Simulix

Security · current posture

What we actually do.

A short page about what we have in place today, what we are working on, and what we do not yet promise. Need the questionnaire? Email founders@simulix.com — we turn it around within five business days.

Posture, line by line.

Every entry below maps to a concrete control in the codebase or a documented vendor contract. Nothing in this table is aspirational: items still being worked on are labelled In progress.

Control | Detail | Status
Encryption in transit | TLS 1.3 on every public endpoint. HTTPS-only validators on every customer-supplied URL (webhooks, callbacks). | Live
Encryption at rest | Database storage encrypted at the disk layer (Neon Postgres, AWS-managed KMS). | Live
API key storage | Customer API keys are stored as SHA-256 hashes — the raw key is shown exactly once at creation time and never re-displayed. | Live
Webhook signatures | HMAC-SHA256 over the request body, signed with a per-org secret. Receivers reject signatures older than 5 minutes. | Live
Per-key + per-IP rate limiting | Closed-by-default. Per-org plan-tier ceilings; per-IP buckets on the unauthenticated public surface. | Live
Two-tier physical isolation | Sandbox and production live in separate Neon Postgres projects. A Postgres event trigger blocks cross-tier writes. | Live
Audit log | Every decision the workflow engine makes is recorded in engine_decisions with the correlation_id of the originating request. | Live
SOC 2 Type I letter | Auditor engagement complete; report expected this quarter. | In progress
SOC 2 Type II | Observation window opens after Type I; full report ~12 months out. | In progress
Data Processing Agreement (DPA) | Standard DPA template available; signed at contract for Studio + Enterprise. | On request
EU data residency | Available on contract — production data plane can be pinned to an EU region for Enterprise. | On request

Sub-processors, in full.

We publish the complete list. When a vendor is added we update this page and notify Studio + Enterprise contacts via email.

Vendor | What we use it for | What data it sees
Cloudflare | Workers AI (LLM inference), Pages (frontend), R2 (object store), Workers (edge). | Prompts and responses transit Workers AI. No prompts are retained for training.
Neon | Managed Postgres — separate projects for prod and sandbox tiers. | All structured customer data: orgs, keys, runs, results, audit log.
Upstash | Managed Redis — sandbox cache and rate-limit state. | Rate-limit counters and short-lived idempotency keys.
Railway | Compute for the API and worker processes. | Process-level only; no persistence.
Stripe | Billing — checkout sessions, subscriptions, invoices. | Customer email, billing address, payment method (Stripe-hosted; we never see card numbers).
Resend | Transactional email — magic links, billing notifications, tier-overage warnings. | Customer email + the message body we send.

Reporting a vulnerability

Coordinated disclosure, no bounty theatre.

Email security@simulix.com with the affected endpoint, a reproduction, and the impact you observed. We acknowledge within one business day and aim to ship a fix within 14 days for high-severity issues. We do not run a public bug-bounty program at launch; we will pay for responsibly disclosed reports on a case-by-case basis.
