Security Practices

Last Updated: February 2026

Overview

At Coax, security is fundamental to our mission of helping organizations manage their SaaS applications. This document describes the technical and organizational security measures we implement to protect your data.

Security Principles

Our security approach is built on:

Defense in Depth: Multiple layers of security controls
Principle of Least Privilege: Access limited to what's necessary
Privacy by Design: Data minimization at every step
Transparency: Clear communication about our practices

Data Encryption

Encryption at Rest

Data Type	Encryption Method
OAuth Tokens	AES-256-CBC with unique per-record keys
Session Data	AES-256-CBC encryption
Database	Google Cloud SQL encryption (AES-256)
File Storage	Google Cloud Storage default encryption (AES-256)
Backups	Encrypted with Google-managed keys

Key Management:

Encryption keys stored separately from encrypted data
Keys managed via Google Cloud Secret Manager
Regular key rotation procedures

Encryption in Transit

Connection	Protocol
User to Application	TLS 1.3 (HTTPS enforced)
Application to Database	TLS encrypted connection
Application to APIs	TLS 1.2+ for all external APIs
Internal Services	TLS encrypted service mesh

Certificate Management:

Certificates automatically managed and renewed
HSTS headers enforced
Modern cipher suites only

Authentication & Access Control

User Authentication

OAuth 2.0: Authentication via Microsoft Entra ID (formerly Azure AD)
No Password Storage: We never store user passwords
Token Security: Access tokens encrypted at rest, short-lived (24 hours)
Session Management: Secure HttpOnly cookies, automatic expiration

Authorization

Control	Implementation
Role-Based Access Control	Defined user roles with specific permissions
Organization Isolation	Multi-tenant data separation at database level
API Authentication	JWT tokens with organization context
Admin Access	Elevated permissions for organization administrators

Internal Access Control

Employee Access: Strictly limited to operational necessity
Production Access: Requires approval and is logged
Vendor Access: No direct access to customer data
Audit Logging: All administrative actions logged

Infrastructure Security

Cloud Platform

We host our infrastructure on Google Cloud Platform (GCP), leveraging their enterprise security:

Component	GCP Service	Security Features
Application	Cloud Run	Container isolation, automatic patching
Database	Cloud SQL (PostgreSQL)	Private networking, encryption, backups
File Storage	Cloud Storage	IAM access control, encryption
Secrets	Secret Manager	Encrypted storage, audit logging
Scheduling	Cloud Scheduler	IAM authentication

Data Location: Primary infrastructure in europe-west1 (Belgium, EU)

Network Security

Virtual Private Cloud: Application components in private network
Firewall Rules: Ingress restricted to necessary ports only
DDoS Protection: Google Cloud Armor protection
No Public IPs: Backend services not directly internet-accessible

Container Security

Managed Runtime: Cloud Run managed environment
Automatic Updates: Security patches applied by Google
Minimal Images: Reduced attack surface
Resource Isolation: Container-level isolation

Application Security

Secure Development

Practice	Description
Code Review	All changes require peer review
Dependency Scanning	Automated vulnerability scanning
Static Analysis	Linting and type checking enforced
Testing	Automated test suite before deployment

Input Validation

Zod Schemas: All API inputs validated with strict schemas
SQL Injection Prevention: Parameterized queries via Prisma ORM
XSS Prevention: React's built-in escaping, Content Security Policy
CSRF Protection: Token-based protection on state-changing operations

API Security

Rate Limiting: Protection against abuse
Input Size Limits: Maximum payload sizes enforced
Error Handling: Generic error messages to users (details logged internally)
CORS: Restricted to authorized origins

Data Protection

Data Minimization

We collect only the data necessary to provide our service:

Data Category	What We Collect	What We DON'T Collect
Email	Metadata (subject, sender, date)	Email body content
Directory	Business contact info	Personal addresses, SSNs
Activity	Sign-in events	Detailed browsing history
Invoices	Billing amounts, dates	Full invoice imagery stored

Data Retention

Data Type	Retention Period
Account Data	Duration of account + 30 days
Organization Data	Duration of subscription + 30 days
Analytics	12 months
Logs	30 days

Data Deletion

User Request: Data deleted within 30 days of verified request
Account Termination: Data deleted within 30 days after export period
Secure Deletion: Data securely wiped, not just marked deleted

Monitoring & Incident Response

Security Monitoring

Capability	Implementation
Logging	Centralized logging of all system events
Alerting	Real-time alerts for suspicious activity
Error Tracking	Automated error detection and notification
Uptime Monitoring	Service availability monitoring

Incident Response

Response Process:

Detection: Automated monitoring or reported incident
Triage: Assess severity and scope
Containment: Isolate affected systems
Investigation: Determine root cause
Remediation: Fix vulnerability and restore service
Notification: Notify affected parties per DPA requirements
Post-Mortem: Document lessons learned

Notification Timeline:

Customer notification: Within 48 hours of confirmed breach
Regulatory notification: As required by GDPR (72 hours)

Contact for Security Incidents

Email: security@coaxsecurity.com

Include:

Description of the incident
Time of discovery
Systems or data involved
Your contact information

Compliance

Current Compliance

Standard	Status
GDPR	Compliant
Danish Data Protection Act	Compliant
Microsoft Graph API Policies	Compliant

Compliance Roadmap

Certification	Status	Timeline
SOC 2 Type II	Planned	2026-2027
ISO 27001	Planned	Future

We are actively working toward formal security certifications. Contact us for current security assessment reports or to complete vendor security questionnaires.

Vendor Security

Subprocessor Assessment

All third-party vendors undergo security review:

Security practices evaluation
Privacy policy review
DPA requirements verification
Compliance certification check (SOC 2, ISO 27001)

Current Subprocessors

See our Subprocessor List for details on each vendor's security posture.

Responsible Disclosure

We appreciate the security research community's efforts to improve security. If you discover a security vulnerability:

How to Report

Email: security@coaxsecurity.com

Include:

Description of the vulnerability
Steps to reproduce
Potential impact
Your contact information (optional for anonymous reports)

Our Commitment

Acknowledgment: We'll acknowledge receipt within 48 hours
Investigation: We'll investigate and provide updates
No Retaliation: We won't pursue legal action against good-faith researchers
Recognition: With your permission, we'll credit you in our changelog

Scope

In Scope:

coaxsecurity.com and subdomains
Coax application and API
Authentication flows

Out of Scope:

Third-party services (report directly to them)
Social engineering attacks
Physical security
Denial of service testing

Security FAQs

Do you store my Microsoft 365 password?

No. We use OAuth 2.0, so you authenticate directly with Microsoft. We receive an access token, never your password.

Do you read my emails?

We search email metadata (subject, sender, date) from known SaaS vendors only. We do NOT read or store email body content. Emails are processed in-memory for billing detection and immediately discarded.

Where is my data stored?

Primary data is stored in Google Cloud Platform's Belgium (europe-west1) region within the EU.

Who at Coax can access my data?

Only authorized personnel with a legitimate operational need can access production systems. All access is logged and audited.

What happens if Coax is acquired?

Your data will be handled according to the Terms of Service and Data Processing Agreement. You would be notified of any ownership change.

Contact

For security questions or concerns:

Security Team: security@coaxsecurity.com

Privacy Team: privacy@coaxsecurity.com

General Legal: legal@coaxsecurity.com

This Security Practices document is also available at: https://coaxsecurity.com/legal/security