Trust & Security

Built for regulated operators.

Valix meets SOC 2 Type II standards with end-to-end encryption, immutable audit logs, and role-based access. Every transaction logged. Every change traceable. Your data stays yours.

Certified

SOC 2 Type II attestation covers all critical controls

Our audit scope includes access controls, encryption, change management, and incident response. The attestation period runs 12 months.

Encryption

TLS 1.3 in transit, AES-256 at rest

All data moves encrypted. Keys are rotated quarterly and stored in hardware security modules. Access to encryption infrastructure requires multi-factor authentication and is logged.

Access

Role-based permissions down to the transaction

Assign permissions by property, entity, or function. Every user action and every AI decision is timestamped and immutable. Compliance teams can export full audit trails for regulatory review.

Security & compliance

Direct answers. No hedging.

Common questions from CISOs, auditors, and procurement teams. Anything not covered here, our security team will answer under NDA.

What happens in a breach?

We notify affected parties within 24 hours and file required disclosures. All data is encrypted at rest and in transit, limiting exposure. Our incident response plan is tested quarterly with tabletop exercises.

Is Valix SOC 2 audited?

Yes. We maintain SOC 2 Type II covering security, availability, and confidentiality. Attestation reports are available under NDA for enterprise clients. Audit cadence is annual with continuous monitoring throughout the year.

Do you handle GDPR and CCPA?

We comply with both frameworks. Tenants and residents have rights to access, correction, and deletion. Data processing agreements are standard for all accounts. EU hosting is available for enterprise customers.

Can we audit your logs?

Every financial transaction is logged with timestamp, user, IP, old value, and new value. You can export audit trails from the compliance dashboard. Third-party auditors can request access under controlled conditions.

What about backups and recovery?

Data is backed up every 6 hours across geographically separated regions. Recovery time objective is under 4 hours; recovery point objective is 6 hours. We test restores monthly.

How is access controlled?

47 permission codes across 10 role types (RBAC). Enterprise customers get SSO via SAML or OIDC. MFA is required for all admin roles. Session tokens expire after 30 min of inactivity; impersonation tokens expire after 30 min total.