Security and Compliance
RAXAR does not improvise security. We apply the same standards as banks and top-tier consulting firms from day one, even before having external clients. Our own internal data lives under the same controls yours will.
Living document · last review: S239 · 2026-04-23
Row-Level Security in PostgreSQL on every table with client data. Isolation is mathematical at the database level, not at the application layer.
PostgreSQL with native encryption. Semantic search on encrypted vector store. TLS 1.3 on every HTTPS endpoint. HSTS with max-age 1 year + preload.
2FA mandatory for administrative roles. Account lockout after 5 failed attempts. Shannon-entropy password policy. Bcrypt 12 rounds.
Strict CSP · X-Frame-Options DENY · X-Content-Type-Options nosniff · Referrer-Policy strict-origin-when-cross-origin · Restrictive Permissions-Policy.
Self-hosted error tracking (Glitchtip). Independent external uptime monitoring. Tested DR runbook with measured RTO · daily offsite backups with tested restore.
Signable DPA available on request. Right-to-erasure endpoint. PII redacted before sending to third-party LLMs. Analytics servers (PostHog) in EU.
We are transparent: we don't yet hold formal external certifications. We planned them based on real commercial traction, not as empty marketing.
GDPR ready: DPA template + export + erasure endpoints
SOC 2 Type I: Audit planned post client traction
ISO 27001: Information security management system
External pen-test: Annual audit with specialized firm
If you've detected a vulnerability, unusual behavior, or any security issue in our systems, we want to hear from you. We respond within 72 hours.
Contact: security@raxar.es
Acknowledgments: /en/seguridad#hall-of-fame
Preferred-Languages: es, en, pt
Policy: /.well-known/security.txt
We will not legally pursue security researchers acting in good faith within a reasonable scope (no data exfiltration · no service disruption · private notification before public disclosure).
Public acknowledgment of researchers who have responsibly reported vulnerabilities. Currently blank · we are in an internal dogfooding phase, and we're proud of that empty space because it means we haven't needed to fill it yet.
If you need a custom DPA, deployment in your cloud environment, isolated infrastructure audit, SSO integration with your corporate IdP, or specific SLA, we can design a tailored enterprise setup.