Trust portal

Built audit-ready by default.

Every Praxara customer gets the evidence pack their auditor needs. Hosting in the EU, encryption end-to-end, MFA on by default for admins, SHA-256 chained audit log that any inspector can verify.

Azure West EU

Default hosting region

AES-256 + TLS 1.3

Encryption

MFA on by default

Admin authentication

SHA-256 chain

Tamper-evident audit

Procurement quick-share

One-pagers

Print-friendly summaries you can save as PDF and forward to security, procurement or your auditor. No Praxara account needed; the same content lives on this site.

Praxara at a glance

Positioning, frameworks, hosting, sub-processors, pricing, procurement contacts.

Open and print →

Security posture

Hosting, encryption, identity, audit chain, application security, DR, certifications.

Open and print →

AI governance posture

EU AI Act Articles 9 / 11 / 13 / 14 mapping, Annex 22 alignment, change-control.

Open and print →

Sample Compliance Pack (redacted)

Representative 8-artefact bundle with no customer data. Same structure your real pack will have on day-one of your pilot.

Download ZIP →

EU AI Act readiness checklist

28 self-assessment items across Articles 9 / 11 / 13 / 14 / 16 / 17 / 26 / 50 / 72.

Open and print →

Annex 22 readiness checklist

24 items across data governance, validation, oversight, audit, change-control.

Open and print →

Hosting

Azure West Europe by default. Regional residency on request.

Default region: West Europe (Netherlands)

All production data sits in Microsoft Azure West Europe. Geo-paired backups in North Europe (Ireland) for disaster recovery. UK South region available on request for customers whose data-protection officer requires UK-only residency.

Regional data residency

Database, blob storage, queue, search index and email outbox are all pinned to the customer's region. We do not replicate Controller personal data outside the EEA + UK without an executed SCC and a Transfer Impact Assessment.

Sub-processors disclosed + notified

Full sub-processor list maintained at /legal/subprocessors. Customers are notified at least 14 days before we onboard a new sub-processor and can object on reasonable grounds (DPA Art. 28(2)).

Network + isolation

App Service + managed Postgres on a private VNet. No direct database exposure to the public internet. Tenant isolation enforced at app middleware + Postgres row-level-security policies (defence in depth).

Encryption

TLS 1.3 in transit, AES-256 at rest, keys in Azure Key Vault.

In transit

TLS 1.3 enforced (TLS 1.2 minimum). HSTS preload. Modern cipher suites only. mTLS available on Enterprise for customer VPN ingress.

At rest

AES-256 on every Azure Blob container, every Postgres volume, every queue payload. Backups encrypted with the same key class. Customer-managed keys (CMK) available on Enterprise.

Key management

All secrets and signing keys live in Azure Key Vault with HSM-backed protection on Enterprise. Quarterly rotation for symmetric keys, automatic rotation for managed certificates. No secret material ever in code or env files in the repository.

Authentication

MFA on by default for admins. SAML SSO on Enterprise.

Multi-factor authentication

MFA (TOTP) is enforced for every ADMIN user by default. Tenant administrators can enforce MFA for all users in a single switch. Backup codes are bcrypt-hashed and shown once. Recovery requires another administrator.

SAML SSO (Enterprise)

SAML 2.0 SSO with Azure AD, Okta, Google Workspace, and OneLogin. Just-in-time user provisioning, group-to-role mapping, and forced re-authentication for sensitive actions.

Password policy (NIST 800-63B aligned)

Minimum 12 characters, banned-password list checked against HaveIBeenPwned, bcrypt at cost-12, no forced rotation (per NIST guidance), automatic lockout after repeated failures.

Session management

JWT access tokens (15 min) with rotating refresh tokens (7 d). Per-device session list with one-click revoke. All tokens revoked on password change, MFA reset, or admin-initiated lockout.

Audit chain

SHA-256 chained, ALCOA+ aligned, verifiable on demand.

Every action — login, document upload, AI call, e-signature, export — is written to an append-only audit log. Each row contains a SHA-256 hash of itself plus the previous row, so tampering anywhere in the chain breaks every later row's hash.

The audit log is ALCOA+ aligned: Attributable, Legible, Contemporaneous, Original, Accurate — plus Complete, Consistent, Enduring, Available. This is the form an FDA or MHRA inspector expects.

Tenant administrators can verify the chain on demand from app.praxara.io/audit and export a CSV for inspector review.

What gets logged

User logins, MFA challenges, role changes, document uploads + downloads, AI model calls (provider, model, tokens, cost, latency), workflow transitions, e-signature events, settings changes, sub-processor changes, GDPR DSR actions, and admin-side configuration changes. Retention: 7 years on Enterprise (configurable), 13 months on Professional.

Certifications + attestations

What we have, what's in flight, what's next.

SOC 2 Type IIStatus: In observation Q1 2026 — target Q3 2026 awarded

AICPA Trust Services Criteria — Security, Availability, Confidentiality. External auditor engaged.

Observation period started Q1 2026. Type II report issued under NDA.

ISO/IEC 27001:2022Status: Gap analysis Q1 2026 — target Q4 2026

Information Security Management System covering policy, people, technology and operations. SoA + Annex A controls maintained in docs/compliance/.

Gap analysis complete. Stage 1 audit booked H2 2026.

Cyber Essentials Plus (UK)Status: Target Q2 2026

IASME / NCSC scheme covering boundary firewalls, secure configuration, access control, malware protection and patch management.

Self-assessment complete; technical audit in scheduling.

Annual penetration testStatus: First test Q1 2026 — annual cadence

Black-box + authenticated testing of web app, API, and tenant isolation by an independent CREST-accredited tester.

Attestation letter and remediation summary on request under NDA.

Customers under NDA may request observation-period letters, gap-analysis reports, and pen-test attestations from [email protected].

Operations

Live operational evidence.

Sub-processor list

Maintained list of every third-party service that processes customer data, with purpose, data category, region and audit cadence. View list

Status page

Real-time status of API, dashboard, marketing site, document storage and audit chain. Last 90 days of uptime visible to anyone. status.praxara.io

Vulnerability disclosure

Security researchers can report findings to [email protected]. We acknowledge within 24 h, fix critical issues within 14 d, and credit reporters who consent. Bug-bounty programme launching H2 2026.

Responsible AI

Decision support, never auto-submit.

Human in the loop, always. Every AI output is reviewed and e-signed by a qualified human before export. Praxara does not auto-submit to any regulator.

No training on your data. Enterprise terms with Anthropic, Google, OpenAI and Azure exclude training use of customer inputs. Inputs are not retained beyond the call by any of the listed sub-processors.

Model card per skill. Every skill has a model card with intended use, training data scope, evaluation, known limitations, residual risks. Cards live in /admin/ai-governance.

EU AI Act ready. Article 9 risk register, Article 11 technical documentation, Article 13 transparency obligations and Article 14 human oversight controls all maintained in-platform.

Auditable to the model call. Any claim in any output can be traced back to the exact model call that produced it and the reviewer who approved it.

Drift detection. Skill outputs benchmarked weekly against a fixed evaluation set; regressions raise alerts in /admin/drift.

See it against your own documents.

20-minute demo. Bring a redacted CSR, PSMF, or ICSR. We'll run it live end-to-end.

Book a demo Pricing