Security FAQ

Security Questions

Honest answers to the questions that enterprise security teams, procurement reviewers, and technical evaluators ask most often. We do not dress up gaps as strengths.

Do you have SOC 2?

Not Yet

No. AegisWire does not have SOC 2 Type I or Type II certification. We have not engaged an auditor for this purpose.

Our engineering controls are designed with SOC 2 trust service criteria in mind: logical access controls, change management, system monitoring, encryption, and incident response. We believe these foundations will support a SOC 2 engagement when the time is right.

SOC 2 certification is on our formal assurance roadmap. We will pursue it as the company scales and customer demand warrants the investment.

Are you ISO 27001 certified?

Not Yet

No. We are not ISO 27001 certified. We have not established a formal ISMS under ISO 27001.

Information security management practices are documented and followed: access control policies, secure development lifecycle, incident response procedures, and asset management. These are not certified by a third party.

Formal certification is planned as the company matures. We are transparent that documented discipline is not the same as externally audited certification.

Are you HIPAA compliant?

No

We do not claim HIPAA compliance or certification. There is no formal HIPAA certification standard; in any case, we have not undergone a HIPAA security risk assessment or executed Business Associate Agreements.

AegisWire’s architecture — encryption at rest and in transit, tenant isolation, audit logging, and access controls — provides technical foundations that could support HIPAA-regulated environments. However, we do not claim this without the organisational and procedural controls to back it up.

How do you test security?

Active

Security testing is internal and founder-led. The founding team has a cryptographic engineering background and performs adversarial testing against the platform continuously.

  • Static analysis — gosec and staticcheck run in CI on every commit. Build fails on findings.
  • Dependency scanning — Automated monitoring of known vulnerabilities in the dependency tree.
  • Internal adversarial testing — Founder-led security testing against authentication, authorisation, API boundaries, and transport protocol.
  • Type-safe languages — Go and Rust with strict compiler settings eliminate classes of memory safety and type confusion vulnerabilities.

No external penetration test has been conducted. This is on our roadmap.

What data do you store?

Documented

  • Subscription and billing data — Organisation details, plan tier, payment metadata.
  • Metering events — Connection counts, data transfer volumes, device enrollments. Used for billing and capacity.
  • Audit logs — Security-relevant operations: authentication events, policy changes, administrative actions.
  • Device enrollment records — Device identity, trust anchor bindings, enrollment status.
  • Policy configurations — Network policies, access rules, gateway assignments.

We do not store, inspect, or log tunnel traffic content. AegisWire sees routing metadata only.

Can you offer self-hosted deployment?

Yes

AegisWire supports three deployment models, all running the same security architecture:

  • Managed cloud — We manage infrastructure, updates, and operations. Per-tenant isolation with dedicated control plane.
  • Self-hosted — Deploy on your own cloud or on-premise infrastructure. Full data residency control.
  • Hardware appliance — Pre-configured hardware with local PostgreSQL and hardware-bound licensing. Suitable for edge and sovereign deployments.

Do you support customer security reviews?

Yes

Yes. We welcome security reviews as part of procurement evaluation. We can provide:

  • Architecture documentation and security design overview
  • Completed security questionnaires (CAIQ, SIG, or your format)
  • Data processing addendum and privacy documentation
  • Direct technical discussion with the engineering team

Contact security@aegiswire.com to begin a review.

How do you handle vulnerabilities?

Policy Published

We maintain a published Vulnerability Disclosure Policy with safe harbour provisions for good-faith security researchers.

  • 48-hour acknowledgement on all reports to security@aegiswire.com
  • 5 business day triage with severity assessment and initial response
  • Safe harbour for researchers who follow the disclosure policy
  • Ongoing communication with the reporter throughout remediation