A plain-English description of how Quavix Messenger protects your data — the infrastructure, the controls, and what we do when something goes wrong.
Quavix Messenger runs on Amazon Web Services (AWS) in US-based regions. We do not operate our own data centers. All underlying infrastructure — compute, networking, storage, and backups — is provided by AWS, which maintains its own extensive security certifications including SOC 2 Type II, ISO 27001, and FedRAMP authorization.
Our application runs in an isolated environment with network access controls restricting inbound and outbound traffic to necessary services only. Production systems are separated from development and staging environments.
In transit: All data between users' browsers and the platform is transmitted over TLS 1.2 or higher. We enforce HTTPS on all endpoints. Older TLS versions and weak cipher suites are disabled.
At rest: All data stored on disk — database contents, file exports, and logs — is encrypted using AES-256 via AWS's managed encryption services (AWS KMS). Encryption keys are managed by AWS KMS with strict access controls.
Compliance archive: Message archives are stored in AWS S3 with server-side encryption (AES-256) and S3 Object Lock enabled in Compliance mode. Object Lock means that archived records cannot be deleted or overwritten by any party — including AWS administrators — for the duration of the 7-year retention period.
Role-based access: The platform enforces strict role-based access controls. Regular users can only access their own conversations. Compliance officers can access their organization's archived messages through the compliance portal. Platform administrators have access to operational systems but not to message content without audit logging.
Compliance portal access: Access to the compliance archive is restricted to users explicitly granted compliance access by a platform administrator. Every action taken in the compliance portal is logged with the actor's identity, IP address, session identifier, and timestamp. These logs are themselves append-only and cannot be deleted.
Internal access: Quavix employees do not have routine access to message content. Access to production systems requires multi-factor authentication and is limited to engineers with a documented operational need. All privileged access is logged.
Authentication: User accounts are protected by password-based authentication with enforced complexity requirements. Session tokens are rotated on authentication and expire after a configurable inactivity period.
The compliance archiving mechanism operates at a layer below the application. Messages are written to the archive at the moment of sending — before delivery to the recipient. The archive is enforced at the infrastructure level, not in application code, which means a compromised application cannot suppress or alter archiving.
The archive storage layer uses AWS S3 Object Lock in Compliance mode. This is a WORM (Write Once, Read Many) configuration. Once an object is written, it cannot be modified or deleted by any user, including root-level AWS credentials, during the retention period. This satisfies the non-rewritable, non-erasable storage requirements of SEC Rule 17a-4.
Compliance exports are accompanied by SHA-256 checksums and cryptographically signed manifests, allowing recipients to verify that exported files have not been tampered with since generation.
All production services sit behind AWS security groups that restrict access to necessary ports and sources only. No database or internal service ports are exposed to the public internet.
We employ web application firewall (WAF) rules to block common attack patterns. Rate limiting is applied to authentication endpoints to limit brute-force attempts.
Our infrastructure configuration is managed as code and reviewed before deployment. Configuration changes to security-sensitive settings require review.
We keep application dependencies up to date and monitor security advisories for the libraries and frameworks we use. Critical security patches are applied as quickly as operationally feasible.
We do not currently have a public bug bounty program. If you discover a potential security vulnerability, please report it to security@quavix.com. We will acknowledge receipt within 2 business days and work to remediate confirmed issues promptly. We ask that you not publicly disclose vulnerabilities before we have had a reasonable opportunity to address them.
Database backups are taken daily and retained for 30 days. Backups are stored in a separate AWS region from primary data. We test backup restoration periodically.
The compliance archive in S3 Object Lock is inherently durable — AWS S3 is designed for 99.999999999% (11 nines) object durability and replicates data across multiple availability zones.
We target high availability but do not guarantee a specific uptime SLA in the standard offering. Enterprise availability requirements can be discussed during onboarding.
We maintain an incident response plan covering detection, containment, eradication, recovery, and post-incident review. In the event of a personal data breach affecting Controller data, we will:
Security incidents that do not involve personal data (e.g., service disruptions, failed intrusion attempts) will be communicated through our status page.
Quavix Messenger does not currently hold its own SOC 2 Type II certification. We rely on AWS's certifications for underlying infrastructure. Obtaining SOC 2 certification is on our roadmap. If your organization requires SOC 2 before onboarding, please contact us at security@quavix.com to discuss the current status and timeline.
Our compliance archive infrastructure is designed to satisfy SEC Rule 17a-4 and FINRA Rule 4511 non-erasable, non-rewritable storage requirements. We recommend that regulated organizations confirm applicability with their own legal counsel.
Security disclosures and inquiries: security@quavix.com
General legal and compliance inquiries: legal@quavix.com