Security · current posture
What we actually do.
A short page about what we have in place today, what we are working on, and what we do not yet promise. Need the questionnaire? Email founders@simulix.com — we turn it around within five business days.
Posture, line by line.
Every entry below maps to a concrete control in the codebase or a documented vendor contract. Nothing on this table is aspirational: items still being worked on are labelled In progress.
| Control | Detail | Status |
|---|---|---|
| Encryption in transit | TLS 1.3 on every public endpoint. HTTPS-only validators on every customer-supplied URL (webhooks, callbacks). | Live |
| Encryption at rest | Database storage encrypted at the disk layer (Neon Postgres, AWS-managed KMS). | Live |
| API key storage | Customer API keys are stored as SHA-256 hashes — the raw key is shown exactly once at creation time and never re-displayed. | Live |
| Webhook signatures | HMAC-SHA256 over the request body, signed with a per-org secret. Receivers reject signatures older than 5 minutes. | Live |
| Per-key + per-IP rate limiting | Closed-by-default. Per-org plan-tier ceilings; per-IP buckets on the unauthenticated public surface. | Live |
| Two-tier physical isolation | Sandbox and production live in separate Neon Postgres projects. A Postgres event trigger blocks cross-tier writes. | Live |
| Audit log | Every decision the workflow engine makes is recorded in engine_decisions with the correlation_id of the originating request. | Live |
| SOC 2 Type I letter | Auditor engagement complete; report expected this quarter. | In progress |
| SOC 2 Type II | Observation window opens after Type I; full report ~12 months out. | In progress |
| Data Processing Agreement (DPA) | Standard DPA template available; signed at contract for Studio + Enterprise. | On request |
| EU data residency | Available on contract — production data plane can be pinned to an EU region for Enterprise. | On request |
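The "API key storage" row above says keys are stored only as SHA-256 hashes and shown once at creation. The following is an added illustration of that pattern, not Simulix code: the key store, the `sk_` prefix and the store's method names are assumptions made for the example. Hashing a random 256-bit key with plain SHA-256 (no salt, no slow KDF) is adequate here because, unlike a password, the key is not guessable, so a leaked table of digests yields nothing usable.

```python
import hashlib
import secrets
from typing import Optional


def hash_key(raw_key: str) -> str:
    """SHA-256 hex digest of the raw key; this digest is the only form ever stored."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


class KeyStore:
    """Constructed in-memory stand-in for an API-keys table (hypothetical).

    Rows map key_hash -> org_id. The raw key is never written here, so nothing
    in the store can be handed back to a user or replayed by whoever reads it.
    """

    def __init__(self) -> None:
        self._rows: dict[str, str] = {}

    def issue(self, org_id: str) -> str:
        # 32 random bytes = 256 bits of entropy; the "sk_" prefix is an assumed convention.
        raw = "sk_" + secrets.token_urlsafe(32)
        self._rows[hash_key(raw)] = org_id
        # Returned exactly once. There is no other method that can recover it.
        return raw

    def authenticate(self, presented: str) -> Optional[str]:
        """Resolve a presented key to its org, or None if unknown/revoked."""
        # Hash the presented value and look the digest up; the comparison is
        # between digests, so the lookup never touches a stored raw key.
        return self._rows.get(hash_key(presented))

    def revoke(self, presented: str) -> bool:
        """Drop the row for a key. Returns True if a row was removed."""
        return self._rows.pop(hash_key(presented), None) is not None

    def stored_values(self) -> set[str]:
        """Everything persisted, for inspection: digests and org ids only."""
        return set(self._rows.keys()) | set(self._rows.values())


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue("org_demo")
    print("show once:", key)
    print("authenticates to:", store.authenticate(key))
    print("raw key present in store:", key in store.stored_values())
```

The practitioner check is the last line of the demo: after issuance, the raw key appears nowhere in what was persisted, and a wrong or revoked key resolves to `None` rather than to an error that distinguishes "never existed" from "revoked".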
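The "Webhook signatures" row states HMAC-SHA256 over the request body with a per-org secret, and that receivers reject signatures older than 5 minutes. Below is an added receiver-side example, not Simulix's webhook code. It assumes the timestamp travels in a header and is bound into the signed string alongside the body (the page only says "over the request body"); without that binding, an age check on an unauthenticated header would not defeat replay. The header names `X-Timestamp` and `X-Signature` are placeholders.

```python
import hashlib
import hmac
import time
from typing import Mapping, Optional, Tuple

MAX_AGE_SECONDS = 300  # the 5-minute window stated on the page


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over "<timestamp>.<body>" with the per-org secret.

    Assumption for this example: the timestamp is part of the signed string so
    it cannot be changed independently of the body.
    """
    msg = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(
    secret: bytes,
    headers: Mapping[str, str],
    body: bytes,
    now: Optional[float] = None,
) -> Tuple[bool, str]:
    """Receiver side. Returns (accepted, reason) so callers can log the reason."""
    now = time.time() if now is None else now
    ts_raw = headers.get("X-Timestamp")  # placeholder header name
    sig = headers.get("X-Signature")     # placeholder header name
    if ts_raw is None or sig is None:
        return False, "missing header"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "bad timestamp"

    # 1. Authenticate first: recompute over the raw bytes received (never over a
    #    re-serialised JSON object) and compare in constant time.
    expected = sign_webhook(secret, ts, body)
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"

    # 2. Then enforce freshness. abs() also rejects timestamps from the future,
    #    which would otherwise let a captured message be replayed later.
    if abs(now - ts) > MAX_AGE_SECONDS:
        return False, "stale"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample delivery.
    secret = b"whsec_constructed_example_secret"
    body = b'{"event":"run.completed","run_id":"run_example"}'
    ts = int(time.time())
    headers = {"X-Timestamp": str(ts), "X-Signature": sign_webhook(secret, ts, body)}
    print(verify_webhook(secret, headers, body))                       # (True, 'ok')
    print(verify_webhook(secret, headers, body + b" "))                # (False, 'bad signature')
    print(verify_webhook(secret, headers, body, now=ts + 301))         # (False, 'stale')
```

Two details matter in practice: verify over the exact bytes received (a JSON round-trip can reorder keys or change whitespace and silently break the MAC), and compare with `hmac.compare_digest` rather than `==`.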
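The "Per-key + per-IP rate limiting" row describes closed-by-default limits with per-org plan-tier ceilings and per-IP buckets on the unauthenticated surface. The code below is an added token-bucket illustration of that shape, not Simulix's limiter; the plan names, the requests-per-minute ceilings and the 30 rpm public-IP figure are constructed values. "Closed by default" is expressed as: an org whose plan has no configured ceiling gets zero allowance rather than falling through to some permissive default.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed plan-tier ceilings (requests per minute per org). Anything not
# listed here is denied outright.
PLAN_CEILINGS: Dict[str, int] = {"free": 60, "studio": 600, "enterprise": 6000}


@dataclass
class Bucket:
    capacity: float        # burst size == ceiling per minute
    tokens: float          # tokens currently available
    refill_per_sec: float  # capacity / 60
    updated: float         # last refill time (seconds)


class RateLimiter:
    """In-memory token buckets keyed by (scope, id); Redis would hold these in production."""

    def __init__(self, public_ip_rpm: int = 30) -> None:
        self.public_ip_rpm = public_ip_rpm  # constructed value for the unauthenticated surface
        self.buckets: Dict[Tuple[str, str], Bucket] = {}

    def _take(self, key: Tuple[str, str], rpm: int, now: float) -> bool:
        if rpm <= 0:
            return False  # closed by default: no ceiling configured means no traffic
        b = self.buckets.get(key)
        if b is None:
            b = Bucket(capacity=float(rpm), tokens=float(rpm), refill_per_sec=rpm / 60.0, updated=now)
            self.buckets[key] = b
        # Lazy refill: add tokens for the elapsed interval, capped at capacity.
        elapsed = max(0.0, now - b.updated)
        b.tokens = min(b.capacity, b.tokens + elapsed * b.refill_per_sec)
        b.updated = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def allow_authenticated(self, org_id: str, plan: str, now: float) -> bool:
        """Per-org bucket sized by the org's plan tier."""
        return self._take(("org", org_id), PLAN_CEILINGS.get(plan, 0), now)

    def allow_public(self, client_ip: str, now: float) -> bool:
        """Per-IP bucket for endpoints that carry no API key."""
        return self._take(("ip", client_ip), self.public_ip_rpm, now)


if __name__ == "__main__":
    import time
    rl = RateLimiter()
    t = time.time()
    print("free org, 61st request in one instant:",
          [rl.allow_authenticated("org_demo", "free", t) for _ in range(61)][-1])
    print("org with no plan mapping:", rl.allow_authenticated("org_new", "trial", t))
    print("public IP first request:", rl.allow_public("203.0.113.7", t))
```

The design choice worth noting is the lookup `PLAN_CEILINGS.get(plan, 0)`: a typo in a plan name, or a tier added to billing before it is added here, fails closed and is visible immediately as 429s in the audit trail rather than as unlimited traffic.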
Sub-processors, in full.
We publish the complete list. When a vendor is added we update this page and notify Studio + Enterprise contacts via email.
| Vendor | What we use it for | What data it sees |
|---|---|---|
| Cloudflare | Workers AI (LLM inference), Pages (frontend), R2 (object store), Workers (edge). | Prompts and responses transit Workers AI. No prompts are retained for training. |
| Neon | Managed Postgres — separate projects for prod and sandbox tiers. | All structured customer data: orgs, keys, runs, results, audit log. |
| Upstash | Managed Redis — sandbox cache and rate-limit state. | Rate-limit counters and short-lived idempotency keys. |
| Railway | Compute for the API and worker processes. | Process-level only; no persistence. |
| Stripe | Billing — checkout sessions, subscriptions, invoices. | Customer email, billing address, payment method (Stripe-hosted; we never see card numbers). |
| Resend | Transactional email — magic links, billing notifications, tier-overage warnings. | Customer email + the message body we send. |
Reporting a vulnerability
Coordinated disclosure, no bounty theatre.
Email security@simulix.com with the affected endpoint, a reproduction, and the impact you observed. We acknowledge within one business day and aim to ship a fix within 14 days for high-severity issues. We do not run a public bug-bounty program at launch; we will pay for responsibly disclosed reports on a case-by-case basis.