Security — FluxMateria

Data handling

What we store

Input structures you submit (SMILES, SDF, compositions)
Computed results and metadata
Run configurations and provenance records
Audit log entries (append-only)

What we never do

Your data is not used to train models
Your data is not shared between customers
Your data is not sold or monetized
Your data is not accessed by staff without authorization

Your IP remains yours

FluxMateria does not acquire any rights to your molecular data, material compositions, or computational results. Your structures, analyses, and decision packets remain your intellectual property. We are a computation tool, not a data business.

Encryption

In transit

TLS 1.2+ enforced on all connections. HTTPS required for all API and web traffic. HSTS enabled.

At rest

AES-256 encryption for all stored data including molecular inputs, results, and audit logs. Encryption keys managed via AWS KMS.

Data retention

Pilot data: Retained for evaluation period + 30 days, then purged. Custom agreements available.
Production data: Retained per your subscription tier’s policy. Configurable retention periods on Enterprise plans.
Deletion: Available on request. Automated retention jobs produce deletion certificates for audit purposes.
Audit logs: Append-only. Retained per compliance requirements. Not subject to user-initiated deletion.

Infrastructure & deployment

Cloud infrastructure

Provider: Amazon Web Services (AWS)
Default region: US (us-east-1)
EU residency: Available on Enterprise plans (eu-west-1)
Backups: Automated daily backups with point-in-time recovery

Tenant isolation

Logical tenant isolation enforced at database level
Separate compute contexts per customer
No cross-tenant data access — enforced by org_id foreign keys
Dedicated infrastructure available on Enterprise plans

Authentication & access control

Capability	Pilot	Team	Enterprise
Email / password	✓	✓	✓
SSO (SAML 2.0 / OIDC)	—	—	✓
Multi-factor authentication	—	✓	✓
Role-based access control	—	✓	✓
Service accounts + API keys	—	✓	✓
Audit logging	Basic	✓	Full

Role-based access control

Six predefined roles with principle-of-least-privilege defaults:

Scientist — Run computations, view results
Analyst — View results, export data
OrgAdmin — Manage users, roles, org settings
SecurityAdmin — Audit logs, access policies
BillingAdmin — Usage, billing, quotas
SystemAdmin — Platform superuser (cross-org)

Session management

JWT-based authentication with short-lived access tokens
Refresh token rotation on every use
Automatic session expiration
Forced logout on password change

Audit logging

Append-only, tamper-evident event log
All authentication, authorization, and data access events recorded
Exportable for external SIEM integration

API security

Authentication

API key authentication with per-key scoping and rotation support. Service accounts for programmatic access with configurable permissions.

Rate limiting

Per-user and per-organization rate limits. Configurable thresholds on Enterprise plans. PostgreSQL-backed with Redis-ready upgrade path.

Input validation

All API inputs validated via Pydantic schema enforcement. Malformed requests rejected before reaching compute. Structured error responses.

Transport

All API traffic over HTTPS (TLS 1.2+). HTTP requests redirected. No unencrypted API access permitted.

Compliance & governance

Framework	Status	Details
SOC 2 Type 2	In progress	Roadmap and controls documentation available on request
ISO 27001	Planned	Targeted after SOC 2 completion
GDPR	Aligned	Data processing agreement available. EU data residency on Enterprise plans.
FDA 21 CFR Part 11	Documentation available	Alignment documentation provided for Enterprise customers on request
HIPAA / BAA	Case-by-case	Available for Enterprise customers handling PHI

Security questionnaires

We complete standard vendor security questionnaires (SIG Lite, CAIQ, custom). Contact security@fluxmateria.com to initiate the process.

Incident response

Response procedures

Defined incident classification and escalation procedures
Designated incident response team
Post-incident review and remediation process

Breach notification

72-hour notification for GDPR-relevant incidents
Direct notification to affected customers
Root cause analysis and remediation timeline provided

Security questions?

We welcome security assessments during pilot and procurement discussions. Contact our security team for documentation, questionnaire completion, or technical architecture details.

Contact Security Team Request Pilot Access

Security you can evaluate.