Security & Trust
API Modernizer is built with a security-first architecture, following the Cloud Security Alliance's CAIQ structure with OWASP Top 10 (2021) mapping for every control.
Design Principles
- ✓Least privilege by default — no component has access beyond what it requires to perform its function
- ✓No customer data retention — uploaded source code and generated artifacts are automatically deleted 15 minutes after job completion
- ✓Zero trust between components — internal components communicate via explicit interfaces with validated inputs
- ✓Defence in depth — multiple independent security controls protect each attack surface
- ✓Transparency — all security controls are documented and verifiable
Technical Controls
- •TLS 1.2+ in transit, everywhere
- •AES/GCM encryption with securely generated random IVs
- •UUID-namespaced job isolation with automatic data deletion
- •Zip-slip and XXE protection on all file processing
- •Rate limiting and abuse protection on every public endpoint
- •Strict, allowlisted CORS — no wildcard origins
Compliance Posture
| Standard | Status |
|---|---|
| OWASP Top 10 (2021) | All 10 categories reviewed and addressed |
| GDPR | Data minimisation and retention limits by design |
| SOC 2 Type II | Roadmap — audit logging framework in place; formal certification planned |
| ISO 27001 | Roadmap — controls aligned; formal certification planned |
We describe our security posture precisely: controls that are implemented today are stated as implemented; certifications that are in progress are stated as in progress, not claimed as complete.
