Praxara Ltd · Effective 1 May 2026

Security posture

A one-page summary of Praxara's security controls, hosting, identity and incident response

Hosting + tenancy

Microsoft Azure UK South + West Europe. App Service (B1) · Postgres Flexible Server (B_Standard_B2s) · Redis Cache · Blob storage with content-addressable SHA-256 keys. Customer Data is row-isolated by tenantId; on every API request, middleware asserts that the user's tenantId matches the tenantId of the resource being accessed.
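The per-request tenant assertion described above, as an added example that is not Praxara's code: an Express-style guard that compares the session's tenantId with the loaded row's tenantId before the handler runs. It assumes req.user was set by an earlier session-verification middleware; the resource loader is injected (synchronous here, over a constructed in-memory table) so the example runs without Express or a database.

```javascript
// Added example (not Praxara's code): an Express-style guard that enforces
// the tenantId check described above. req.user is assumed to be set by an
// earlier session-verification middleware; the resource loader is injected
// so the example runs without Express or a database.
function requireSameTenant(loadResource) {
  return function tenantGuard(req, res, next) {
    const user = req.user;
    // The tenant comes from the verified session only, never from the
    // request body, query or headers, which the caller controls.
    if (!user || typeof user.tenantId !== 'string') {
      return res.status(401).json({ error: 'unauthenticated' });
    }
    const resource = loadResource(req.params.id);
    // Deny by default: a missing row and a row in another tenant get the
    // same answer, so the response does not reveal that the id exists.
    if (!resource || resource.tenantId !== user.tenantId) {
      return res.status(404).json({ error: 'not found' });
    }
    req.resource = resource; // downstream handler uses the already-checked row
    return next();
  };
}

// Minimal stand-in for Express's res object.
function fakeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Constructed in-memory table standing in for tenant-scoped Postgres rows.
const ROWS = {
  'doc-1': { id: 'doc-1', tenantId: 'tenant-a', title: 'SOP-17' },
  'doc-2': { id: 'doc-2', tenantId: 'tenant-b', title: 'SOP-42' },
};
const loadById = (id) => ROWS[id] || null;

// Push one request through the guard and report the outcome.
function tryAccess(user, id) {
  const req = { user, params: { id } };
  const res = fakeRes();
  let reachedHandler = false;
  requireSameTenant(loadById)(req, res, () => { reachedHandler = true; });
  return { status: res.statusCode, allowed: reachedHandler, resource: req.resource || null };
}

const alice = { id: 'u-1', tenantId: 'tenant-a' };
console.log(tryAccess(alice, 'doc-1'));     // own tenant: allowed, status 200
console.log(tryAccess(alice, 'doc-2'));     // other tenant: denied, status 404
console.log(tryAccess(undefined, 'doc-1')); // no session: status 401
```

In a real app the guard is mounted once per route family (for example `app.get('/api/docs/:id', authenticate, requireSameTenant(loadDoc), handler)`) so no handler can forget the check, and the underlying query still filters on tenant_id as a second line of defence; with a database the loader is async and the guard awaits it.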

Encryption

  • In transit: TLS 1.3, HSTS preload, no TLS <1.2 negotiation
  • At rest: Azure Storage Service Encryption (AES-256) on all blob, Postgres and Redis tiers
  • Secrets: Azure Key Vault, App Service env via @Microsoft.KeyVault references

Identity + access

  • SAML SSO (@node-saml/node-saml) wired; enabled per tenant
  • MFA: TOTP enrolment with backup codes; enforced on login for ADMIN / REVIEWER roles
  • 5-role RBAC: ADMIN · MANAGER · REVIEWER · OPERATOR · VIEWER
  • Session: JWT access (15 min) + refresh (7d default, 30d opt-in via "Remember me")
  • Passwords: bcrypt cost 12, minimum 12 chars, breach-list check on set

Audit + tamper-evidence

  • Append-only AuditLog with SHA-256 hash chain; every row stores previousChecksum + checksum
  • Public verifier endpoint GET /api/audit/verify walks the chain; UI button on /audit
  • 21 CFR Part 11 e-signature on every approval action: re-entered password, controlled-vocabulary reason, signed-by-id
  • ALCOA+ fields on every record

Application security

  • Helmet + CSP, CORS allow-list, rate-limiting per route family
  • Express request middleware audit: IP, user-agent, session id captured on every authenticated call
  • Dependency scanning: GitHub Dependabot weekly; npm audit on CI
  • SAST: ESLint security plugins on CI; secret-scan on every push
  • External penetration test scheduled Sprint W5-W6 (vendor selection in progress)

Backup + DR

  • Azure Postgres point-in-time restore -- 7-day window
  • Daily blob snapshot + soft-delete enabled
  • RPO target 1h / RTO target 4h; first restore drill scheduled W7

Incident response

  • 24-hour breach notification commitment to Customer admins (DPA Article 33)
  • Sentry on the API; Azure Monitor on hosting
  • On-call paging coming online Sprint W8
  • Disclosure: [email protected]

Certifications + frameworks

Working towards -- ISO 27001 (gap analysis Q3 2026, full audit Q4 2026); SOC 2 Type II (first observation window Q3 2026); Cyber Essentials Plus (Q3 2026). HIPAA-readiness statement available at praxara.io/trust. Praxara is not currently SOC 2 / ISO 27001 / Cyber Essentials Plus certified.

Praxara Ltd, registered in England & Wales · [email protected] · praxara.io/trust/one-pager-security