Security

Security is foundational to ExecCortex. This page describes the technical controls, organizational practices, compliance commitments, and disclosure processes we use to protect your data and the integrity of the platform.

Last updated: May 2026 | Effective: May 1, 2026

1. Our Security Philosophy

ExecCortex is an intelligence platform processing sensitive eCommerce data — orders, customer PII, financial information, ad spend, and AI-generated insights. We treat security not as a compliance checkbox but as a core product requirement. Every engineering decision considers confidentiality, integrity, and availability.

Our security program follows the NIST Cybersecurity Framework and is aligned with SOC 2 Type II criteria (audit in progress). We undergo annual third-party penetration testing and operate a continuous vulnerability management program.

2. Encryption

Data at rest:

  • All Customer Data is encrypted at rest using AES-256-GCM
  • Database volumes are encrypted using AWS EBS encryption with KMS-managed keys
  • Sensitive fields (OAuth tokens, API keys, webhook secrets) use envelope encryption with AWS KMS — each tenant's secrets are encrypted with a unique Customer Master Key (CMK)
  • S3 storage (backups, exports) uses server-side encryption with AWS S3 SSE-KMS

Data in transit:

  • All connections between clients and the ExecCortex platform use TLS 1.3
  • TLS 1.0 and 1.1 are disabled on all endpoints
  • We enforce HSTS (HTTP Strict Transport Security) with a 1-year max-age on all web properties
  • Internal service-to-service communication uses mutual TLS (mTLS) within our VPC

3. Access Control

Customer account access:

  • Password authentication requires a minimum of 12 characters
  • Two-factor authentication (TOTP and hardware key) is available on all paid plans
  • Role-based access control (RBAC): Owner, Admin, Analyst, and Read-only roles with granular permissions
  • SSO via SAML 2.0 is available on Enterprise plans
  • Session tokens expire after 24 hours of inactivity
  • All login events and permission changes are logged in the audit trail

Internal access by ExecCortex staff:

  • All engineering and operations staff use hardware security keys (FIDO2/WebAuthn) for privileged access
  • Production environment access is gated by a Privileged Access Management (PAM) system with session recording
  • No ExecCortex employee can access Customer Data without a documented, time-limited justification
  • All privileged access events are logged, reviewed weekly, and audited quarterly
  • Background checks are conducted on all employees with production access

4. Network and Infrastructure Security

  • All production infrastructure runs in AWS Virtual Private Clouds (VPCs) with private subnets for databases and internal services
  • Web Application Firewall (WAF) — AWS WAF + Cloudflare — protects all public endpoints from OWASP Top 10 threats
  • DDoS protection via Cloudflare with automatic traffic scrubbing at the edge
  • Network access control lists (NACLs) and security groups enforce least-privilege ingress/egress rules
  • All outbound traffic from production systems is routed through a monitored egress proxy
  • Intrusion Detection System (IDS) monitors network traffic for anomalous patterns
  • All infrastructure changes are made via Infrastructure-as-Code (Terraform); manual console changes are blocked in production

5. Application Security

  • All code undergoes peer review before merging to production
  • Static Application Security Testing (SAST) is run on every pull request using Semgrep
  • Software Composition Analysis (SCA) identifies vulnerable dependencies on every build
  • Dynamic Application Security Testing (DAST) is performed monthly on staging environments
  • SQL injection is prevented by parameterized queries via Prisma ORM — raw SQL is prohibited
  • All user input is validated and sanitized server-side before processing
  • Output encoding is applied to prevent XSS across all rendering contexts
  • Content Security Policy (CSP) headers are enforced on all web pages
  • Secrets are never committed to version control — scanning is enforced at the git hook and CI level
  • Dependencies are automatically updated weekly via Dependabot with required security reviews

6. Data Isolation and Multi-Tenancy

ExecCortex is a multi-tenant platform. Tenant isolation is enforced at every layer:

  • All database queries are scoped to the authenticated tenant's ID at the application layer
  • Tenant IDs are validated on every API request — no cross-tenant data access is architecturally possible
  • AI inference requests include only the requesting tenant's data — no cross-tenant context bleeding
  • Export and webhook payloads are validated to prevent data exfiltration to wrong endpoints
  • Penetration testing specifically targets tenant isolation each year

7. Business Continuity and Disaster Recovery

  • Database backups: Automated daily snapshots with 30-day retention. Point-in-time recovery available for the last 7 days
  • Multi-AZ deployment: All production services run across multiple AWS Availability Zones for high availability
  • Recovery Time Objective (RTO): < 4 hours for a full regional outage
  • Recovery Point Objective (RPO): < 1 hour (last backup restoration point)
  • Disaster recovery runbooks are tested quarterly
  • Status updates during incidents are published in real time at status.execcortex.com

8. Third-Party Security

Before onboarding any sub-processor or vendor with access to Customer Data, we conduct security due diligence including review of their SOC 2 reports or equivalent, penetration testing results, and data processing agreements.

Key vendor security postures:

  • AWS: SOC 2 Type II, ISO 27001, PCI DSS Level 1
  • Cloudflare: SOC 2 Type II, ISO 27001
  • Stripe: SOC 2 Type II, PCI DSS Level 1
  • OpenAI: SOC 2 Type II, zero data retention on API (no training on customer data)
  • Anthropic: SOC 2 Type II, API data is not used to train Claude models

9. Incident Response

ExecCortex maintains a documented Incident Response Plan aligned with NIST SP 800-61. Key elements:

  • Detection: Automated alerts from CloudWatch, Datadog, and Sentry trigger on-call pages 24/7
  • Triage: All security alerts are triaged within 15 minutes by the on-call engineer
  • Containment: Compromised systems are isolated within minutes using automated runbooks
  • Eradication: Root cause analysis and remediation within 24 hours for critical incidents
  • Recovery: Verified clean restoration from backup or rollback
  • Post-incident review: Published internally within 5 business days; customer-facing incident reports for significant events
  • Customer notification: Affected customers are notified within 72 hours of confirmed incidents involving their data

10. Compliance and Certifications

  • GDPR: Compliant — DPA, SCCs, EU data residency option available
  • SOC 2 Type II: Audit in progress — report expected Q4 2026. SOC 2 Type I report available on request under NDA
  • PCI DSS: ExecCortex does not store, process, or transmit card data directly. All payment processing is handled by Stripe (PCI DSS Level 1)
  • CCPA/CPRA: Compliant — privacy rights controls available in-platform
  • ISO 27001: In planning — certification target 2027
  • Penetration testing: Annual external pentest by a CREST-accredited firm; reports available under NDA for Enterprise customers

11. Responsible Disclosure Program

ExecCortex operates a responsible disclosure program. If you discover a security vulnerability in our platform, we ask that you:

  • Report it to security@execcortex.com as soon as possible
  • Include a description of the vulnerability, steps to reproduce, and potential impact
  • Give us reasonable time to investigate and remediate before any public disclosure
  • Not exploit the vulnerability beyond what is necessary to confirm it exists
  • Not access, modify, or exfiltrate data belonging to other customers

We commit to:

  • Acknowledge your report within 24 hours
  • Provide an initial triage response within 5 business days
  • Notify you when the vulnerability has been remediated
  • Recognize your contribution publicly (with your permission) in our security hall of fame
  • Consider bug bounty rewards for critical and high-severity findings (up to $1,000 for critical vulnerabilities)

Safe harbor: ExecCortex will not pursue legal action against researchers who follow these guidelines in good faith.

12. Employee Security

  • Security awareness training is required for all employees on hire and annually
  • Phishing simulation exercises are conducted quarterly
  • All employee devices are enrolled in MDM with full-disk encryption and remote-wipe capability
  • Off-boarding includes access revocation across all systems within 1 hour
  • Background screening is conducted for all employees and contractors with access to production systems

13. Contact

Security concerns and vulnerability reports: security@execcortex.com

For urgent security incidents involving your account, contact us at security@execcortex.com with 'URGENT' in the subject line. We monitor this inbox 24/7.

For compliance documentation requests (SOC 2 report, DPA, penetration test summary): support@execcortex.com

Questions about this document?
We respond within one business day.
support@execcortex.com