Security at Propolyx
Built for the security posture you require.
Enterprise procurement runs on confidential data — pricing schedules, security architectures, win/loss intelligence. Propolyx is built so that data stays under your control by default, not after a compliance review.
Customer-managed KMS
Every tenant's documents are encrypted at rest with a customer-managed KMS key. Propolyx holds no decryption authority outside the customer's KMS policy.
Tenant-isolated storage
S3 storage is partitioned by tenant ID, and bucket policies deny any access outside the requesting tenant's prefix. AWS Organizations Service Control Policies cap what any IAM role in the account can do, so the boundary holds even if a role's own IAM policy is over-granted.
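The two policies the Customer-managed KMS and Tenant-isolated storage items describe, shown together as an added example (this is not Propolyx's own code or policy text). The bucket name, account and role ARNs, the `tenants/<tenant_id>/` prefix layout, and the use of a `kms:EncryptionContext:tenant_id` condition as the per-tenant guard on the customer-managed key are all assumptions for illustration. The small evaluator applies the IAM rule that matters here, explicit Deny beats Allow and no matching Allow is an implicit deny, so you can see the cross-tenant request fail without an AWS account.

```python
"""Tenant-scoped S3 bucket policy and customer-managed KMS key policy,
checked with a minimal IAM-style evaluator.

Added example, not Propolyx's code. BUCKET, ACCOUNT, the role ARN format,
the tenants/<tenant_id>/ prefix layout and the kms:EncryptionContext
condition are assumptions for illustration.
"""
import fnmatch
import json

BUCKET = "propolyx-docs"        # assumed bucket name
ACCOUNT = "123456789012"        # assumed (fictional) service account id


def role_arn(tenant_id: str) -> str:
    """Assumed naming convention: one service role per tenant."""
    return f"arn:aws:iam::{ACCOUNT}:role/propolyx-tenant-{tenant_id}"


def tenant_bucket_policy(tenant_id: str) -> dict:
    """Allow the tenant role only its own prefix and explicitly deny all
    other S3 actions on the bucket. The Deny wins over any Allow attached
    elsewhere, so an over-granted identity policy still cannot cross tenants.
    """
    own = f"arn:aws:s3:::{BUCKET}/tenants/{tenant_id}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowOwnPrefix", "Effect": "Allow",
             "Principal": {"AWS": role_arn(tenant_id)},
             "Action": ["s3:GetObject", "s3:PutObject"], "Resource": own},
            {"Sid": "DenyEverythingElse", "Effect": "Deny",
             "Principal": {"AWS": role_arn(tenant_id)},
             "Action": "s3:*", "NotResource": own},
        ],
    }


def tenant_key_policy(tenant_id: str) -> dict:
    """Customer-managed key policy: the service role may use the key only when
    the request's encryption context names this tenant, so a key for tenant A
    can never unwrap a data key that was wrapped for tenant B (assumed design).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "UseOnlyForThisTenant", "Effect": "Allow",
            "Principal": {"AWS": role_arn(tenant_id)},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": "*",
            "Condition": {"StringEquals": {"kms:EncryptionContext:tenant_id": tenant_id}},
        }],
    }


def _match(pattern, value: str) -> bool:
    """IAM-style glob match; a list matches if any element matches."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _conditions_hold(cond: dict, ctx: dict) -> bool:
    """Only the two string operators used above are implemented; anything
    else raises so the toy evaluator never silently passes a condition."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals" and have != want:
                return False
            if op == "StringNotEquals" and have == want:
                return False
            if op not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported condition operator {op}")
    return True


def evaluate(policy: dict, principal: str, action: str, resource: str, ctx=None) -> str:
    """Explicit Deny beats Allow; no matching Allow is an implicit deny."""
    ctx = ctx or {}
    allowed = False
    for st in policy["Statement"]:
        if not _match(st["Principal"]["AWS"], principal):
            continue
        if not _match(st["Action"], action):
            continue
        if "Resource" in st and not _match(st["Resource"], resource):
            continue
        if "NotResource" in st and _match(st["NotResource"], resource):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "DENY (explicit)"
        allowed = True
    return "ALLOW" if allowed else "DENY (implicit)"


if __name__ == "__main__":
    acme = tenant_bucket_policy("acme")
    print(json.dumps(acme, indent=2))
    own_doc = f"arn:aws:s3:::{BUCKET}/tenants/acme/q3-pricing.pdf"
    other_doc = f"arn:aws:s3:::{BUCKET}/tenants/globex/q3-pricing.pdf"
    print("own object:   ", evaluate(acme, role_arn("acme"), "s3:GetObject", own_doc))
    print("other tenant: ", evaluate(acme, role_arn("acme"), "s3:GetObject", other_doc))
    key = tenant_key_policy("acme")
    print("decrypt, right context:", evaluate(key, role_arn("acme"), "kms:Decrypt", "*",
                                              {"kms:EncryptionContext:tenant_id": "acme"}))
    print("decrypt, wrong context:", evaluate(key, role_arn("acme"), "kms:Decrypt", "*",
                                              {"kms:EncryptionContext:tenant_id": "globex"}))
```

Two caveats a practitioner would want. First, the evaluator above is a teaching aid: real authorisation also folds in Service Control Policies, permission boundaries and session policies, so confirm the boundary with the IAM policy simulator or IAM Access Analyzer against the actual account rather than with this script. Second, the blanket Deny on `s3:*` also blocks `s3:ListBucket` (its resource is the bucket ARN, not an object key), which is what stops one tenant enumerating another's key names; if a tenant role legitimately needs to list its own prefix, add an Allow for `s3:ListBucket` gated by an `s3:prefix` condition rather than loosening the Deny.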
Encrypted in transit
TLS 1.3 is enforced for all external traffic. Internal service-to-service traffic is authenticated with mTLS and carried over AWS PrivateLink where supported.
Auditable everything
Every generation, edit, approval, and export is written to a Propolyx-AuditLog DynamoDB table with a 90-day default retention (configurable).
Dedicated AWS account (Enterprise)
Enterprise tenants get a dedicated AWS account boundary — not a logical partition inside a shared account.
24/7 SOC
Round-the-clock security operations centre with a P0 time-to-detection target of under 15 minutes and customer notification within 1 hour for incidents affecting confidentiality, integrity, or availability.
Certifications & attestations
Posture as of May 2026.
- GDPR: Compliant · DPA available (Ready)
- SOC 2 Type I: Engagement starting Q3 2026 (Active)
- HIPAA: BAA template available (Active)
- SOC 2 Type II: Roadmap · 2027 (Planned)
- FedRAMP Moderate: Roadmap · 2027 (Planned)
- ISO 27001: Roadmap · 2027 (Planned)
Need reports?
SOC 2 reports (under NDA, as each is issued; see the posture list above for current status), the latest penetration-test summary, and BAA and DPA templates are available on request.
Request documentation