
Security at Courtix

Our security posture, controls and how to report a vulnerability.

Version 1.0 · Last updated 2026-04-14

Overview

Courtix Hosting LLC builds and operates software for clients who care about security. This page summarises our security posture for procurement teams, auditors and anyone doing due diligence. For the detailed engineering process, see our Secure SDLC Policy.

Organisational controls

  • Written security policies: Secure SDLC, acceptable use, incident response, access control and data retention.
  • Background-checked engineers: all team members with production access are background-checked where local law permits.
  • Least-privilege access: production access is scoped to the people actively working on a system.
  • MFA everywhere: source control, cloud consoles, email and chat require multi-factor authentication.

Technical controls

  • Encryption in transit: TLS 1.2 or higher on every public endpoint, HSTS on production systems we operate.
  • Encryption at rest: managed via cloud-provider KMS (Cloudflare, AWS).
  • Secrets management: platform secret stores; no secrets in source control or CI logs.
  • Dependency scanning: automated on every build, with target remediation times published in our SDLC policy.
  • Static and dynamic analysis: SAST on every pull request, DAST for systems handling regulated data.
  • Infrastructure as code: all infrastructure is provisioned and versioned as code for repeatable, reviewable changes.
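For anyone doing due diligence, the encryption-in-transit bullet above is one of the few claims on this page that can be verified from outside. The following is an added example, not Courtix code, that negotiates TLS with a host, reports the protocol version against the "TLS 1.2 or higher" bar, and evaluates the Strict-Transport-Security header. The one-year max-age threshold, the script name and the sample header values used in the offline run are our assumptions, not anything the page states.

```python
"""Added example (not Courtix code): test an endpoint against the
"encryption in transit" claim above, i.e. TLS 1.2 or higher and HSTS.

Usage:  python tls_hsts_check.py example.com
With no argument it evaluates constructed sample header values offline.
"""
from __future__ import annotations

import socket
import ssl
import sys

# Protocol names as returned by ssl.SSLSocket.version() that satisfy
# "TLS 1.2 or higher".
ACCEPTABLE_TLS = {"TLSv1.2", "TLSv1.3"}

# Assumption: one year, the minimum the browser preload list accepts;
# shorter max-age values are a common audit finding.
MIN_HSTS_MAX_AGE = 31_536_000


def tls_version_ok(version: str | None) -> bool:
    """True when the negotiated protocol meets the TLS 1.2+ bar."""
    return version in ACCEPTABLE_TLS


def parse_hsts(header: str | None) -> dict[str, str | None]:
    """Split a Strict-Transport-Security value into lower-cased directives.

    Per RFC 6797 section 6.1 directives are ';'-separated and names are
    case-insensitive; max-age carries a value, includeSubDomains and preload
    are bare flags (stored as None). Returns {} when the header is absent.
    """
    directives: dict[str, str | None] = {}
    if not header:
        return directives
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


def evaluate_hsts(header: str | None) -> tuple[bool, list[str]]:
    """Return (passes, findings). Only the max-age checks decide pass/fail;
    a missing includeSubDomains is reported as advisory."""
    directives = parse_hsts(header)
    if not directives:
        return False, ["no Strict-Transport-Security header"]
    passes, findings = True, []
    raw = directives.get("max-age")
    if raw is None or not raw.isdigit():
        passes = False
        findings.append("max-age missing or not a non-negative integer")
    elif int(raw) == 0:
        passes = False
        findings.append("max-age=0 clears the HSTS policy for this host")
    elif int(raw) < MIN_HSTS_MAX_AGE:
        passes = False
        findings.append(f"max-age={raw} is below {MIN_HSTS_MAX_AGE} seconds")
    if "includesubdomains" not in directives:
        findings.append("advisory: includeSubDomains not set")
    return passes, findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> tuple[str | None, str | None]:
    """Negotiate TLS with the platform defaults, send one HEAD request and
    return (negotiated_version, hsts_header_value_or_None)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version()
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            response = b""
            while b"\r\n\r\n" not in response:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                response += chunk
    head = response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return version, value.strip()
    return version, None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        version, hsts = probe(sys.argv[1])
    else:  # constructed sample values, not a real server response
        version, hsts = "TLSv1.3", "max-age=300; includeSubDomains"
    print(f"TLS {version}: {'ok' if tls_version_ok(version) else 'FAIL'}")
    ok, findings = evaluate_hsts(hsts)
    print(f"HSTS {hsts!r}: {'ok' if ok else 'FAIL'} {findings}")
```

The probe uses the platform's default client context, so it reports what a current client negotiates; it does not prove that TLS 1.0 or 1.1 are refused, since modern OpenSSL builds often refuse to offer them at all. A downgrade test needs a deliberately weakened client such as `openssl s_client -tls1_1`.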

Payment processing

Card payments are processed through Wise and Stripe, regulated payment providers. Wise is authorised by the UK Financial Conduct Authority (FCA firm reference 900507). We do not store, log or retain cardholder data on our servers. Wise and Stripe handle PCI DSS compliance for card processing.

Data handling

  • Data classification: we classify data as public, internal, confidential or restricted, with handling rules per class.
  • Retention: data is retained only as long as required to deliver services or meet legal obligations. See our Privacy Policy.
  • Deletion: on request or at end of engagement, client data is securely deleted from our systems and backups.
  • Regional compliance: we honour GDPR data subject rights and support data residency requirements where applicable.

Compliance posture

  • PCI DSS: card processing is outsourced to Wise and Stripe, which maintain PCI DSS compliance for it; we do not store cardholder data.
  • GDPR: data subject rights supported; Data Processing Agreement available on request.
  • SOC 2: controls mapped to the SOC 2 Trust Services Criteria; a Type I attestation is in progress (contact us for current status).
  • HIPAA: we have delivered HIPAA-aligned systems for healthcare clients under BAAs.

Reporting a vulnerability

If you believe you’ve found a security vulnerability in any Courtix-operated system, we’d like to hear from you.

  • Contact: security@courtix.com
  • Response time: we aim to acknowledge reports within 24 hours and provide a remediation timeline within 5 business days.
  • Good-faith researchers: we will not pursue legal action for responsible disclosure that follows this policy.

Please include:

  • A clear description of the issue.
  • Steps to reproduce.
  • Any proof-of-concept you’re willing to share.
  • Whether you’re willing to be credited publicly.

Sub-processors

We use a small number of third-party platforms and services to deliver our engagements. Any sub-processor with access to client data is disclosed before an engagement begins and is subject to the same security expectations as our own systems.

Sub-processor | Purpose | Data handled
Amazon Web Services | Cloud hosting, compute, managed data, object storage, CDN | Application and customer data for workloads we run on AWS
Cloudflare | Edge network, CDN, WAF, DDoS protection, DNS, Zero Trust | Network traffic and metadata for production systems behind Cloudflare
GitHub | Source control, CI, dependency scanning | Source code and build artefacts
Wise | Card payment processing | Cardholder data (handled end-to-end by Wise under PCI DSS; we do not store card details)
Stripe | Payments and billing (when used in client engagements) | Cardholder data and billing metadata for the engagements it is used on
Managed LLM APIs | AI inference for applications that require it | Only the data the application is designed to send, per the engagement-level data flow

Additional platform choices (Google Cloud, Microsoft Azure, dedicated infrastructure) may be introduced per engagement at the client’s request and are disclosed in the engagement contract.

Procurement and due diligence

For enterprise procurement and vendor onboarding, we provide:

  • Data Processing Agreement (DPA): signed on request, aligned with GDPR Article 28 requirements.
  • Business Associate Agreement (BAA): available for healthcare engagements that require one.
  • Security questionnaires: we complete SIG Lite and CAIQ-Lite questionnaires for enterprise buyers on request.
  • Subcontractor disclosure: any subcontractors with access to client data are disclosed before the engagement begins.
  • Data retention and deletion: covered in our Privacy Policy and customised per engagement where required.
  • Right-to-audit clauses: reviewed on a case-by-case basis; we’re comfortable with reasonable audit provisions for regulated industries.

We also provide, under NDA:

  • Signed copies of our Secure SDLC and incident response policies.
  • Penetration test summaries for systems we operate (scoped per engagement).
  • Reference calls with current or recent clients for serious prospects.

Email security@courtix.com to start the due diligence process.