Legal

Security at Valuxe

Our customers handle some of the most sensitive financial information in the world. Here's how we keep it safe.

Last updated: 18 May 2026

Important: This page describes our current security posture. Specifics evolve as we add controls and certifications — the live page is the source of truth.

Infrastructure

Valuxe runs entirely on Amazon Web Services in the eu-west-2 (London) region. All compute, storage, and message queues operate within a private VPC; only the public API gateway and the marketing site are exposed to the internet.

  • PostgreSQL 16 with encryption at rest (AWS KMS) and TLS in transit.
  • Object storage on S3 with bucket-level encryption and server-side encryption keys rotated quarterly.
  • Redis for ephemeral caching and progress streams; no persistent customer data.
  • SQS message queues for asynchronous valuation jobs and OCR processing.

Multi-tenant isolation

Every row in our database carries a TenantId column. Every query enforces tenant scoping at the application layer — there is no global query path that could return another tenant’s data even accidentally. Tenant data is never co-mingled in object storage either; documents live undertenants/{tenantId}/valuations/{id}/... object keys that are validated on every read.

Encryption

  • In transit: TLS 1.2+ everywhere. The marketing site, the product app, and the API all enforce HSTS.
  • At rest: AES-256 for the database, object storage, and all backups.
  • Key management: AWS KMS customer-managed keys; access audited through CloudTrail.

Authentication and authorisation

  • Passwords hashed with bcrypt (work factor 12+).
  • Session tokens are JWTs signed with HS256 and rotated on every login.
  • Role-based access control (RBAC) with five built-in roles (Admin, Senior Analyst, Analyst, Reviewer, Viewer) plus a Client role for the customer portal.
  • Four-eyes approval principle — the same user cannot both create and approve a valuation.
  • API keys for server-to-server integrations are HMAC-hashed; the plaintext key is shown once at creation.
  • Two-factor authentication (TOTP) available for all users; required for Admin roles on Enterprise plans.

AI and your data

Valuxe’s AI engine runs on AWS Bedrock. We have contractual commitments from AWS that prompts and completions are not used to train Amazon’s or any third party’s foundation models. Inference happens within the AWS network boundary; nothing transits to a third-party LLM vendor.

Audit logging

Every state-changing action — login, document upload, valuation run, approval decision, role change — is recorded in an immutable audit log scoped to the tenant. Admins can export their audit log on demand through the in-app settings.

Backups and disaster recovery

  • Database point-in-time recovery to any second in the last 35 days.
  • Daily full snapshots retained for 90 days, encrypted with KMS.
  • Cross-region backup replication for Enterprise plans.
  • Documented runbooks tested quarterly. Recovery objectives:
    • RPO (recovery point): 5 minutes
    • RTO (recovery time): 4 hours

Vulnerability management

  • All dependencies scanned daily for known CVEs; high/critical findings patched within 7 days.
  • Static analysis on every pull request.
  • Annual third-party penetration test; report available under NDA.
  • Responsible-disclosure program: report findings to security@valuxe.example.

Compliance

  • UK GDPR / EU GDPR — see our Privacy Policy.
  • SOC 2 Type I — in progress, target Q3 2026.
  • SOC 2 Type II — target Q4 2026.
  • ISO 27001 — under consideration for 2027.

Incident response

We maintain a 24/7 on-call rotation for production issues. If a security incident affecting customer data occurs, we will notify affected tenants within 72 hours of confirming impact, in line with UK GDPR Article 33. Notifications go to the email address of every Admin user on the affected tenant.

Subprocessors

Our current subprocessor list:

  • Amazon Web Services — infrastructure, AI (Bedrock), email (SES).
  • Stripe — payment processing for subscriptions.

We notify Admin users by email 30 days before adding a new subprocessor that has access to customer personal data.

Reporting a security issue

If you believe you’ve found a vulnerability in Valuxe, please email security@valuxe.example. Include reproduction steps and any relevant logs. We acknowledge reports within 48 hours and will keep you posted on triage and remediation.

Questions about this document? Email legal@valuxe.example and we'll respond within five business days.