Solexi Trust Center

Security & Trust

How we protect the most sensitive content you will ever entrust to a digital platform — your memories, your intentions, and your family's future.

Encryption in transit: TLS 1.3 Encryption at rest: AES-256 MFA: available (TOTP) Last reviewed: 2026-03-20

📋 Contents

Security principle Our approach to trust Security controls What is active today Threat model What we protect against Security roadmap 24-month plan Compliance & frameworks Laws and standards Security contact Report a vulnerability

🔒 Security Principle

Trust is earned through precision, not hype. This page documents Solexi's security posture honestly, including what is active today, what is being implemented, and what is planned. We do not claim certifications we have not obtained or controls we have not implemented.

Founding Cohort (2026): Solexi is in pre-launch phase. Security foundations are being established in parallel with product development. Waitlist data is protected by the controls documented below. Vault content will be subject to full Phase 1 controls before general access opens.
Privacy-by-design: We minimize data collection, document governance clearly, and default to the most restrictive access rules unless you explicitly grant broader permissions.

🛡️ Security Controls

Current status of each control. ● Active means implemented. ● In progress means being deployed. ● Roadmap means scheduled.

🔐 Encryption in Transit ● Active

Protocol: TLS 1.2 minimum, TLS 1.3 preferred on all endpoints.

HSTS: HTTP Strict Transport Security enforced with 1-year max-age.

Certificate: Valid TLS certificate via trusted CA; auto-renewed.

Ciphers: Modern cipher suites only (ECDHE, AES-GCM, CHACHA20). Weak ciphers (RC4, 3DES) disabled.

💾 Encryption at Rest ● Active

Algorithm: AES-256-GCM for stored vault content and account data.

Key management: Cloud provider KMS (envelope encryption). Data encryption keys rotated annually or on demand.

Database: Storage-layer encryption enabled at the infrastructure level.

🔑 Authentication ● Partial

Passwords: Bcrypt hashing (cost factor ≥ 12). Minimum 10 characters enforced.

MFA: TOTP-based MFA available (Google Authenticator, Authy). Recovery codes issued at setup.

Rate limiting: Login attempts rate-limited to prevent brute-force.

Coming: Passkey / WebAuthn support (Phase 2).

👥 Access Control (RBAC) ● Active

Model: Role-Based Access Control. Permissions scoped by person, content category, and time trigger.

Heir access: Read-only by default. Edit or download rights must be explicitly granted by vault owner.

Internal: Least-privilege principle. Support staff have no access to vault content without an active incident or explicit owner request.

📋 Audit Logging ● Active

Events logged: Authentication, file access, permission changes, delivery triggers, admin actions.

Retention: 90 days rolling. Extended retention available on request for legal or incident purposes.

Export: Log exports available to account owner on written request to [email protected].

🗄️ Backups & Recovery ● Active

Cadence: Automated daily backups of all vault and account data.

Retention: 30-day rolling backup history.

Testing: Restore tests performed quarterly. Results logged internally.

Coming: Multi-region redundancy (Phase 2).

🔍 Vulnerability Management ● Partial

Dependencies: Automated dependency scanning on every code push.

Patches: Critical vulnerabilities patched within 72 hours. High-severity within 7 days.

Coming: Annual penetration testing (Phase 2, H2 2026).

🚨 Incident Response ● Active

Contact: [email protected] — triaged within 24 hours for critical issues.

Severity levels: Critical (service outage / data breach) → immediate response. High → 24 h. Medium → 72 h.

Notification: Affected users notified per Loi 25 (Québec) and applicable laws. Serious incident register maintained.

Third-Party Vendors (Processors)

Vendor / Category Purpose Data location DPA / Safeguards
Cloud infrastructure (hosting) Compute, storage, CDN Canada / US Standard contractual clauses; data processing agreement in place
Transactional email Account notifications, delivery triggers US (EU Standard Clauses) Data processing agreement; no marketing use of email list
Authentication provider SSO / OAuth tokens (if enabled) US / Canada Standard contractual clauses
Analytics (privacy-focused) Aggregate usage metrics — no personal identifiers EU / Canada No cookies; no cross-site tracking; GDPR-compliant by design

Full sub-processor list available on request: [email protected]. We update this list within 30 days of adding a new processor.

⚠️ Threat Model (Plain English)

What we protect against, and how:

🎭
Account takeover
Mitigated by: rate-limited login, TOTP MFA, compromised-password detection, session invalidation on password change, login alerts.
👨‍👩‍👧
Unauthorized heir / third-party access
Mitigated by: explicit RBAC permissions, identity verification steps before release, owner-controlled rules for all trigger conditions.
💥
Data loss / platform failure
Mitigated by: daily automated backups, 30-day retention, quarterly restore tests, export-at-will (portable ZIP archive).
🏢
Insider risk
Mitigated by: least-privilege access, audit logs for all internal actions, no staff access to vault content without documented reason.
🔓
Supply-chain / dependency attack
Mitigated by: automated dependency scanning on every push, pinned package versions, critical patches within 72 hours.
📡
Network interception
Mitigated by: TLS 1.3 on all endpoints, HSTS enforcement, HSTS preloading planned (Phase 2).
What we do not protect against: Compromise of the user's own device (malware, physical access). We recommend enabling device-level encryption and locking your screen. We cannot accept liability for threats originating from the client side.

🗺️ Security Roadmap (2026 – 2027)

Solexi follows a phased security maturity model aligned with ISO 27001 principles, SOC 2 criteria, and the NIST Cybersecurity Framework. Below is our committed timeline.

Transparency note: Timelines reflect current planning and may shift based on operational scale, funding, and regulatory requirements. We will update this page when milestones are reached.
P1
Phase 1 — Foundation (0 – 3 months · Q1–Q2 2026)
Status: In progress
  • Enforce HTTPS / TLS 1.3 on all endpoints ✓ Active
  • AES-256 encryption at rest ✓ Active
  • Role-based access control (RBAC) ✓ Active
  • TOTP-based MFA for all user accounts ✓ Available
  • Centralized logging & monitoring — deploying
  • Incident response plan (documented) — finalizing
P2
Phase 2 — Hardening (3 – 6 months · Q2–Q3 2026)
Status: Planned
  • Annual third-party penetration test (first engagement Q3 2026)
  • Automated SAST / DAST scanning integrated in CI/CD pipeline
  • Incident response plan tested via tabletop exercise
  • Backup redundancy — multi-region replication
  • Security awareness program for all team members
  • Passkey / WebAuthn support
P3
Phase 3 — Compliance & Certification (6 – 12 months · H2 2026)
Status: Scheduled
  • SOC 2 Type I readiness assessment & audit engagement
  • Formal risk assessment (asset register, threat scoring)
  • Data classification framework (public / internal / confidential / vault)
  • Vendor risk management process (annual review cycle)
  • Privacy Impact Assessments (PIA) for all new features using personal data
  • Loi 25 (Québec) full compliance documentation published
P4
Phase 4 — Maturity (12 – 24 months · 2027)
Status: Future
  • SOC 2 Type II certification
  • ISO 27001 readiness review
  • Continuous security monitoring (SIEM platform)
  • Zero-trust architecture enhancements
  • Annual independent third-party audit cycle
  • Bug bounty program launch

⚖️ Compliance & Legal Frameworks

Privacy Laws

  • Canada (Federal): PIPEDA (Personal Information Protection and Electronic Documents Act)
  • Québec: Act respecting the protection of personal information in the private sector, as amended by Loi 25 (Bill 64)
  • European Union (if applicable): GDPR — standard contractual clauses applied for EU data subjects
  • United States (as applicable): CCPA / CPRA (California) and equivalent state-level laws

Intellectual Property

  • USPTO compliance: Solexi respects applicable U.S. patent and trademark law (35 U.S.C. §101–103, §112, §271; 37 CFR Part 1)
  • Confidentiality: Unpublished patent application content handled under strict internal NDAs
  • Third-party IP: Open-source licenses audited; no GPL-contamination in commercial codebase

Security Standards (reference)

  • ISO/IEC 27001 — information security management (target: Phase 4)
  • SOC 2 Trust Services Criteria — Security, Availability, Confidentiality (target: Phase 3)
  • NIST Cybersecurity Framework — current reference model

📬 Security Contact & Responsible Disclosure

Report a Vulnerability

If you discover a security issue, we ask that you disclose it responsibly before making it public. We commit to:

  • Acknowledge your report within 48 hours
  • Provide a status update within 7 business days
  • Credit researchers who report valid issues (unless they prefer anonymity)
  • Not pursue legal action against good-faith researchers
Security email: [email protected]
Response time: 48 h acknowledgement · 7 days status update

Privacy Officer

Name: Daniel Tanguay

Role: CEO & Founder — RPRP (Responsable de la protection des renseignements personnels)

Email: [email protected]

Phone: +1-514-570-3074

Address: 527 rue Lacasse, Terrebonne, QC J6W 4Y7, Canada

Entity: Solexi.ai Inc.

For general inquiries: solexi.ai/contact/
Privacy Policy: solexi.ai/privacy/