Security from the first commit.
Boxes was built for organisations that own their data. Cryptographic agent identity. Tamper-evident audit logs. SOC 2 Type II audited. ISO 27001 certified. HIPAA-eligible. Self-hostable on your own cloud.
Encryption in transit
TLS 1.3 everywhere — between browser and server, between services, between regions. HSTS preload. Perfect forward secrecy. No mixed content. No legacy cipher suites.
Encryption at rest
AES-256-GCM on every record in our datastore and every object in S3. Per-tenant keys derived from your account material. Customer-managed keys (BYOK/HYOK) on Enterprise.
Access control
SSO via SAML, OIDC, Okta, Azure AD, Google. SCIM provisioning. MFA enforced for admins. Role-based access on every surface. Session timeout configurable per tenant.
Cryptographic agent identity
Every agent carries a W3C DID and signs every action with Ed25519. Capability scopes (Arsenal ACT) bound by surface, recipient, spend, time. One-click revocation across every surface.
Tamper-evident audit log
Every action — human or agent — appended to a hash-chained log. Five-year retention. SIEM export to Splunk, Datadog, Elastic. Queryable by humans and auditors.
Infrastructure
Multi-region failover across US-East, US-West, EU-Central, EU-West. Workload isolation per tenant. Hardened OS images, no SSH access in production, ephemeral compute.
Vulnerability management
Annual third-party penetration tests. Continuous DAST/SAST. Snyk and Dependabot on every dependency. Public bug bounty via HackerOne. 24h SLA on critical reports.
Incident response
Documented IR playbook. On-call SRE rotation. Breach notification within 72 hours per GDPR. Post-mortems posted at status.boxes.sh.
Audited. Certified. Continuously verified.
Reports available under NDA — request via security@boxes.sh
SOC 2 Type II
Audited annually by an independent firm. Drata-tracked controls.
ISO 27001
Certified information security management system.
HIPAA-eligible
BAA available on Enterprise plan for covered health information.
GDPR + UK GDPR
EU-resident data residency. Standard contractual clauses (SCCs).
CCPA + LGPD
California, Brazil, and other major privacy regimes supported.
AI-specific governance
No training on customer content. Ever. Auditable model routing.
Pen-tested annually
Third-party network and application penetration tests.
Bug bounty
Public program via HackerOne. 24h SLA on critical reports.
Responsible disclosure
Found a vulnerability? Please report it to security@boxes.sh — we respond within 24 hours and publish acknowledgements with permission.