligations, a Master Services Agreement for procurement teams, and NDAs on request. Reach hello@soxom.com for procurement-ready paperwork.

Incident response

Report security issues to security@soxom.com. We ask for coordinated disclosure: give us a reasonable opportunity to investigate and remediate before publishing, and we'll respond promptly with an acknowledgement and a remediation timeline.

Need a security questionnaire or DPA?

We're happy to provide both. Get in touch and we'll route you to the right person.