Security Architecture@endsection Built for CISO-grade procurement review@endsection 1.0@endsection Security Architecture — Headx Monitor
HomeTrust & Security
SECURITY ARCHITECTURE

Components, data flows, deployment models, encryption, access controls, threat model, compliance alignment, and operations — in enough technical depth to attach to CAIQ, SIG, or customer-specific security questionnaires.

TLS 1.3 in transit AES-256 at rest India data residency 99.9% uptime SLA ISO 27001 in progress SOC 2 in progress DPDP aligned
Request artefacts (NDA) Save as PDF Contact security
Last updated May 17, 2026 IST · Document version 1.0 · Reviewed quarterly
Encryption
TLS 1.3 · AES-256
KMS-managed keys, quarterly rotation
Hosting
AWS Mumbai
ap-south-1 · or self-hosted On-Prem
Authentication
JWT + MFA
bcrypt · TOTP / SMS · 24h tokens
Authorisation
RBAC 5 roles
Custom roles · row-level scoping
Audit logging
Every privileged action
3-7 year retention · SIEM export
Incident response
72-hour notify
CERT-In · DPDP-aligned

1 Executive summary

Headx Monitor is delivered in two forms: Cloud (SaaS) hosted in AWS Mumbai (ap-south-1), and On-Premise deployed inside the customer's own infrastructure with no data leaving the customer perimeter. The platform consists of a code-signed Windows endpoint agent, a Node.js / Express backend API with a real-time Socket.io command channel, and a Laravel 12 administrative dashboard backed by MariaDB.

Security posture at a glance

ControlImplementation
Data in transitTLS 1.3, HSTS, pinned-certificate agent communication
Data at restAES-256 (AWS KMS for Cloud; customer-managed for On-Premise)
AuthenticationJWT bearer tokens, tenant header, bcrypt passwords, TOTP / SMS MFA
AuthorisationRBAC with 5 default roles + custom-role support
Audit loggingEvery privileged action; immutable-storage option; SIEM export
Network isolationMulti-tenant SaaS with subdomain isolation; Cloudflare WAF + DDoS
Endpoint securityEV-signed MSI, tamper-resistant service, signed agent ↔ backend channel
Compliance alignmentIT Act 2000, IT Rules 2011, DPDP Act 2023, RBI / IRDAI / SEBI
CertificationsISO 27001:2022 In progress · SOC 2 Type 2 In progress

2 System architecture overview

2.1 Trust zones

Four distinct trust zones separated by TLS-terminated boundaries:

  • Endpoint zone — Windows workstations running the Headx agent
  • Customer perimeter zone — path from endpoint to Cloudflare (Cloud) or fully internal (On-Premise)
  • Headx Cloud zone — AWS Mumbai infrastructure; ingress / egress via Cloudflare + Apache
  • Sub-processor zone — third-party services receiving operational metadata only, never customer activity data

2.2 Data flows

FlowDirectionTransportAuth
Agent heartbeatAgent → BackendHTTPS POST 60sBearer + tenant
Activity batchAgent → BackendHTTPS POST 30–120sBearer + tenant
Screenshot uploadAgent → BackendHTTPS multipartBearer + tenant
Real-time commandBackend → AgentWebSocketPersistent bearer
Dashboard queryBrowser → LaravelHTTPSSession + CSRF
Backend queryLaravel → Node.jsLocalhost / TLSInternal JWT
DB readApp → MariaDBSocket / VPC-privateSecrets store

Long-lived bearer tokens have a maximum lifetime of 24 hours; agents auto-rotate.

3 Deployment architectures

3.1 Cloud (SaaS) AWS Mumbai

No production data replicated outside India.

  • EC2 in private subnets, ELB-fronted, auto-scaled per tenant load. No public IPs on application instances.
  • EBS for application data, S3 for screenshot blobs (AES-256 server-side encrypted, lifecycle-managed)
  • Managed MariaDB, encrypted at rest, daily automated backups, point-in-time recovery
  • Cloudflare WAF + DDoS in front of every endpoint; rate limiting per tenant
  • DNSSEC enabled

Tenant isolation: X-Tenant-ID header enforced in every backend route; database row-level isolation via company_id column scoped at the ORM layer; Cloudflare hostname routing for customer subdomains; tenant-prefixed storage paths.

3.2 On-Premise Air-gap supported

Recommended for BFSI, healthcare, government, and any customer subject to strict data-residency requirements.

  • Single Windows or Linux server hosts the application stack
  • All customer data stays on the customer-owned server
  • No telemetry, no phone-home, no Headx-side data collection unless the customer enables update-checks
  • Air-gapped deployments fully supported; update packages delivered via signed archive
  • Customer-managed encryption keys via OS-level KMS (Windows DPAPI, Linux LUKS / Vault)

Headx engineers access On-Premise systems only via customer-initiated screen-share. We hold no copy of customer data.

4 Identity & access management

4.1 Customer-side authentication

  • Password storage — bcrypt, cost factor 12, salted per user
  • Sessions — HTTP-only secure cookies, SameSite=Lax, CSRF tokens on every state change
  • MFA — TOTP and SMS available; enforceable per company
  • Session timeout — 4 hours default, configurable to 15 minutes
  • Account lockout — 5 failed attempts → 15-minute lockout
  • SSO — Azure AD / Okta SAML 2.0 Q3 2026

4.2 Role-based access control

Five default roles: Super Admin, Admin, Manager, Auditor, Viewer. Custom roles can be defined per company with granular permissions across 40+ permission keys.

4.3 Headx-side privileged access

Headx employees have zero default access to customer data. Operational access requires customer-raised ticket, SSO + hardware-key MFA, time-boxed access (auto-revoked after support), full session recording, and audit log shared with the customer. Background-verified employees only. Quarterly access reviews.

5 Data protection

5.1 In transit

  • TLS 1.3 on all customer-facing endpoints; TLS < 1.2 and weak ciphers disabled
  • HSTS enforced: max-age=31536000; includeSubDomains
  • Certificate pinning in the Windows agent — rejects unexpected chains
  • Internal service-to-service over TLS or localhost-only

5.2 At rest

  • Database AES-256 at the volume layer; column-level encryption on sensitive columns (PAN, Aadhaar fragments, hashed API keys)
  • Screenshot blobs: AES-256 server-side on S3 (Cloud) or filesystem-level (On-Premise)
  • Backups AES-256 with separate KMS keys
  • Secrets in AWS Secrets Manager (Cloud) or HashiCorp Vault / .env outside webroot (On-Premise)

5.3 Key management

  • AWS KMS-managed keys with automatic annual rotation
  • BYOK supported for On-Premise via standard OS keystores
  • JWT signing keys rotated quarterly; previous keys retained for grace-period validation
  • Database credentials never in source control; injected at runtime via secrets manager

6 Network security

  • Cloudflare — WAF tuned for OWASP Top 10; rate limiting per IP and per tenant; DDoS Layer 3-7
  • Apache reverse proxy — TLS termination, security headers (X-Frame-Options, X-Content-Type-Options, CSP, Referrer-Policy)
  • Server firewall — only 80 / 443 / 22 (key-only SSH) externally; all internal-service ports bound to localhost
  • SSH — public-key only; password authentication disabled; fail2ban active
  • VPC isolation — application instances in non-public subnets; no peering with non-Headx VPCs
  • Egress controls — application instances allowed only to known sub-processor endpoints

7 Endpoint agent security

Binary integrity

  • Agent MSI signed with an Extended Validation (EV) code-signing certificate
  • SHA-256 fingerprints published for AV whitelisting
  • Submitted to Microsoft Defender, CrowdStrike, Trend Micro, Symantec, McAfee, Kaspersky, SentinelOne

Runtime & communication

  • Windows service under a dedicated low-privilege account
  • Uninstall requires admin privilege and is audit-logged
  • HTTPS with pinned certificate; bearer token scoped to enrolled company; HMAC payload signing
  • Replay protection via timestamped requests
  • Offline encrypted queue; flushes when connectivity restored

Telemetry transparency

  • System-tray icon during active sessions
  • Consent prompt on first run; consent stored locally and confirmed with backend
  • User can pause monitoring during scheduled break windows (where customer policy enables)

8 Application security

Secure SDLC

  • Every commit via pull request; production merges require approving review
  • Static analysis (PHPStan, ESLint + SonarJS, Roslyn analyzers)
  • SCA on every dependency update; SLA on critical CVEs 24h, high 7d
  • Annual external penetration test by CERT-In-empanelled firm
  • Quarterly internal red-team exercises against staging

OWASP Top 10 mitigations

RiskMitigation
Broken access controlTenant guard middleware on every API route; row-level ORM scoping
Cryptographic failuresTLS 1.3, AES-256, bcrypt, no proprietary crypto
InjectionParameterized queries, input validation, output encoding
Insecure designSTRIDE threat modelling on every major feature
MisconfigurationHardened base images; secrets in vault; IaC reviewed
Vulnerable componentsDependabot + Snyk with CVE-driven patch SLAs
Auth failuresbcrypt, MFA, rate-limiting, lockouts, session timeouts
Software integrityCode-signed agent; signed update packages
Logging & monitoringCentralised aggregation; SIEM export; anomaly alerting
SSRFOutbound egress allowlist; no user-controlled URLs server-side

9 Threat model (STRIDE)

CategoryAssetMitigation
SpoofingCustomer admin accountMFA, anomalous-login UEBA, session tying
SpoofingEndpoint agent identityPer-agent enrolment key, signed channel, HMAC
TamperingActivity logsAppend-only logs; daily integrity hashes; SIEM forwarding
TamperingAgent binaryEV-signed MSI; runtime integrity check; missing-heartbeat detection
RepudiationAdmin actionsEvery action audit-logged with ID, IP, before/after state
Information disclosureCross-tenant dataTenant guard on every request; row-level scoping; integration tests
Information disclosureScreenshot URLsSigned short-lived URLs (15 min) with tenant ID + HMAC
DoSBackend APICloudflare DDoS; rate limiting per IP and per tenant token
DoSAgent telemetryPer-agent rate limits; agent circuit breaker
Elevation of privilegeCustomer userRole-change requires super-admin reconfirmation; audit-logged
Elevation of privilegeHeadx employeeZero default access; time-boxed; session recording; quarterly review

10 Compliance & standards

India statutory

  • IT Act 2000 (and 2008 amendment) — Section 43A reasonable security practices
  • IT Rules 2011 — consent, notice, retention, breach reporting
  • DPDP Act 2023 — granular consent, data-principal rights, Grievance Officer see status

Sector frameworks (aligned)

  • RBI Master Direction on Outsourcing of IT Services (Apr 2023); Cyber Security Framework for Banks (Jun 2016)
  • IRDAI Information and Cyber Security Guidelines (2017, current)
  • SEBI Cybersecurity and Cyber Resilience Framework (Aug 2022)

International standards

StandardStatusTarget
ISO 27001:2022 Stage 2 audit in progressQ2 2026 details
SOC 2 Type 2 Observation windowQ3 2026
GDPR DPA availableNow
HIPAA BAA availableNow
PCI DSSOut of scopeCardholder data handled by Cashfree / Razorpay
We do not claim certifications we have not yet earned. Interim attestations and audit timelines available under NDA.

11 Operations & incident response

Detection

  • 24×7 monitoring of infrastructure, application, and security events
  • Centralised log aggregation with anomaly detection
  • Alerting on failed-login spikes, privilege escalations, unusual egress, off-window changes, sub-processor outages

Response SLAs

PhaseSLA
Detection to confirmation1 hour (high-severity)
Containment2 hours of confirmation
Customer notification72 hours (DPDP alignment)
Public disclosure30 days post-resolution if customer data affected
Post-mortem30 days to affected customers

Regulator notification

  • CERT-In — within 6 hours per 28 April 2022 directive
  • Data Protection Board of India — per DPDP Act 2023 Section 8(6) (once Board is constituted)
  • Sector regulators — RBI / IRDAI / SEBI timelines honoured for relevant customers

12 Sub-processors

Sub-processorPurposeData accessedLocation
Amazon Web ServicesCompute, storage, databaseAll customer data encryptedMumbai (ap-south-1)
CloudflareCDN, WAF, DDoSTraffic metadata onlyGlobal edge
Cashfree PaymentsSubscription billingCustomer billing detailsIndia
RazorpayAlternative billingCustomer billing detailsIndia
Postmark / ResendTransactional emailEmail addresses + bodyUS (minimised)
SentryError monitoringStack traces (PII scrubbed)US
On-Premise customers have zero sub-processors — all data flows are inside the customer's own infrastructure.

13 Audit logging

Every admin login (success / failure with IP, user agent, geolocation), every privileged operation, every access by Headx personnel, every configuration change, every sub-processor data flow (metadata).

  • Retention — 3 years default; configurable up to 7 years for regulated customers
  • Storage — immutable storage (S3 Object Lock for Cloud)
  • Tamper-detection — daily integrity hashes
  • SIEM export — JSON, CEF, syslog (RFC 5424). Forwarders for Splunk, Sentinel, Elastic, QRadar.

14 Business continuity & disaster recovery

Cloud

MetricValue
Recovery Time Objective (RTO)4 hours for major incidents
Recovery Point Objective (RPO)1 hour (WAL + hourly snapshots)
Backup strategyDaily full + hourly incremental; cross-AZ within ap-south-1; 30-day retention
FailoverMulti-AZ with automatic DB failover; instances auto-replaced
DR rehearsalSemi-annual full-restore test
SLA99.9% uptime measured monthly

On-Premise

Customer-owned backup strategy. Headx provides tooling and documentation. Quarterly DR rehearsal recommended; available on paid engagement.

15 Vulnerability management

Internal

  • Continuous SAST on every commit
  • Daily SCA dependency scans
  • Monthly internal vulnerability scans (staging)
  • Quarterly internal vulnerability scans (production)
  • Annual external penetration test (CERT-In empanelled firm)

Responsible disclosure

Report vulnerabilities to security@headx.in. Acknowledgement 4 hours (24×7); confirmation 48 hours; patch SLA: critical 24h, high 7d, medium 30d, low 90d. Bug bounty available case-by-case for responsibly disclosed high-severity issues.

16 Data subject rights & deletion

RightHow to exerciseSLA
Right to knowprivacy@headx.inAck 48h, fulfil 30d
Right to correctionprivacy@headx.inAck 48h, fulfil 30d
Right to erasureprivacy@headx.inAck 48h, fulfil 30d (subject to retention)
Right to nominateWritten form on fileHonoured per nomination
Right to withdraw consentSelf-service or via Grievance OfficerImmediate effect

Cloud cancellation: full export window 30 days; production deletion within 90 days; backup deletion within 180 days.

17 Security roadmap

ItemStatusTarget
ISO 27001:2022 certificationIn progressQ2 2026
SOC 2 Type 2 attestationIn progressQ3 2026
SSO (SAML 2.0 — Azure AD, Okta)PlannedQ3 2026
Customer-managed keys (BYOK) for CloudPlannedQ4 2026
FedRAMP-aligned controls (government)Planned2027
Mac and Linux agentPlanned2027
Confidential-compute deployment (AWS Nitro Enclaves)Planned2027

Need detailed audit evidence or a signed DPA?

The full Statement of Applicability, latest penetration-test summary, sub-processor register with annual review records, and pre-filled CAIQ / SIG questionnaires are available under NDA — typically within 24 hours (IST business days).

Request artefacts Talk to sales