Security FAQ
Straight answers for security teams
The questions enterprise security reviewers, procurement, and technical evaluators raise most often — answered directly, with no hedging. The transport is post-quantum on every packet for every customer. Certifications are scoped alongside the commercial engagements that require them; the architecture is built to carry every control those audits examine.
The first question, answered
“Are you actually post-quantum, or is that marketing?”
It is the wire format, not a slide. The AWT_UNIFIED transport runs a hybrid key exchange — a quantum-safe KEM combined with classical elliptic-curve — on every session, alongside post-quantum identity signatures and authenticated record encryption. There is no “classic mode” toggle and no per-customer downgrade: the same suite protects every packet for every tenant.
The posture aligns to the US NSA CNSA 2.0 suite in full and to UK NCSC post-quantum guidance. That answers the harvest-now-decrypt-later question for regulated buyers in one line: traffic captured today is not decryptable by a future quantum adversary.
Post-quantum cryptography
The primitives behind every session
Procurement & assurance
Certifications, controls, and how we operate
SOC 2
Commissioned on customer scopeOur engineering practices — logical access control, change management, continuous monitoring, encryption, incident response — are structured against the SOC 2 Trust Service Criteria. The evidence bundle that would feed a Type II audit is produced and maintained today, and git history is treated as an append-only change log (no rewrites of pushed commits).
The formal SOC 2 engagement is scoped alongside the commercial contract that requires it, rather than carried on the marketing site as a generic certificate. If your procurement requires SOC 2 Type II at signing, raise it in the commercial conversation and we will scope the auditor work alongside the engagement.
ISO 27001
Commissioned on customer scopeInformation security management practices are documented and followed internally: access control policy, secure development lifecycle, incident response, asset management, supplier risk, and cryptographic controls.
The ISO 27001 certification engagement is scoped alongside the customer contract that triggers it — the ISMS documentation is already written to drop into the audit scope.
HIPAA
Commissioned on customer scopeAegisWire ships the technical controls healthcare operators require: quantum-resistant encryption in transit and at rest, per-tenant isolation, comprehensive tamper-evident audit logging, and role-based access control. Tunnel traffic content is never stored, inspected, or logged.
HIPAA has no formal certification — it is a statutory framework enforced through Business Associate Agreements. A negotiated BAA and a formal HIPAA security risk assessment are bundled with healthcare engagements.
GDPR & UK GDPR
AegisWire is operated by ITLOX LTD (England & Wales) and ITLOX, Inc. (Delaware, USA), so EU/UK data protection is a first-class design constraint, not a bolt-on. We provide a Data Processing Addendum and Standard Contractual Clauses / IDTA on request, and self-hosted and regional-gateway deployments give you full data-residency control.
Because the gateway sees routing metadata only — never tunnel content — the data-minimisation and purpose-limitation principles are enforced by the architecture itself, not by policy promises alone.
How do you test security?
ContinuousSecurity testing is continuous and adversarial, run by the same cryptographic engineering team that builds the platform — the people attacking it are the people who know exactly where it could break.
Independent penetration testing follows the same model as our formal certifications: commissioned on customer scope, alongside the enterprise engagement that requires it.
What data do you store?
DocumentedWe do not store, inspect, or log tunnel traffic content. The gateway sees routing metadata only — the payload is end-to-end encrypted under per-session post-quantum keys it never holds.
Can you offer self-hosted deployment?
Yes. AegisWire supports multiple deployment models, all running the same post-quantum security architecture — and gateways are multi-vendor, so you are never locked to a single cloud:
What happens when something fails?
The platform fails closed. If trust cannot be established or a session goes stale, traffic is blocked — never silently sent in the clear.
Do you offer behavioural threat detection?
Licensed plugin Licensed Add-OnAI Sentinel is a separately licensed add-on that layers anomaly detection on top of the transport — entity-graph and temporal detectors plus device-posture admission, so a session can be required to prove the endpoint’s security posture before it is admitted.
It runs in monitor-first mode and is tenant-isolated: models do not train across tenants. Sentinel is optional — the core post-quantum transport and fail-closed posture stand on their own without it.
Do you support customer security reviews?
Yes. We welcome security reviews as part of procurement evaluation. We can provide:
- Architecture documentation and a security-design overview
- Completed security questionnaires (CAIQ, SIG, or your format)
- Data processing addendum and privacy documentation
- Direct technical discussion with the engineering team
Contact security@aegiswire.com to begin a review.
How do you handle vulnerabilities?
Policy publishedWe maintain a published Vulnerability Disclosure Policy with safe-harbour provisions for good-faith security researchers.
Talk to engineering
Request an architecture briefing
A technical walkthrough of the transport, trust model, and deployment options — mapped to your environment and procurement requirements.