Security

Security at Cruxi

Cruxi is built to protect customer accounts, workflow data, and regulatory project materials while supporting AI-assisted 510(k) and regulatory workflows. This page summarizes the current security posture for the platform and related trust operations.

Last updated: April 22, 2026 Applies to Cruxi production services Google Cloud hosted
Encrypted transport Customer traffic is served over HTTPS with security headers and browser protections enabled on production surfaces.
Protected secrets Sensitive production credentials are managed through Google Secret Manager rather than stored directly in live service configuration.
Controlled access Protected product workflows use authenticated access controls, session handling, and server-side authorization checks.
Operational hardening Agent-backed and long-running workflows are monitored with validation, recovery, and guarded processing paths.

Infrastructure and platform controls

  • Cruxi runs on Google Cloud-managed infrastructure.
  • The primary production Google Cloud Storage bucket used for current 510(k) document and submission artifact writes uses a customer-managed Cloud KMS key.
  • Managed database and supporting infrastructure layers are protected by infrastructure-level encryption at rest.
  • Sensitive production credentials are handled through Secret Manager-backed service configuration.
  • Production services are deployed with environment-specific configuration and controlled service accounts.

Application security

  • Authenticated workspaces and protected routes are gated by server-side access checks.
  • Email/password account creation and reset flows require a strong password with length and complexity requirements.
  • Production web surfaces use security headers and browser protections designed to reduce common web attack exposure.
  • Rate limiting and request controls are enabled on production-facing flows to reduce abuse and instability risk.
  • Internal-only and diagnostic endpoints are restricted or disabled in production-facing operation.

Workflow and AI safeguards

Cruxi’s AI-assisted regulatory workflows are designed to support structured analysis while keeping server-side control over the output path.

  • Agent-backed workflows run inside authenticated product flows and project-scoped workspaces.
  • Structured validation, critic/review passes, and repair logic help prevent malformed outputs from being accepted as final workflow artifacts.
  • Long-running agent jobs use tracked status, recovery handling, and clearer failure states for customer-visible workflows.
  • Operational controls are designed to preserve workflow continuity during retries, temporary provider issues, and service recovery events.

Privacy and data handling

  • Cruxi does not sell customer data.
  • Private project data is not shared with other customers, consultants, or providers unless the customer explicitly authorizes that sharing through the product or a separate engagement flow.
  • Users can review related trust documents including the Privacy Policy, Subprocessors, and Data Processing Agreement.
  • Self-service deletion and formal request paths are available through product and legal/privacy workflows.

Monitoring and platform maintenance

  • Production posture is reviewed through ongoing internal code, configuration, and deployment hardening work.
  • Public-facing legal and trust pages are updated as production controls change.
  • Security-sensitive deployment changes are verified against live service readiness and configuration state.
  • Operational improvements are applied to reduce silent failures, strengthen recovery behavior, and improve workflow reliability.

Security and trust requests

For enterprise reviews, security questionnaires, DPA requests, or trust-document requests, contact privacy@cruxi.ai.

Related documents:

Customers with specific procurement or legal review needs can request additional trust documentation through the Cruxi team.