Security

Soxify is designed to protect sensitive audit evidence through layered controls, traceability, and access boundaries.

Last updated: February 8, 2026

1. Security Approach

Soxify uses a defense-in-depth model with controls across identity, network, application, and data layers. Security controls are continuously reviewed as product capabilities evolve.

2. Tenant Isolation and Access Boundaries

Workspace scoping is enforced throughout the data model and APIs.

  • Role-based access control for owners, admins, preparers, and reviewers.
  • Workspace-level isolation checks for controls, workflows, and evidence.
  • Archived data and audit events are retained for traceability.

3. Authentication and Session Security

Authenticated app access is managed through identity provider integration. Public evidence submission uses scoped, expiring magic-link tokens with revocation support.

4. Evidence Integrity and Auditability

  • Evidence files are hashed for integrity verification.
  • Audit events capture who did what and when.
  • Signoff chains and timestamps are preserved in exports.

5. Network and Data Protection

Data in transit is protected with TLS. Storage, infrastructure, and backups are handled through managed cloud services and provider security controls.

Access to infrastructure and secrets is restricted to authorized personnel and systems.

6. Public Upload Endpoint Protections

  • Rate limiting and request validation for public endpoints.
  • Token expiry windows and configurable submission limits.
  • File size and MIME-type validation before processing.
  • Public upload activity logged for audit and investigation.

7. Monitoring and Incident Response

Operational and security logs are monitored for abnormal behavior. Security incidents are triaged, contained, and remediated through documented response workflows, with customer communication where appropriate.

8. Vulnerability Management

Dependencies and infrastructure are updated routinely. Identified vulnerabilities are prioritized by severity and remediated according to risk.

9. Shared Responsibility

Customers also play an important role in secure operation.

  • Use strong authentication and review role assignments regularly.
  • Restrict access to sensitive evidence exports.
  • Rotate credentials and remove inactive users promptly.
  • Report suspicious activity immediately.

10. Security Contact

To report a security issue, email security@soxify.com with details and reproduction steps if available.