Security

Enterprise grade security for regulated environments.

SOC 2 Type II certified. Flexible deployment options (cloud-hosted, private VPC, or fully on-premises). Your data stays in your control.

01 / THE FOUNDATIONS

What you need to know.

Oxus is built on the same standards audit teams apply to the systems they review: traceable, access-controlled, and defensible at every step.

i.

SOC 2 Type II

Final report and supporting documentation available at trust.oxus-ai.com.

ii.

US-only data residency

Customer data is stored exclusively in the United States. No cross-border data transfer.

iii.

Dedicated tenant isolation

Each customer is provisioned a dedicated database and dedicated object storage bucket. No shared data stores between tenants.

iv.

No AI training on your data

Customer data is never used to train or improve AI models.

02 / DEPLOYMENT & DATA STORAGE

Flexible enough for your environment.

Not every organization can put audit data in the cloud. Oxus supports cloud-hosted, private VPC, and fully on-premises deployments, with equivalent data storage options.

Deployment options

Oxus-Hosted

Dedicated, logically isolated environment fully managed by Oxus. Fastest to deploy, lowest operational overhead.

Private Cloud / VPC

Deploy into your approved private cloud or VPC with tighter network controls, security tooling alignment, and restricted egress.

Customer-Hosted / On-Prem

Oxus runs entirely within your controlled environment. Application services, data, and AI processing stay inside your network boundary.

Data storage options

Oxus-Managed

Raw evidence files and platform metadata stored in a customer-isolated Oxus environment.

Hybrid

Raw evidence files in your storage; Oxus manages platform metadata and workflow state.

Customer-Managed

Both raw files and platform metadata stored in customer-controlled storage where required.

03 / ACCESS & INFRASTRUCTURE

Controls you can audit.

Audit teams hold their vendors to the same standard they apply to their own systems. Oxus is built to meet that bar.

i.

SSO

Customers can connect their identity provider via SSO. MFA is supported and available for all accounts.

ii.

Role-based access

Separate roles for admins, members, viewers, and auditees. Access is scoped based on role.

iii.

Encryption

AES-256 encryption at rest across all databases and object storage. TLS 1.2+ in transit.

iv.

Vulnerability management

Dependency scanning and DAST run continuously. Public-facing systems scanned quarterly. Annual penetration test.

04 / AI & DATA HANDLING

How AI uses your data.

Oxus uses AI to process audit evidence. Here is exactly how that works, and what we do not do.

No training on your data

Customer data is not used to train or improve AI models, by Oxus or any of our AI subprocessors. This is enforced by provider data processing agreements.

Flexible AI deployment

Oxus can call a customer-hosted LLM, use customer-managed external API credentials, or manage the LLM provider directly, depending on your requirements.

AI augments, auditors decide

AI reduces manual work in evidence gathering, testing, and documentation. Final approvals and sign-offs remain with your team.

Subprocessor agreements

All AI subprocessors are engaged under DPAs covering confidentiality, security, and data-use restrictions.

More detail

Full documentation in our trust center.

Our trust center includes our SOC 2 Type II report, security policies, subprocessor list, and penetration testing summaries. We also complete security questionnaires on request.