Security & Privacy

Security & Privacy

How CODEX protects data through controlled deployments, European infrastructure, and layered safeguards—without overstating guarantees.

Last updated: 2025-10-11

Security & Privacy

CODEX is designed for sovereign administrative environments—where systems are fragmented, trust is imperfect, and auditability matters. This page describes our security and privacy approach at a practical level. It is intentionally concise.

If a signed agreement exists, the agreement governs in case of differences.

Summary

  • European infrastructure: CODEX runs on raw infrastructure from OVHcloud and Hetzner.
  • Data residency: Data is stored in France or Germany, as specified by the applicable contract and deployment configuration.
  • Deployment control: We operate and harden the stack ourselves—operating systems, network boundaries, application runtime, and encryption at rest.
  • No end-to-end encryption: CODEX does not offer end-to-end encryption. Abyrint can access data when required for operations, support, or legal obligations, subject to strict internal controls.
  • Data minimization: We minimize personal data collection and separate identity from operational records where possible.

Infrastructure and data residency

CODEX runs on dedicated or virtualized infrastructure provisioned from OVHcloud and Hetzner. We use these providers as raw compute and storage. We do not depend on “managed platform” features for core security boundaries.

Where data lives: Production data is stored in France or Germany. The exact region, redundancy model, and any cross-region replication are defined in the contract and deployment scope.

Operational control and encryption

We control the deployment environment end-to-end at the infrastructure and application layers:

  • We provision and harden hosts (OS baseline, patching, minimal services).
  • We control network boundaries (segmentation, inbound restrictions, service-to-service controls).
  • We implement encryption at rest as part of the platform architecture and key handling.

This is different from typical “public cloud defaults”. The security posture comes from direct operational control, not opaque managed services.

Important limitation: CODEX does not provide end-to-end encryption. Encryption protects data in storage and in transit, but the platform must be able to process data to provide functionality.

Access control and administrative boundaries

CODEX is not designed for open public sign-ups. Access is controlled and provisioned.

  • Role-based permissions are used to restrict access to workspaces and functions.
  • Administrative access to production systems is restricted to a small number of authorized Abyrint operators.
  • Support access is controlled and logged. We do not provide broad internal access to customer data by default.

Where feasible, we separate:

  • identity and account metadata (needed for access) from
  • operational workspace content (the data you work with).

Logging, monitoring, and abuse prevention

To protect service integrity, CODEX maintains operational logs for:

  • authentication and session events,
  • abnormal access patterns,
  • service health and error diagnostics.

Logs are designed to avoid storing unnecessary personal data, but some metadata (e.g., IP addresses during authentication and abuse detection) may be processed for security and operational reasons. Retention is limited and governed by operational need and contractual scope.

We apply rate limits and abuse controls to reduce automated attacks and misuse.

Backups and resilience

Backups exist to protect availability and recoverability. Backup handling follows the same residency and access controls as production, within the agreed deployment scope.

Because backups are point-in-time copies, deleted data may persist in backups for a limited period until those backups rotate out, unless the contract specifies a different process.

Privacy: what we collect and why

We aim to collect the minimum needed to operate the service.

Typically, CODEX processes:

  • account identifiers used for access and administration (e.g., email address),
  • security metadata needed to protect sessions and detect misuse (e.g., IP address and device/session information),
  • workspace content provided by users or ingested from authorized sources.

Where the platform generates internal identifiers, we prefer using non-human identifiers for operational linkage rather than repeating personal identifiers everywhere.

We do not sell user data. We do not run ad tracking on CODEX.

Data sharing and third parties

Abyrint is the primary operator of CODEX. Infrastructure providers (OVHcloud and Hetzner) provide the underlying compute/storage facilities.

We may use limited third-party services for narrowly scoped functions (for example, transactional email), depending on deployment configuration. When used, these are selected to align with European residency and contractual requirements.

We do not rely on third-party cloud “black box” security controls for core platform security.

Consulting operations vs CODEX

Abyrint may handle operational data outside CODEX in the course of consulting engagements (documents, internal coordination, client collaboration). That operational handling is separate from CODEX platform controls.

When an engagement uses CODEX as the working environment, CODEX policies and controls apply within the agreed scope.

Security contact

For security or privacy questions related to CODEX, contact the engagement owner or reach us via:

abyrint.com/about/contact