Security
Trust Center
AuditGuardX is built for organizations that handle sensitive compliance data. Security is not a feature; it is the foundation on which everything else is built.
Compliance Status
AuditGuardX implements SOC 2 Type II controls and is working toward formal certification. We believe in transparency: the status below reflects our honest current state.
SOC 2 Type II
Controls implemented
Formal audit in progress
Data Encryption
AES-256 at rest, TLS 1.3 in transit
All data paths encrypted
Infrastructure
Google Cloud Platform
SOC 1/2/3, ISO 27001, FedRAMP certified
Security Practices
How we protect your data at every layer.
Encryption
- TLS 1.3 for all data in transit
- AES-256 encryption at rest for documents and database
- Encrypted AI inference pipelines (Cerebras, Groq, Gemini)
- Secure key management via Google Cloud KMS
Access Control
- Role-based access control (RBAC) - Owner, Admin, Member, Viewer
- WorkOS SSO with SAML 2.0, OIDC, and SCIM provisioning
- Session-based authentication with bcrypt password hashing
- Multi-organization and multi-workspace isolation
Monitoring & Logging
- Comprehensive audit logs for all administrative actions
- Real-time WebSocket monitoring for document and compliance events
- Automated alerting for security-relevant events
- Activity tracking per user, workspace, and organization
Infrastructure
- Google Cloud Run - fully managed, auto-scaling container platform
- Cloud SQL (PostgreSQL 16) with pgvector for embeddings
- Memorystore (Redis) for session management and job queues
- Google Cloud Storage for encrypted document persistence
Data Handling
How customer data is isolated, processed, and retained.
Multi-tenant isolation
Each organization and workspace is logically isolated at the database level. No cross-tenant data access is possible.
Document processing
Documents are processed in isolated pipelines. Text extraction, chunking, and AI analysis occur in ephemeral compute contexts.
Data retention
Customer data is retained for the duration of the subscription. Data is permanently deleted within 30 days of contract termination.
Backup & recovery
Automated daily backups with point-in-time recovery. Database replication across Google Cloud availability zones.
Subprocessors
Third-party services that process data on our behalf.
| Service | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure for compute, storage, database, networking | United States (configurable regions) |
| Stripe | Payment processing and subscription billing | United States |
| WorkOS | Enterprise SSO, SCIM directory sync, SAML/OIDC | United States |
| Groq | Ultra-low latency AI inference for fast text generation | United States |
| Vertex AI | Multi-modal AI inference with text, image, and audio analysis | United States / Europe |
Incident Response
We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. Security incidents are communicated to affected customers within 72 hours per GDPR Article 33 requirements.
To report a security concern, contact security@auditguardx.com.
Need security documentation?
We provide security questionnaire responses, SOC 2 control descriptions, and data processing agreements on request. Contact our security team to get started.