Security Overview

Last updated: July 17, 2026

This page describes the security measures in place for Paraxis Console, operated by Manyu Space Systems Pvt. Ltd. We aim to be precise about what we do — and equally precise about what we do not yet have. Paraxis Console is in an invite-only private beta.

1. Infrastructure

The Service runs on Google Cloud Platform (Cloud Run and Cloud SQL Postgres) in the us-central1 region, United States. User avatars and organization logos are stored in S3-compatible object storage; no other customer data is stored there. Simulation engines are first-party services operated by the Company on GCP. Real-time collaboration runs through a Company-operated sync server.

2. Encryption

  • All traffic to and within the Service is encrypted in transit with TLS.
  • Data is encrypted at rest using Google Cloud's default encryption.

3. Access control

  • The Service is invite-only, and account access is gated by administrator approval.
  • All project and mission data is scoped to organizations; access controls enforce organization membership.
  • Authentication uses session cookies (better-auth).

4. Application security measures

  • API keys are stored hashed and have mandatory expiry.
  • Outbound webhooks are HMAC-signed so receivers can verify authenticity.
  • Actions are audit-logged, and audit records for requirements changes are hash-chained so tampering is detectable.
  • AI-originated requirement changes require an explicit review-and-apply step and are marked as AI-generated.

5. What we do not have (yet)

In the interest of honesty:

  • No third-party certifications. We do not hold SOC 2, ISO 27001, or similar certifications. Our cloud providers hold their own certifications, but those do not transfer to us and we do not claim them.
  • No penetration test yet. We have not yet commissioned an independent penetration test of the Service.
  • No bug bounty program. We accept responsible disclosures (below) but do not currently pay bounties.
  • No SLA. During the beta there is no service-level agreement or uptime guarantee.

6. Responsible disclosure

If you discover a security vulnerability, please report it to security@paraxis.space. Include enough detail for us to reproduce the issue, and give us a reasonable opportunity to fix it before public disclosure. Do not access other users' data or disrupt the Service while investigating; security testing of the Service without permission is prohibited by our Acceptable Use Policy.

7. Contact

Security reports: security@paraxis.space. General questions: support@paraxis.space.