Secret management
- All customer API keys (CEX) stored in HashiCorp Vault Transit.
- All keys encrypted at rest (Vault-managed).
- Per-customer encryption keys; never cross-customer accessible.
- LLM keys (OpenRouter BYOK) stored the same way.
Concentric defense
Layered perimeters, outermost to innermost.
Each request crosses every layer before it can reach a secret. The non-custodial design sits beneath all of them as the final bound.
- 01Cloudflare / DDoS
- 02TLS 1.3
- 03VPC isolation
- 04Service mesh
- 05Per-service access
- 06Vault Transit
Operational controls
Five control domains.
Access control
- Customer accounts: multi-factor auth (TOTP) mandatory.
- Internal access: SSO with hardware-key enforcement (Yubikey / similar).
- Least-privilege principle: production access scoped to specific roles.
- Audit log on all access events.
Infrastructure
- AWS us-east-2 + eu-west-1 (multi-region Phase 2).
- VPC isolation; no public Internet access to internal services.
- TLS 1.3 minimum on all external endpoints.
- DDoS protection (Cloudflare).
Incident response
- 24/7 alerting on production anomalies.
- Under 2-hour business escalation; under 8-hour weekend / holiday.
- Customer notification per incident-severity matrix (Critical = within 24h).
- Post-incident report published per Calibration Report cadence.
Code integrity
- All production code signed.
- CI/CD pipeline with automated tests + property tests for risk-critical modules.
- Code review required for all production changes.
- Dependency vulnerability scanning (Dependabot).
Detailed architecture
Want the full security architecture?
For detailed security architecture, contact security@staxis.ai — shared with enterprise customers and serious prospects under NDA.