Security FAQ

Security Questions

Direct answers to the questions enterprise security teams, procurement reviewers, and technical evaluators raise most often. Certifications are scoped alongside the commercial engagements that require them — the architecture is built to carry every one of them.

CNSA 2.0 (US NSA) & NCSC-aligned (UK) — every customer, every packet

SOC 2

Commissioned on customer scope

AegisWire's engineering practices — logical access control, change management, continuous monitoring, encryption, incident response — are structured against the SOC 2 Trust Service Criteria. The evidence bundle that would feed a Type II audit is produced and maintained today.

The formal SOC 2 engagement is scoped alongside the commercial contract that requires it, rather than carried on the marketing site as a generic certificate. If your procurement requires SOC 2 Type II at signing, raise it in the commercial conversation and we will scope the auditor work alongside the engagement.

ISO 27001

Commissioned on customer scope

Information security management practices are documented and followed internally: access control policy, secure development lifecycle, incident response, asset management, supplier risk, and cryptographic controls.

The ISO 27001 certification engagement is scoped alongside the customer contract that triggers it — the ISMS documentation is already written to drop into the audit scope.

HIPAA

Available under commercial engagement

AegisWire ships the technical controls healthcare operators require: quantum-resistant encryption at rest and in transit, per-tenant isolation, comprehensive tamper-evident audit logging, and role-based access control.

HIPAA has no formal certification — it is a statutory framework enforced through Business Associate Agreements. A negotiated BAA and a formal HIPAA security risk assessment are bundled with healthcare engagements.

How do you test security?

Active

Security testing is internal and founder-led. The founding team has a cryptographic engineering background and performs adversarial testing against the platform continuously.

Static analysis — gosec and staticcheck run in CI on every commit. Build fails on findings.
Dependency scanning — Automated monitoring of known vulnerabilities in the dependency tree.
Internal adversarial testing — Founder-led security testing against authentication, authorisation, API boundaries, and the transport protocol.
Type-safe languages — Go and Rust with strict compiler settings eliminate classes of memory-safety and type-confusion vulnerabilities.

No external penetration test has been conducted. This is on our roadmap.
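As an added illustration of the CI gate described above (static analysis and dependency scanning that fail the build on findings), the workflow below shows how such a gate is commonly wired up. It is example configuration written for this page, not AegisWire's own pipeline: the use of GitHub Actions, the Go version, the action versions, and the choice of govulncheck as the dependency scanner are all assumptions.

```yaml
# Added example: a GitHub Actions workflow that gates every push and pull
# request on gosec, staticcheck and govulncheck. This illustrates the kind
# of gate the FAQ describes; it is not AegisWire's actual CI configuration.
# Assumptions: GitHub Actions, Go 1.22, govulncheck as the dependency scanner.
name: security-gates

on:
  push:
  pull_request:

# Least privilege for the workflow token: the job only needs to read the repo.
permissions:
  contents: read

jobs:
  static-analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version: '1.22'

      # In a real pipeline, pin each tool to a specific version instead of
      # @latest so a new upstream release cannot silently change which
      # findings break the build.
      - name: Install analysis tools
        run: |
          go install github.com/securego/gosec/v2/cmd/gosec@latest
          go install honnef.co/go/tools/cmd/staticcheck@latest
          go install golang.org/x/vuln/cmd/govulncheck@latest

      # gosec exits non-zero when it reports any finding, so the job fails.
      # No severity filter or exclusions are applied: every finding blocks.
      - name: gosec
        run: gosec ./...

      # staticcheck likewise exits non-zero on any reported problem.
      - name: staticcheck
        run: staticcheck ./...

      # Dependency scanning: govulncheck compares the module graph against
      # the Go vulnerability database and exits non-zero when a vulnerable
      # function reachable from this code is found.
      - name: govulncheck
        run: govulncheck ./...
```

Each step runs as its own job step so the failing tool is visible by name in the run summary; because every tool returns a non-zero exit status on findings, no extra wrapper is needed to make the build fail.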

What data do you store?

Documented

Subscription and billing data — Organisation details, plan tier, payment metadata.
Metering events — Connection counts, data transfer volumes, device enrollments. Used for billing and capacity.
Audit logs — Security-relevant operations: authentication events, policy changes, administrative actions.
Device enrollment records — Device identity, certificate bindings, enrollment status.
Policy configurations — Network policies, access rules, gateway assignments.

We do not store, inspect, or log tunnel traffic content. AegisWire sees routing metadata only.

Can you offer self-hosted deployment?

Yes

AegisWire supports three deployment models, all running the same security architecture:

Managed cloud — We manage infrastructure, updates, and operations. Per-tenant isolation with dedicated management platform.
Self-hosted — Deploy on your own cloud or on-premises infrastructure. Full data residency control.
Hardware appliance — Pre-configured hardware with local PostgreSQL and hardware-bound licensing. Suitable for edge and sovereign deployments.

Do you support customer security reviews?

Yes

We welcome security reviews as part of procurement evaluation. We can provide:

  • Architecture documentation and security design overview
  • Completed security questionnaires (CAIQ, SIG, or your format)
  • Data processing addendum and privacy documentation
  • Direct technical discussion with the engineering team

Contact security@aegiswire.com to begin a review.

How do you handle vulnerabilities?

Policy Published

We maintain a published Vulnerability Disclosure Policy with safe harbour provisions for good-faith security researchers.

48-hour acknowledgement on all reports to security@aegiswire.com
5-business-day triage with severity assessment and initial response
Safe harbour for researchers who follow the disclosure policy
Ongoing communication with the reporter throughout remediation