Your data is our responsibility
Praxiss is built with security at every layer. From infrastructure to application code, we protect your people data with the same rigour we'd expect for our own.
Infrastructure
Enterprise-grade hosting with strict data isolation between organisations.
AWS Hosting
Praxiss runs on Amazon Web Services, in data centres covered by AWS's SOC 1, SOC 2 and SOC 3 reports, with professional physical security, surveillance and intrusion detection. Those reports cover the physical and infrastructure layer; the controls described below are what Praxiss adds on top of it.
Tenant Data Isolation
Each organisation gets its own dedicated database; a separate master database holds the routing information that maps an organisation to its database. Your data is never commingled with another organisation's: queries run against your database alone, so isolation is structural rather than depending on a tenant filter in every query.
TLS Everywhere
All data in transit is encrypted with TLS. Every connection to Praxiss is served over HTTPS, with no plaintext HTTP exceptions.
Nginx Security Headers & HSTS
All traffic passes through Nginx, which sets hardened security headers including HSTS, X-Frame-Options, X-Content-Type-Options and Referrer-Policy. HTTP Strict Transport Security is sent with a long max-age and includeSubDomains, so a browser that has seen the header once refuses to connect to Praxiss, or any of its subdomains, over plain HTTP for the lifetime of that max-age.
Enterprise Authentication
Flexible, secure login options that meet enterprise identity requirements.
Single Sign-On (SSO)
Native support for Google Workspace, Microsoft Entra ID (Azure AD), and Okta. Users authenticate through their existing identity provider with no separate passwords to manage.
OIDC with PKCE
SSO uses the OpenID Connect authorization code flow with Proof Key for Code Exchange (PKCE). The client sends a hash of a one-time secret with the login request and the secret itself when redeeming the authorization code, so an intercepted code cannot be exchanged for tokens by anyone who does not hold that secret. PKCE was designed for public clients and is now recommended for every client.
Enforced SSO-Only Login
Organisations can enforce SSO-only mode, disabling email/password login entirely. Every login then flows through your identity provider and is subject to its policies, including MFA.
Just-in-Time Provisioning
New users are created automatically on their first SSO login, so no manual onboarding is needed. They are placed in the correct organisation with its default role immediately.
Application Security
Defence in depth - multiple layers of protection from code to runtime.
AES-256-GCM Encryption
Sensitive data at rest is encrypted with AES-256-GCM, an authenticated encryption mode: it protects confidentiality and also detects any modification of the stored ciphertext, so tampered data is rejected rather than decrypted. It is the same standard used by governments and financial institutions worldwide.
Strict Input Validation
Every API endpoint validates its input against a Zod schema. Malformed or unexpected data is rejected before it reaches any business logic.
Security Headers & CSP
Helmet.js sets strict security headers, including a Content Security Policy that restricts where scripts and other resources may be loaded from, mitigating XSS, clickjacking and other common web attacks.
Hardened JWT Authentication
Short-lived access tokens (1 hour) are paired with refresh tokens (7 days) and full rotation: each refresh issues a new refresh token and invalidates the previous one, so a replayed refresh token is detected and rejected. JWT payloads carry only the claims needed for authorisation, and signing secrets are rotated.
Rate Limiting & Abuse Prevention
All endpoints are rate-limited, with limits tuned per endpoint and stricter limits on authentication endpoints. Repeated failed attempts trigger progressive delays, slowing brute force and credential stuffing.
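Added example (not Praxiss's code) of per-endpoint rate limits alongside a progressive per-account delay, in Node.js. The two are keyed differently on purpose: the window limit is keyed by client address and caps volume, while the backoff is keyed by account so that credential stuffing spread across many addresses still slows down. The limit values, endpoint names and backoff parameters are illustrative.

```javascript
// Added example (not Praxiss code): a per-endpoint fixed-window limiter keyed by client,
// plus a per-account backoff that doubles the lockout after each failed login.

// Illustrative per-endpoint tiers; authentication gets the tightest one.
const LIMITS = {
  'POST /api/login': { max: 5, windowMs: 60000 },
  'GET /api/pulse': { max: 100, windowMs: 60000 },
};
const DEFAULT_LIMIT = { max: 60, windowMs: 60000 };
const windows = new Map();  // `${endpoint}|${clientKey}` -> { start, count }

// Returns { allowed } or { allowed: false, retryAfterMs } for one request at time `now` (ms).
function rateLimit(endpoint, clientKey, now) {
  const limit = LIMITS[endpoint] || DEFAULT_LIMIT;
  const k = `${endpoint}|${clientKey}`;
  let w = windows.get(k);
  if (!w || now - w.start >= limit.windowMs) {
    w = { start: now, count: 0 };
    windows.set(k, w);
  }
  w.count++;
  if (w.count <= limit.max) return { allowed: true };
  return { allowed: false, retryAfterMs: w.start + limit.windowMs - now };
}

// Progressive delay per account: the first `freeAttempts` failures cost nothing, after which
// the lockout doubles each time (base * 2^(n-1)) up to a cap, so a user who mistypes twice is
// not punished but an automated guesser quickly stalls.
const BACKOFF = { freeAttempts: 3, baseMs: 1000, capMs: 15 * 60 * 1000 };
const failures = new Map();  // accountKey -> { count, lockedUntil }

function checkLoginAllowed(accountKey, now) {
  const f = failures.get(accountKey);
  if (f && now < f.lockedUntil) return { allowed: false, retryAfterMs: f.lockedUntil - now };
  return { allowed: true };
}

// Records the outcome of a login attempt and returns the delay (ms) imposed by this failure.
function recordLoginResult(accountKey, success, now) {
  if (success) {
    failures.delete(accountKey);  // a genuine login clears the history
    return 0;
  }
  const f = failures.get(accountKey) || { count: 0, lockedUntil: 0 };
  f.count++;
  const over = f.count - BACKOFF.freeAttempts;
  const delay = over > 0 ? Math.min(BACKOFF.baseMs * 2 ** (over - 1), BACKOFF.capMs) : 0;
  f.lockedUntil = now + delay;
  failures.set(accountKey, f);
  return delay;
}

// Constructed scenario: six failed logins against one account from one address.
function limiterDemo() {
  const account = 'alice@example.com';  // constructed
  const client = '203.0.113.7';          // constructed, documentation range
  const delays = [];
  const windowResults = [];
  for (let i = 0; i < 6; i++) {
    windowResults.push(rateLimit('POST /api/login', client, i).allowed);
    delays.push(recordLoginResult(account, false, i));
  }
  const lockedAt6 = checkLoginAllowed(account, 6).allowed;
  const freeAt5000 = checkLoginAllowed(account, 5000).allowed;
  return { delays, windowResults, lockedAt6, freeAt5000 };
}
```

The cap matters as much as the doubling: without it, an attacker who knows a victim's email could lock that account indefinitely, turning the brute-force defence into a denial of service.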
Full Security Audit
The codebase has undergone a comprehensive security audit covering authentication flows, API endpoints, data handling, and infrastructure configuration. Findings have been resolved and hardening applied.
Access Control
Granular permissions that give you full control over who sees what.
Custom Roles & 16 Permission Flags
Create custom roles per organisation with fine-grained control across 16 permission flags - from viewing pulse results to managing SSO settings. Go beyond simple admin/user with roles that match your org structure.
Role-Based UI Rendering
The interface adapts to the user's role: users see only the features, data and actions their permissions allow, so there are no hidden admin panels to stumble into and less scope for accidental exposure. Hiding a control in the UI is a convenience, not the access check itself; the permission flags govern what a user can do regardless of what is rendered.
Organisation-Scoped Permissions
All permissions are scoped to the organisation. A user's role in one organisation has no bearing on any other, even when the same user belongs to multiple tenants.
Data Privacy
We collect the minimum data needed and keep you in control of the rest.
Minimal PII
Praxiss stores only name and email address. We don't collect home addresses, phone numbers, government IDs, or other sensitive personal information.
Bring Your Own Key (BYOK) AI
AI features use your organisation's own API key. Your review data goes directly to your chosen AI provider under your terms with that provider; Praxiss does not proxy, store or read that exchange.
Your Data Stays Yours
With BYOK, no customer feedback data passes through Praxiss servers for AI processing. You maintain full control and visibility over what leaves your environment.
Backup & Resilience
Designed for durability so your data is always recoverable.
Point-in-Time Recovery
Databases are configured with point-in-time recovery, allowing restoration to any moment within the retention window. Accidental deletions and data corruption are reversible.
Automated Backups
Backups run automatically on a regular schedule with no manual intervention required. Backup integrity is monitored continuously.
Responsible Disclosure
We value the security community's help in keeping Praxiss safe.
If you believe you've discovered a potential security vulnerability in Praxiss, we encourage you to disclose it to us responsibly. We appreciate the work of security researchers and are committed to reviewing every report.
Please email your findings to security@praxiss.io with a clear description of the issue and steps to reproduce. We ask that you allow us a reasonable timeframe to address the issue before any public disclosure.
We will acknowledge receipt within 48 hours and aim to provide an initial assessment within 5 business days.
Have security questions? We're happy to discuss our practices in detail.
Contact Us