Launch Rail
Security & Compliance

Built for Industries That Can't Afford to Get It Wrong.

Launch Rail is architected from the ground up for regulated industries. Every microservice ships with immutable audit logging, per-tenant data isolation, end-to-end encryption, and self-hosted deployment — so your compliance team can breathe easy.

  • SOC 2 Type II Ready
  • HIPAA Architecture Ready
  • GDPR Compliant
  • ISO 27001 Aligned
  • CCPA Ready

Compliance Framework Coverage

Architecture aligned with the frameworks your enterprise customers, auditors, and procurement teams require.

Architecture Ready

SOC 2 Type II

Immutable Audit Logs, encryption controls, least-privilege IAM, and full OpenTelemetry tracing satisfy the availability, security, and confidentiality trust service criteria for SOC 2 audits.

  • Continuous activity logging via Audit-Log service
  • Role-based access with granular RBAC
  • Encrypted data at rest and in transit
  • Availability monitoring via OTel + alerting

Architecture Ready

HIPAA

PHI-aware data isolation, encryption at rest and in transit, access controls with granular RBAC, and immutable audit trails. Deploy on your own HIPAA BAA-covered AWS or GCP infrastructure.

  • Per-tenant data isolation at every layer
  • Minimum-necessary access enforcement via Authz
  • Immutable access records with actor context
  • Self-hosted on your BAA-covered cloud account

Compliant Architecture

GDPR & CCPA

Per-tenant data residency controls, right-to-erasure workflows, data export APIs, and consent tracking built into the Identity service. Your users' data stays where you tell it to.

  • Data residency controls — deploy in any region
  • Right-to-erasure API endpoints in Identity
  • Consent metadata storage per user
  • Structured data export for portability requests

Aligned

ISO 27001

Information security controls aligned with ISO 27001 Annex A. Access control policies, asset management, incident response hooks, and continuous monitoring via OpenTelemetry.

  • Access control policies enforced at wire level
  • Asset inventory via structured service manifests
  • Incident response hooks via Notifications service
  • Continuous monitoring with OTel metrics + tracing

Security Controls

Security isn't a feature we add later. It's baked into every layer of every service.

Data Protection

  • AES-256 encryption at rest for all stored data
  • TLS 1.3 enforced on all service-to-service communication
  • Envelope encryption with per-tenant key isolation
  • Presigned URLs for time-limited secure file delivery
  • Zero plaintext secrets — vault-integrated key management

Access Controls

  • HMAC-signed caller envelopes on every service request
  • Short-lived JWTs with minimal token surface area
  • Read-your-write consistency tokens in Authz
  • CEL-based fine-grained policy conditions
  • Device session management with revocation APIs

Infrastructure Security

  • Kubernetes NetworkPolicy for pod-level isolation
  • Private VPC — zero public database endpoints
  • Non-root container execution by default
  • Read-only root filesystems in all service containers
  • Automated dependency vulnerability scanning in CI

Data Sovereignty & Deployment

Your data never has to leave your perimeter. Choose the deployment model that fits your compliance requirements.

Self-Hosted

Your Cloud, Your Rules

Deploy on your own AWS or GCP account. Your data never leaves your infrastructure perimeter. Sign your own BAAs, apply your own security policies, and satisfy the most demanding enterprise compliance requirements.

  • Complete data sovereignty
  • Your own BAA-covered accounts
  • Air-gapped deployment option
  • Custom network topology
  • Zero data sharing with Launch Rail

Air-Gapped

For Classified Environments

Full offline deployment for government, defense, and highly regulated industries. Receive a complete, signed source tarball and container images for deployment in completely isolated environments.

  • Offline-capable container images
  • No external network dependencies
  • Signed release artifacts
  • Government & defense ready
  • Custom support SLA available

Immutable Audit Trail

Who did What, Where, When & Why.

The Audit-Log microservice is a high-throughput, tamper-evident ledger designed specifically for compliance use cases. Decoupled from your core application via NATS JetStream, it ingests thousands of events per second without impacting performance.

  • Every actor action logged with full context
  • Cryptographically tamper-evident log entries
  • Structured diffs capturing old/new values
  • Decoupled via NATS — never bottlenecks your app
  • Per-tenant strict isolation at query layer
  • Compliance event streams for SIEM integration

Responsible Disclosure

Found a Security Issue?

We take security seriously and appreciate the work of security researchers. If you discover a vulnerability in Launch Rail, please report it responsibly. We commit to acknowledging reports within 48 hours and providing status updates throughout remediation.

  • Initial Response: < 48 hours
  • Patch Target: ≤ 14 days (critical)
  • Credit: Hall of Fame listing

Ready to pass your next security review?

Our team can walk your security and compliance stakeholders through our architecture. Request a detailed security review package or schedule a technical call.