
Security FAQ for Procurement Teams

This document answers the security and compliance questions asked most frequently by enterprise procurement and InfoSec teams during the vendor assessment process. For anything not covered here, contact security@noxys.eu.


Data Residency

Where are customer prompts and metadata stored?

All data processed and stored by Noxys is hosted exclusively within the European Union (EU-West regions) by default. No data is transferred to or stored in third-country infrastructure unless explicitly requested by the customer.

Can we pin our data to a specific region or country?

Yes. Enterprise tier customers may request per-region pinning (e.g., France, Germany, Netherlands) via a Data Processing Agreement addendum. Region pinning is enforced at the storage and inference layers. Contact enterprise@noxys.eu to enable this.


Encryption

How is data encrypted in transit?

All communications between the Noxys browser extension, the management console, and backend APIs use TLS 1.3. TLS 1.2 is accepted for legacy client compatibility but flagged in the admin audit log. Older protocol versions are rejected.
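To see how such a policy is expressed and checked in code, here is an added Go example (written for this FAQ; it is not Noxys's server code): a tls.Config that sets MinVersion to TLS 1.2 so that TLS 1.0 and 1.1 are rejected during the handshake, lets TLS 1.3 negotiate by default, and reports any TLS 1.2 handshake to an audit callback. An in-memory harness drives handshakes from clients pinned to 1.3, 1.2 and 1.0 so the three outcomes can be verified without sockets. The AuditEvent shape and the self-signed localhost certificate are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// AuditEvent is the record written when a legacy TLS 1.2 client connects.
// The field set is an assumption for this example.
type AuditEvent struct {
	ServerName string
	Version    string
}

// ServerConfig encodes the stated policy: MinVersion rejects TLS 1.0/1.1
// inside the handshake, TLS 1.3 is preferred automatically, and a TLS 1.2
// handshake is allowed but reported through the audit callback.
func ServerConfig(cert tls.Certificate, audit func(AuditEvent)) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // keeps the net.Pipe harness below free of post-handshake writes
		VerifyConnection: func(cs tls.ConnectionState) error {
			if cs.Version == tls.VersionTLS12 {
				audit(AuditEvent{ServerName: cs.ServerName, Version: "TLS 1.2"})
			}
			return nil
		},
	}
}

// SelfSignedCert makes a throwaway ECDSA certificate for localhost so the
// policy can be exercised without real PKI.
func SelfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Handshake runs one in-memory handshake (net.Pipe, no sockets) between a
// client pinned to clientVersion and the policy server. It returns the
// negotiated version and the audit events the server emitted; a handshake the
// server refuses comes back as an error.
func Handshake(cert tls.Certificate, clientVersion uint16) (uint16, []AuditEvent, error) {
	var events []AuditEvent
	srvCfg := ServerConfig(cert, func(e AuditEvent) { events = append(events, e) })
	cliCfg := &tls.Config{
		ServerName:         "localhost",
		InsecureSkipVerify: true, // test harness only: the server cert is self-signed
		MinVersion:         clientVersion,
		MaxVersion:         clientVersion,
	}
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(s, srvCfg).Handshake() }()
	client := tls.Client(c, cliCfg)
	cliErr := client.Handshake()
	if err := <-srvErr; err != nil {
		return 0, events, err
	}
	if cliErr != nil {
		return 0, events, cliErr
	}
	return client.ConnectionState().Version, events, nil
}
```

Running Handshake with tls.VersionTLS13 yields no audit event, with tls.VersionTLS12 yields exactly one, and with tls.VersionTLS10 fails before any application data is exchanged; the rejection comes from MinVersion, so no cipher suite or certificate logic ever runs for the old protocol versions.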

How is data encrypted at rest?

All persisted data (prompt logs, policy metadata, audit events) is encrypted at rest using AES-256-GCM with envelope encryption managed by a cloud KMS. Each tenant's data is encrypted under a separate data-encryption key (DEK) that is itself wrapped by a key-encryption key (KEK) in the KMS.

What is envelope encryption and which KMS is used?

Noxys uses a two-layer envelope encryption scheme: DEK (per-tenant, rotated quarterly) wrapped by a KEK in the cloud KMS. The architecture and rotation policy are defined in the internal KMS-1 ADR (available to Enterprise customers under NDA).

Can we bring our own encryption key (BYOK/CMK)?

Yes. Enterprise tier customers may supply a Customer-Managed Key (CMK) stored in their own cloud KMS (AWS KMS, Azure Key Vault, or GCP Cloud KMS). Noxys never has access to the plaintext CMK. Key revocation immediately renders encrypted data inaccessible. Contact your account manager to enable CMK.
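As an added illustration of the DEK/KEK scheme described in the three answers above (example code written for this FAQ, not Noxys's implementation), the following Go program models a per-tenant data-encryption key wrapped by a key-encryption key that lives inside a stand-in KMS, encrypts records with AES-256-GCM, and shows the effect of revoking the KEK, which is what happens when a customer withdraws a CMK. The KMS type, the function names and the tenant IDs are assumptions; quarterly DEK rotation is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KMS stands in for the cloud KMS (or the customer's own KMS under CMK): the
// KEK never leaves it, it only wraps or unwraps tenant DEKs. Example-only type.
type KMS struct {
	kek     []byte
	revoked bool
}

// NewKMS takes the KEK material, e.g. a customer-managed key (32 bytes = AES-256).
func NewKMS(kek []byte) *KMS { return &KMS{kek: kek} }

// Revoke models the customer disabling their CMK: every later Unwrap fails.
func (k *KMS) Revoke() { k.revoked = true }

// Wrap seals a DEK under the KEK with the tenant ID as AAD, so a wrapped key
// cannot be replayed under another tenant's identity.
func (k *KMS) Wrap(tenantID string, dek []byte) ([]byte, error) {
	return seal(k.kek, dek, []byte(tenantID))
}

func (k *KMS) Unwrap(tenantID string, wrapped []byte) ([]byte, error) {
	if k.revoked {
		return nil, errors.New("kms: key revoked")
	}
	return open(k.kek, wrapped, []byte(tenantID))
}

// NewTenantDEK generates a per-tenant AES-256 DEK and returns only its wrapped
// form; the plaintext DEK is discarded as soon as it is wrapped.
func NewTenantDEK(kms *KMS, tenantID string) ([]byte, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	return kms.Wrap(tenantID, dek)
}

// EncryptRecord unwraps the tenant DEK just long enough to seal one record,
// again binding the tenant ID as AAD.
func EncryptRecord(kms *KMS, tenantID string, wrappedDEK, plaintext []byte) ([]byte, error) {
	dek, err := kms.Unwrap(tenantID, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return seal(dek, plaintext, []byte(tenantID))
}

func DecryptRecord(kms *KMS, tenantID string, wrappedDEK, sealed []byte) ([]byte, error) {
	dek, err := kms.Unwrap(tenantID, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, sealed, []byte(tenantID))
}

// seal is AES-256-GCM with a fresh random 96-bit nonce prepended to the
// ciphertext; open reverses it and fails on any change to nonce, data or AAD.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}
```

Two properties of the scheme are visible in the code: a record sealed for one tenant cannot be opened with another tenant's DEK or under another tenant's ID, because both the wrapped DEK and the record carry the tenant ID as authenticated data, and once the KMS refuses to unwrap (revocation), every stored ciphertext becomes unreadable without any data having to be rewritten.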


Compliance Certifications

What certifications does Noxys hold?

Standard         Status
SOC 2 Type II    In progress — target completion Q3 2026
GDPR             Compliant — DPA available, see below
EU AI Act        Ready — Noxys is designed as a conformity-enabling layer
ISO 27001        Roadmapped — target audit Q1 2027
NIS2             Architecture aligned; formal assessment planned

Up-to-date certification status, audit reports, and evidence packages are available via the Trust Center (NDA required for SOC 2 reports).

Is Noxys GDPR-compliant?

Yes. Noxys acts as a Data Processor under GDPR Article 28 on behalf of its customers (the Data Controllers). A standard DPA is available pre-contract. Noxys maintains a Record of Processing Activities (RoPA) and a DPIA template is available on request.


Sub-Processors

Who are Noxys's sub-processors?

Sub-Processor                  Purpose                          Location
Stripe                         Payment processing and billing   USA (SCCs in place)
Managed PostgreSQL provider    Primary database hosting         EU (France / Germany)
Cloud infrastructure provider  Compute, object storage, KMS     EU-West
Transactional email provider   Alerts and notifications         EU

The full, continuously updated sub-processor list — including legal entity names, DPA links, and transfer mechanisms — is maintained at noxys.eu/trust-center/subprocessors. Customers are notified at least 30 days in advance of any new or replacement sub-processor.


Authentication & Access Control

What authentication methods are supported?

  • SSO via OIDC: Google Workspace, Microsoft Entra ID (Azure AD), and any generic OIDC provider.
  • SAML 2.0: Supported for Enterprise tier customers.
  • SCIM 2.0: Provisioning and de-provisioning — in progress, target Q3 2026.
  • Local accounts: Available for non-SSO environments; MFA required.

See SSO Configuration and Microsoft Entra ID for setup guides.

What access-control model does Noxys use?

Noxys implements Role-Based Access Control (RBAC) with four built-in roles: Owner, Admin, Analyst, and Read-Only. Custom roles are available on Enterprise tier. Every action is logged in the immutable audit trail.

Can we enforce MFA for all users?

Yes. MFA can be enforced per-tenant from the admin console. Supported second factors: TOTP apps (Authy, Google Authenticator) and WebAuthn/FIDO2 hardware keys.


Data Retention

How long is data retained?

The default retention period for interaction logs (prompt metadata, policy decision records) is 90 days. Customers may configure shorter retention periods down to 7 days from the admin console. Audit logs are retained for 1 year and cannot be shortened below the compliance minimum.

Can we request early deletion of our data?

Yes. A hard-delete request can be submitted via the console (Tenant Settings → Data Management) or by emailing privacy@noxys.eu. Deletion is executed within 72 hours and confirmed in writing. Backup purge completes within 30 days.


Data Processing Agreement (DPA)

Is a DPA available?

Yes. A standard Noxys DPA (aligned to GDPR Article 28 and EU SCCs for sub-processors) is available pre-contract without charge.

Where can we get the DPA template?

Download the current DPA template from the Trust Center. Enterprise customers requiring custom DPA terms should contact legal@noxys.eu.


Incident Response

What is the notification SLA for security incidents?

Noxys commits to notifying affected customers within 24 hours of confirming a security incident that may impact their data. This notification includes a preliminary impact assessment.

What happens after an incident?

A full post-mortem — including root cause, timeline, remediation actions, and preventive measures — is delivered to affected customers within 7 business days. All incidents affecting personal data are reported to the relevant supervisory authority (CNIL for France) within the GDPR 72-hour window.


Penetration Testing

Does Noxys conduct penetration testing?

Yes. An independent third-party penetration test is conducted annually targeting the management console, API layer, browser extension, and infrastructure. The most recent pentest executive summary is available to Enterprise prospects under NDA.

Can we conduct our own penetration test?

Customers may perform black-box testing against their own tenant with 5 business days' prior notice. Contact security@noxys.eu to coordinate scope and timing. Destructive testing and load testing require written approval.


Customer Audit Rights

Can we audit Noxys's security controls?

Enterprise tier customers have the right to:

  1. Audit log export: Full tenant audit trail exportable in SIEM-compatible formats (CEF, JSON, Splunk HEC).
  2. On-site audit support: Noxys will make relevant personnel and documentation available for on-site or remote security audits with 10 business days' notice.
  3. Questionnaire completion: Noxys will complete standard security questionnaires (SIG, CAIQ, bespoke) within 10 business days.
  4. Evidence packages: SOC 2 reports, pentest summaries, and DPIAs provided on request (NDA required).

Still have questions?

Contact              Purpose
security@noxys.eu    Security assessments, pentest coordination, vulnerability disclosure
privacy@noxys.eu     GDPR requests, data deletion, DPA questions
legal@noxys.eu       Custom DPA terms, contractual questions
enterprise@noxys.eu  Enterprise tier, CMK, region pinning

Trust Center: noxys.eu/trust-center