Security
TTXLab uses layered controls to protect organization data, exercise workflows, and generated report artifacts.
Encryption
All network traffic between clients and TTXLab services is encrypted in transit using TLS 1.3. Data stored by our infrastructure providers is encrypted at rest using AES-256 via provider-managed keys (Convex for database storage, Vercel for edge and serverless deployments). These controls apply to exercise data, generated reports, and account information.
Hosting and infrastructure
TTXLab uses Vercel for front-end hosting, CDN, and serverless compute, and Convex for the backend database, real-time sync, and server-side logic. Both providers operate US-based infrastructure with their own security programs and certifications. For details on all vendors that process customer data, see the subprocessor table on the Trust Center page.
Authentication and access boundaries
Authentication is provided through Convex Auth. Protected routes require valid session state, and backend operations enforce organization membership or invite-scoped guest access before data access is granted. Role authorization is applied for privileged actions such as exercise administration, billing operations, and report generation workflows.
This model is intended to prevent cross-organization data access and ensure users only interact with records associated with approved workspaces.
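The following TypeScript is an added example, not TTXLab's or Convex's code. It models the access boundary described above over an in-memory store: a session is required first, then the caller must hold organization membership or an unexpired invite scoped to one exercise, and privileged actions are gated by role. The role names, record shapes, `ROLE_POLICY` table and `authorize` function are assumptions made for illustration.

```typescript
// Added example (not TTXLab code): session -> membership/invite -> role checks.
// Role names, record shapes and the policy table below are assumed for illustration.

type Role = "admin" | "facilitator" | "participant";
type Action = "read_exercise" | "administer_exercise" | "generate_report" | "manage_billing";
type DenyReason = "unauthenticated" | "not_found" | "forbidden";

interface Session { userId: string }
interface Membership { userId: string; orgId: string; role: Role }
interface Exercise { id: string; orgId: string; title: string }
// Invite-scoped guest access: an invite grants access to exactly one exercise until it expires.
interface GuestInvite { guestId: string; exerciseId: string; expiresAt: number }
interface Store { memberships: Membership[]; exercises: Exercise[]; invites: GuestInvite[] }

export class AccessDenied extends Error {
  readonly reason: DenyReason;
  constructor(reason: DenyReason) { super(reason); this.reason = reason; }
}

// Which roles may perform each action (assumed mapping; TTXLab's actual roles are not published here).
const ROLE_POLICY: Record<Action, Role[]> = {
  read_exercise: ["admin", "facilitator", "participant"],
  administer_exercise: ["admin", "facilitator"],
  generate_report: ["admin", "facilitator"],
  manage_billing: ["admin"],
};

// Resolve the caller's effective role for one exercise and check it against the action.
// Every failure path throws, so the caller never receives the record unless all checks pass.
export function authorize(
  store: Store, session: Session | null, exerciseId: string, action: Action, now: number = Date.now(),
): Exercise {
  if (!session) throw new AccessDenied("unauthenticated");

  const exercise = store.exercises.find((e) => e.id === exerciseId);
  if (!exercise) throw new AccessDenied("not_found");

  // Membership is looked up against the exercise's own organization, never the caller's claimed one.
  const membership = store.memberships.find(
    (m) => m.userId === session.userId && m.orgId === exercise.orgId,
  );
  let role: Role | null = membership ? membership.role : null;

  if (role === null) {
    // Guests resolve only for the single exercise their invite names, and only while it is valid.
    const invite = store.invites.find(
      (i) => i.guestId === session.userId && i.exerciseId === exercise.id && i.expiresAt > now,
    );
    if (invite) role = "participant";
  }

  // A non-member gets "not_found" rather than "forbidden", so ids in other organizations
  // cannot be enumerated by probing.
  if (role === null) throw new AccessDenied("not_found");
  if (!ROLE_POLICY[action].includes(role)) throw new AccessDenied("forbidden");
  return exercise;
}

// Constructed sample data: two organizations, one cross-org admin, one guest invite.
export const sampleStore: Store = {
  memberships: [
    { userId: "alice", orgId: "org-a", role: "admin" },
    { userId: "bob", orgId: "org-a", role: "participant" },
    { userId: "carol", orgId: "org-b", role: "admin" },
  ],
  exercises: [
    { id: "ex-1", orgId: "org-a", title: "Ransomware tabletop" },
    { id: "ex-2", orgId: "org-b", title: "Insider threat tabletop" },
  ],
  invites: [{ guestId: "guest-1", exerciseId: "ex-1", expiresAt: Date.UTC(2030, 0, 1) }],
};

// Returns "ok" or the denial reason, so outcomes can be compared in a table or a test.
export function outcome(
  userId: string | null, exerciseId: string, action: Action, now: number = Date.UTC(2026, 0, 1),
): string {
  try {
    authorize(sampleStore, userId ? { userId } : null, exerciseId, action, now);
    return "ok";
  } catch (e) {
    if (e instanceof AccessDenied) return e.reason;
    throw e;
  }
}
```

The point of the shape is that the organization used for the membership lookup comes from the record being accessed, not from anything the client supplies, and that a caller outside the organization sees the same answer as for a nonexistent id.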
Artifact protection and report delivery
Exercise artifacts are persisted with retention controls and delivered through authenticated interfaces. Ephemeral report delivery can use one-time tokenized links with expiry and single-use semantics, reducing replay risk for sensitive exports.
Administrators should align artifact retention with organizational policy and ensure internal distribution controls are applied once reports are exported.
Backup and disaster recovery
Platform data stored in Convex is subject to Convex's built-in replication and backup mechanisms. Vercel deployments use immutable artifacts with instant rollback capability. TTXLab maintains operational procedures for incident response and service restoration. Recovery objectives are aligned with provider capabilities and are refined as the platform matures.
AI provider disclosure
TTXLab uses two AI providers for exercise workflows, both accessed via the Vercel AI Gateway (API-only integration). Exercise data is processed through API calls only and is not used for model training by either provider.
- Google Gemini — powers AI facilitation during exercises (API-only, no training on customer data).
- Anthropic Claude — powers AI adjudication and scoring (API-only, no training on customer data).
For the full list of vendors and data categories, see the Trust Center.
Operational monitoring and auditability
Platform telemetry can be enabled for performance and incident diagnostics. Audit events are written for key lifecycle transitions including exercise creation, participant assignment, launch, pause, resume, and completion. These records support internal reviews and post-exercise traceability.
SOC 2 roadmap
TTXLab is actively working toward SOC 2 Type II readiness. This certification has not yet been achieved. We are maturing internal controls, formalizing policies, and aligning operational practices with Trust Services Criteria. We will only represent formal attestation after an independent audit is complete. For current status, contact us via the contact page.
Vulnerability disclosure policy
If you discover a potential security vulnerability in TTXLab, please report it responsibly to support@ttxlab.com with timestamps, affected endpoints, reproduction steps, and impact details.
Response timeline: We aim to acknowledge receipt within 2 business days and provide an initial assessment within 5 business days. Critical vulnerabilities are prioritized for remediation. We will coordinate disclosure timelines with the reporter before any public communication.
Safe harbor: Security researchers acting in good faith to identify and report vulnerabilities will not face legal action from TTXLab for their research activities, provided they do not access, modify, or delete data belonging to other users, degrade platform availability, or disclose findings publicly before coordinated resolution.
Machine-readable security contact information is available at /.well-known/security.txt.
Related documentation
Review the Privacy Policy for data retention and handling practices, the Trust Center for subprocessors, SLA posture, and procurement resources, the Terms of Service for usage obligations, and the Data Processing Agreement for GDPR-related processor commitments.
Shared responsibility guidance
TTXLab secures the managed platform controls, while customers remain responsible for account hygiene, role governance, and secure distribution of exported artifacts inside their environment. Teams should enforce MFA where available, keep member access current, and review outbound report sharing practices. This shared model helps preserve clear ownership boundaries and supports effective incident response if an issue occurs.
We also recommend periodic tabletop program retrospectives that evaluate technical controls and process adherence together, so remediation plans are grounded in both tooling behavior and real team execution.