Security is the first feature, not the last one. This page summarizes how we protect your data, your servers, and your team. Need the full controls catalog? Email security@molixa.app.
AES-256 encrypted credentials
Every SSH key, API token, and secret we handle is encrypted at rest with AES-256-GCM. Keys are rotated quarterly; decryption only happens in the worker that needs it.
2FA + WebAuthn on every account
TOTP is free on every tier. WebAuthn (passkeys, YubiKey) is available on all plans and is required for admin actions. Backup codes are generated at enrollment.
CIS benchmark scans
Run the bundled CIS Level 1 benchmark against any managed server with one click. Results are ranked by impact and include remediation commands.
SOC 2 Type II in progress
We are currently in the observation window for SOC 2 Type II with an audit completion date in Q3 2026. Our full controls catalog is available under NDA.
Data residency options
US processing by default. EU-only residency is available on Enterprise agreements, with data stored exclusively in Hetzner FSN1 (Germany).
Pen-test policy
Independent third-party penetration tests are conducted annually. Reports are shared under NDA. Responsible disclosure goes to security@molixa.app under a 90-day embargo.
Encryption in transit and at rest
All traffic between your browser, our control plane, and your servers is protected by TLS 1.2+ with modern cipher suites. Sensitive data at rest uses AES-256-GCM with per-tenant data encryption keys (DEKs), each wrapped by a cloud KMS master key.
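The envelope scheme described above (and the credentials paragraph's point that decryption happens only in the worker that needs it) is illustrated here with an added Go example; it is not molixa.app's own code. It assumes a zeroed 32-byte stand-in for the KMS master key, uses the tenant ID as GCM associated data so a blob moved between tenants fails to unwrap, and draws a fresh DEK per call, a per-secret variant of the per-tenant DEK the page describes; function names and sample inputs are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed stand-in for the KMS master key (zeroed for the demo); in production the wrap/unwrap calls go to the KMS and this key never leaves it.
var masterKey = make([]byte, 32)

// Envelope is the stored record: the tenant's wrapped DEK beside the ciphertext.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// must panics on errors that only a bug or a failed CSPRNG can produce.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// aead builds AES-256-GCM; every key here is 32 bytes, so failure is a bug.
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal encrypts under a fresh random nonce as nonce||ciphertext||tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open verifies the GCM tag under aad before returning any plaintext.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// EncryptSecret draws a fresh 256-bit DEK, seals the secret under it, and wraps the DEK under the master key; both layers bind tenantID as AAD.
func EncryptSecret(tenantID string, secret []byte) Envelope {
	dek, aad := make([]byte, 32), []byte(tenantID)
	must(rand.Read(dek))
	return Envelope{seal(masterKey, dek, aad), seal(dek, secret, aad)}
}

// DecryptSecret unwraps the DEK (the step a worker delegates to the KMS), then opens the secret; a wrong tenant fails at unwrap.
func DecryptSecret(tenantID string, env Envelope) ([]byte, error) {
	dek, err := open(masterKey, env.WrappedDEK, []byte(tenantID))
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, []byte(tenantID))
}
```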
Authentication and session security
Accounts use argon2id password hashing with per-user salts and a strict NIST SP 800-63B policy (10-character minimum, HaveIBeenPwned breached-password check). Sessions are short-lived JWTs with rotating refresh tokens and per-device revocation.
Access control
Engineers access production only through break-glass procedures with approval, short-lived credentials, and full session recording. Read-only queries against aggregate metrics are permitted without break-glass.
Incident response
We run a 24/7 on-call rotation with PagerDuty routing. Sev-1 incidents are communicated within one hour on the status page and via email to affected customers. Post-mortems are public for customer-facing incidents.
Responsible disclosure
Report vulnerabilities to security@molixa.app. We acknowledge within 24 hours, keep you posted weekly until fixed, and run a modest bug bounty for in-scope reports.