LicenseIQ

Security

Last Updated: February 6, 2026

At LicenseIQ, security is foundational to our platform architecture, not an afterthought. We handle sensitive business data including software contracts, licensing costs, vendor relationships, and employee information. This page describes the security controls, practices, and certifications that protect your data.

Table of Contents

  1. Architecture Security
  2. Authentication and Access Control
  3. Compliance
  4. AI Security
  5. Infrastructure Security
  6. Monitoring and Incident Response
  7. Vulnerability Management
  8. Data Handling Practices
  9. Contact

Architecture Security

Multi-Tenant Isolation

Every customer’s data is isolated at the database level through Row-Level Security (RLS). Every database query is automatically filtered by your company identifier, ensuring no customer can access another customer’s data under any circumstances. This isolation is enforced at the PostgreSQL level, providing a mathematically provable boundary between tenants.
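As an added illustration (not LicenseIQ's own code), this is how a tenant filter of this kind is typically expressed as a PostgreSQL RLS policy. The table `contracts`, column `company_id`, role `app_user`, and setting `app.current_company_id` are all assumed names.

```sql
-- Hypothetical schema; every name and value here is constructed for illustration.
CREATE TABLE contracts (
    id          bigserial PRIMARY KEY,
    company_id  uuid NOT NULL,
    vendor      text NOT NULL,
    annual_cost numeric(12,2)
);

-- Policies have no effect until RLS is enabled. FORCE also subjects the
-- table owner to them; superusers and BYPASSRLS roles still skip RLS.
ALTER TABLE contracts ENABLE ROW LEVEL SECURITY;
ALTER TABLE contracts FORCE ROW LEVEL SECURITY;

-- USING filters rows that can be read, updated or deleted.
-- WITH CHECK rejects rows written with another tenant's identifier.
-- An unset setting yields NULL (an empty one is turned into NULL by NULLIF),
-- so the comparison is never true and no rows match: the policy fails closed.
CREATE POLICY tenant_isolation ON contracts
    USING (company_id =
           NULLIF(current_setting('app.current_company_id', true), '')::uuid)
    WITH CHECK (company_id =
           NULLIF(current_setting('app.current_company_id', true), '')::uuid);

-- The application connects as a role that cannot bypass RLS.
CREATE ROLE app_user NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON contracts TO app_user;
GRANT USAGE ON SEQUENCE contracts_id_seq TO app_user;

-- Per request: bind the tenant for this transaction only. The value must
-- come from the authenticated session, never from request input.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_company_id',
                  '11111111-1111-1111-1111-111111111111', true);

INSERT INTO contracts (company_id, vendor, annual_cost)
VALUES ('11111111-1111-1111-1111-111111111111', 'ExampleVendor', 1200.00);

SELECT id, vendor FROM contracts;  -- returns only this tenant's rows

-- Writing a row for a different tenant is rejected by WITH CHECK:
-- INSERT INTO contracts (company_id, vendor)
-- VALUES ('22222222-2222-2222-2222-222222222222', 'OtherVendor');
-- ERROR:  new row violates row-level security policy for table "contracts"
COMMIT;
```

When reviewing a design like this, confirm that the application role is neither the table owner (unless `FORCE` is set) nor a `BYPASSRLS` role, and that every tenant-scoped table has a policy, since a table without RLS enabled is not filtered at all.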

Defense in Depth

Our security model implements multiple layers of protection:

  • Network Security: AWS VPC with private subnets, security groups, and network ACLs.
  • Application Security: Input validation on all endpoints using Pydantic schemas, rate limiting to prevent abuse, and CORS policies restricting cross-origin access.
  • Data Security: Encryption at rest (AES-256) and in transit (TLS 1.2+), with secure credential storage through AWS Secrets Manager.

Authentication and Access Control

Authentication

LicenseIQ uses JWT (JSON Web Token) authentication with short-lived access tokens (15-minute expiry) and longer-lived refresh tokens (7-day expiry). Passwords are hashed using bcrypt via the passlib library. The platform enforces strong password requirements and supports secure session management.

Role-Based Access Control

Four permission tiers control access throughout the platform:

  • Admin: Full access to all features, data, and settings.
  • Manager: Department-scoped access; can approve requests within their team.
  • HR: User management and onboarding capabilities.
  • Employee: View own data and submit access requests.

Each API endpoint enforces role-based permissions, ensuring users can only access data and actions appropriate to their role.

Compliance

SOC 2 Type II

LicenseIQ implements the controls required for SOC 2 Type II certification, including comprehensive audit logging of all data access and modifications, access controls and authentication mechanisms, change management procedures, and incident response protocols. All user actions are logged with identity, timestamp, action type, and affected entities.

GDPR

We provide full GDPR compliance capabilities built directly into the platform:

  • Data Subject Access Requests (DSAR) can be submitted and processed through our API.
  • Right to Erasure (“right to be forgotten”) is supported with cascading soft deletes.
  • Data Portability is available through JSON and CSV export endpoints.
  • Consent Management is tracked with timestamps and purpose specification.
  • PII Detection and masking services automatically identify and protect sensitive data.

AI Security

Our AI architecture includes specific security measures for artificial intelligence operations:

  • All AI tool executions require two-phase confirmation for write operations, preventing unintended modifications.
  • Company Data sent to AI providers (Anthropic, OpenAI) is transmitted over encrypted connections and is not used to train provider models under our API agreements.
  • AI-generated recommendations are informational and require human approval before execution of any data-modifying actions.
  • Conversation context is isolated per company through our multi-tenant memory system.

Infrastructure Security

LicenseIQ runs on Amazon Web Services (AWS) infrastructure, leveraging AWS’s world-class physical and network security:

  • ECS Fargate: Serverless container orchestration (no server management surface).
  • RDS PostgreSQL: Automated backups and encryption.
  • ElastiCache Redis: Caching with encryption in transit.
  • S3: Server-side encryption for document storage.
  • CloudWatch: Centralized logging and monitoring.
  • Secrets Manager: Secure credential storage.

All infrastructure is defined as code (Terraform), ensuring reproducible, auditable deployments.

Monitoring and Incident Response

We maintain 24/7 monitoring of platform health, security events, and anomalous activity. Our monitoring stack includes application health checks, performance metrics, error rate tracking, and security event logging. Our incident response process follows established procedures for identification, containment, eradication, and recovery, with communication protocols for notifying affected customers.

Vulnerability Management

We conduct regular dependency audits and keep all libraries and frameworks updated. Our CI/CD pipeline includes automated security checks. We welcome responsible disclosure of security vulnerabilities and can be reached at security@licenseiq.net.

Data Handling Practices

  • Encryption at Rest: All data stored in our databases and object storage is encrypted using AES-256 encryption managed by AWS.
  • Encryption in Transit: All data transmitted between your browser and our servers, and between our internal services, is encrypted using TLS 1.2 or higher.
  • Backup and Recovery: Automated daily database backups with point-in-time recovery capability. Backups are encrypted and stored in a separate AWS region.
  • Data Deletion: When you delete data or close your account, we permanently remove your Company Data within 30 days. Audit logs may be retained for compliance purposes.

Contact

For security inquiries, vulnerability reports, or to request our detailed security documentation:

Email: security@licenseiq.net

For urgent security issues, include “URGENT” in the subject line.


© 2026 LicenseIQ. Built for growing companies who value their software budget.