Security & Trust

API Modernizer is built with a security-first architecture, following the Cloud Security Alliance's CAIQ structure with OWASP Top 10 (2021) mapping for every control.

Design Principles

  • Least privilege by default — no component has access beyond what it requires to perform its function
  • No customer data retention — uploaded source code and generated artifacts are automatically deleted 15 minutes after job completion
  • Zero trust between components — internal components communicate via explicit interfaces with validated inputs
  • Defence in depth — multiple independent security controls protect each attack surface
  • Transparency — all security controls are documented and verifiable

Technical Controls

  • TLS 1.2+ in transit, everywhere
  • AES/GCM encryption with securely generated random IVs
  • UUID-namespaced job isolation with automatic data deletion
  • Zip-slip and XXE protection on all file processing
  • Rate limiting and abuse protection on every public endpoint
  • Strict, allowlisted CORS — no wildcard origins

Compliance Posture

StandardStatus
OWASP Top 10 (2021)All 10 categories reviewed and addressed
GDPRData minimisation and retention limits by design
SOC 2 Type IIRoadmap — audit logging framework in place; formal certification planned
ISO 27001Roadmap — controls aligned; formal certification planned

We describe our security posture precisely: controls that are implemented today are stated as implemented; certifications that are in progress are stated as in progress, not claimed as complete.