Propolyx.

Security at Propolyx

Built for the security posture you require.

Enterprise procurement runs on confidential data — pricing schedules, security architectures, win/loss intelligence. Propolyx is built so that data stays under your control by default, not after a compliance review.

Customer-managed KMS

Every tenant's documents are encrypted at rest with a customer-managed KMS key. Propolyx holds no decryption authority outside the customer's KMS policy.

Tenant-isolated storage

S3 storage is partitioned by tenant ID with bucket policies that deny cross-tenant access. IAM Service Control Policies enforce the boundary at the role level.

Encrypted in transit

TLS 1.3 enforced for all external traffic. Internal service-to-service traffic uses mTLS via AWS PrivateLink where supported.

Auditable everything

Every generation, edit, approval, and export is written to a Propolyx-AuditLog DynamoDB table with a 90-day default retention (configurable).

Dedicated AWS account (Enterprise)

Enterprise tenants get a dedicated AWS account boundary — not a logical partition inside a shared account.

24/7 SOC

Round-the-clock security operations centre with a P0 time-to-detection target of <15 minutes and customer notification within 1 hour for incidents affecting confidentiality, integrity, or availability (CIA).

Certifications & attestations

Posture as of May 2026.

  • GDPR
    Compliant · DPA available (Ready)
  • SOC 2 Type I
    Engagement starting Q3 2026 (Active)
  • HIPAA
    BAA template available (Active)
  • SOC 2 Type II
    Roadmap · 2027 (Planned)
  • FedRAMP Moderate
    Roadmap · 2027 (Planned)
  • ISO 27001
    Roadmap · 2027 (Planned)

Need reports?

SOC 2 Type II report (under NDA), latest penetration-test summary, BAA, and DPA templates are available on request.
