Security at Novastraxis

Our infrastructure is owned and operated by Novastraxis across 48 global regions with 180+ points of presence. We do not rely on public cloud providers for our core platform, eliminating shared tenancy risks and giving us complete control over the security of every layer.

Physical Security

• All data centers are SOC 2 Type II audited, purpose-built facilities with 24/7/365 on-site security personnel, biometric access controls (iris and fingerprint), and mantrap entry systems.
• Perimeter security includes vehicle barriers, CCTV surveillance with 90-day retention, intrusion detection sensors, and security patrols at randomized intervals.
• Server rooms enforce dual-person access policies. All hardware access is logged, time-limited, and requires pre-authorized maintenance tickets.
• Environmental controls include redundant HVAC systems, FM-200 fire suppression, water leak detection, and seismic bracing in applicable regions.
• End-of-life hardware undergoes NIST 800-88 compliant media sanitization, including cryptographic erasure and physical destruction, with full chain-of-custody documentation.

Network Security

• Privately-owned dark fiber backbone connecting all regions with no traversal over public internet between data centers. Inter-region traffic is encrypted using MACsec (IEEE 802.1AE) at the link layer.
• Multi-layered DDoS mitigation using Anycast routing, rate-limiting, traffic scrubbing centers, and automated black-hole routing. Capacity exceeds 15 Tbps of sustained mitigation.
• Micro-segmented network architecture using software-defined networking (SDN). Each customer workload operates in an isolated virtual network with cryptographically enforced boundaries.
• Network intrusion detection and prevention systems (IDS/IPS) deployed at every network boundary and inter-segment junction, with signatures updated hourly from our threat intelligence feeds.
• All DNS resolution uses DNSSEC validation and DNS-over-HTTPS (DoH) to prevent DNS spoofing and eavesdropping attacks.

Application Security

• Secure Software Development Lifecycle (SSDLC) integrated into all engineering workflows. Mandatory security reviews for every code change, automated static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA) in CI/CD pipelines.
• All APIs enforce authentication, authorization, input validation, rate limiting, and request signing. API keys are rotated automatically and scoped to minimum required permissions.
• Web Application Firewall (WAF) with custom rulesets protects all public-facing endpoints against OWASP Top 10 vulnerabilities, including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
• Container images are built from minimal base images, scanned for vulnerabilities before deployment, signed with Sigstore Cosign, and run with read-only file systems, no-root privileges, and restricted syscall profiles (seccomp/AppArmor).
• Runtime application self-protection (RASP) monitors production applications for exploitation attempts, providing an additional layer of defense beyond perimeter controls.

Novastraxis enforces strict access controls based on the principle of least privilege. No employee, system, or process has access to data or systems beyond what is strictly necessary to perform its function.

• Role-Based Access Control (RBAC): Fine-grained, hierarchical RBAC across all platform resources. Over 200 predefined roles with support for custom role definitions. Role assignments are reviewed quarterly by the security team and require managerial approval.
• Multi-Factor Authentication (MFA): MFA is mandatory for all user and administrative accounts. Supported methods include FIDO2/WebAuthn hardware security keys (preferred), TOTP-based authenticator apps, and push notifications. SMS-based MFA is not supported due to SIM swapping risks.
• Single Sign-On (SSO): Enterprise SSO integration via SAML 2.0, OpenID Connect, and SCIM provisioning. Support for all major identity providers including Okta, Azure AD, Google Workspace, and Ping Identity. Just-in-time provisioning and automatic deprovisioning ensure access is always current.
• Privileged Access Management (PAM): All administrative access to production systems uses time-limited, just-in-time credentials issued through our PAM platform. Sessions are recorded, monitored in real-time by the SOC, and subject to random audit review.
• API Security: API authentication via OAuth 2.0 with short-lived access tokens (15-minute TTL). Service accounts use mutual TLS certificates. All API access is logged with immutable audit trails retained for a minimum of three years.

Novastraxis maintains a mature, well-rehearsed incident response program designed to detect, contain, eradicate, and recover from security incidents with minimal impact to customers.

Incident Response Lifecycle

Customer notification timelines comply with all applicable regulations: GDPR (72 hours), HIPAA (60 days), and individual state breach notification laws. Enterprise Critical tier customers receive dedicated incident liaisons and real-time status updates through their private status page.

Novastraxis conducts rigorous, quarterly penetration testing of our platform through independent, CREST-accredited security firms. Our penetration testing program includes:

• External Testing: Network perimeter, web application, API, and mobile application testing from an external adversary perspective. Tests include OWASP Top 10, business logic vulnerabilities, and authentication/authorization bypass attempts.
• Internal Testing: Assume-breach scenarios where testers operate from within the network to assess lateral movement potential, privilege escalation paths, and data exfiltration risks.
• Red Team Exercises: Full-scope adversary simulations conducted bi-annually, including social engineering, physical security, and combined attack vectors targeting specific high-value objectives.
• Cloud Configuration: Infrastructure-as-code review, container security assessment, Kubernetes cluster hardening validation, and IAM policy analysis.

Executive summaries of penetration test results are available to customers under NDA upon request. Remediation timelines are tracked and reported to our Board of Directors quarterly. Enterprise customers may also conduct their own penetration testing against their dedicated environments with prior coordination.

In accordance with our obligations under GDPR Article 28 and our Data Processing Agreements, we maintain a transparent list of subprocessors that may process customer personal data. All subprocessors are contractually bound to data protection obligations no less protective than those in our customer agreements. We provide at least 30 days' advance notice before engaging a new subprocessor.

Last updated: April 11, 2026. To subscribe to subprocessor change notifications, contact privacy@novastraxis.com.