Documentation

HOW LOXEAI WORKS

What we call, what we infer, what we store, and what we choose not to claim. The scanner, the reasoning layer, and the deletion processes are open-source and reproducible.

EVT v0.4 | Last updated 5 May 2026 | Open-source reasoning

ARCHITECTURE

The open-source scanner runs as a stateless Cloudflare Worker. Each scan request creates short-lived AWS credentials via STS AssumeRole, performs evidence collection, and exits. Scan state lives in Cloudflare D1 (SQLite at the edge) for 30 days, then gets deleted automatically. Generated reports are stored in R2 object storage.

Runtime: Cloudflare Workers
Database: Cloudflare D1
Storage: Cloudflare R2
Queue: Cloudflare Queues

No VM. No container. No persistent process. Stateless by design. We chose this architecture so the absence of persisted credentials is verifiable. Short-lived sessions, edge storage, and open code let an auditor reproduce the exact calls and verify results independently.

HOW A SCAN RUNS

  1. You POST an IAM Role ARN and ExternalId to the Worker.
  2. The Worker calls STS AssumeRole for short-lived session credentials (1-hour TTL).
  3. Evidence collection fans out across AWS services using SigV4-signed requests.
  4. Evidence items are written to D1, chunked per scan.
  5. An open-source reasoning model analyzes each control with a structured prompt and a strict JSON output contract.
  6. The report is assembled from control results and stored in R2.
  7. Evidence data is deleted automatically after 30 days unless you remove it earlier.

Evidence collection fans out in parallel (12 concurrent) across services and regions. Free-tier scoring is fully deterministic: same evidence always produces the same scores, no model involved. To prevent abuse, the free tier is strictly rate limited to 5 scans per day (UTC). Paid analysis runs each control through Claude independently via Cloudflare Queues, 12 messages in parallel, assembled into a final report when all complete.

Long-lived AWS credentials are never retained. The role is read-only. Nothing is installed in your account beyond the read-only role created from the CloudFormation template.

Rate limit: 5 scans / ExternalId / day · 1 concurrent scan per ExternalId

EVIDENCE COLLECTION

All AWS API calls are SigV4-signed. Calls run in parallel with a concurrency cap to avoid rate limits. Raw responses (XML or JSON) are truncated for analysis context windows when necessary, but CRITICAL-severity findings are always preserved. Each response is stored as a discrete evidence item with its source endpoint, timestamp, and SHA-256 content hash.

IAM
  • GetAccountSummary
  • ListUsers
  • GetAccountPasswordPolicy
  • ListGroups
  • GetCredentialReport
  • ListMFADevices
  • ListPolicies
  • ListRoles
S3
  • ListBuckets
  • GetBucketEncryption
  • GetBucketPolicy
  • GetBucketVersioning
  • GetPublicAccessBlock
CloudTrail
  • DescribeTrails
  • GetTrailStatus
  • GetEventSelectors
  • ListTrails
AWS Config
  • DescribeConfigRules
  • DescribeConfigurationRecorders
  • DescribeDeliveryChannels
EC2 / VPC
  • DescribeSecurityGroups
  • DescribeVpcs
  • DescribeFlowLogs
  • DescribeInstances
CloudWatch + SNS
  • DescribeAlarms
  • ListMetrics
  • ListTopics
  • ListSubscriptions

Additional services include KMS, GuardDuty, SecurityHub, Secrets Manager metadata, WAF, RDS, Lambda, and SSO.

CONTROL MAPPING

Mapping from evidence to SOC 2 Trust Services Criteria is deterministic. The same evidence set always produces the same control mapping. This mapping is implemented as hand-coded checks and rule tables, updated as API coverage expands.

CC6.1 Logical Access, Restricted Access
IAM users, password policy, MFA status, credential report, KMS key policies

CC6.2 System Access Provisioning
IAM user creation dates, group memberships, SSO configuration, access key metadata

CC6.3 Role-Based Access & Segregation
IAM roles, policy attachments, trust relationships, cross-account access

CC6.6 External Threat Boundary
VPC configuration, security groups, WAF Web ACLs, flow logs status, EC2 instances

CC6.7 Restricted Data Movement & Encryption
S3 encryption & public access, KMS keys & rotation, RDS encryption, Secrets Manager

CC7.1 Configuration & Vulnerability Management
AWS Config recorders, delivery channels, Config rules compliance

CC7.2 Security Event Monitoring
CloudTrail trails, multi-region flag, log validation, event selectors, CloudWatch alarms

CC7.3 Anomaly Detection
GuardDuty detectors, CloudWatch alarms, SNS topics, CloudWatch metrics

CC7.4 Incident Response
SecurityHub findings, GuardDuty status, SNS subscriptions, Security Hub standards

CC8.1 Change Management
CloudTrail event selectors, Config rules, Lambda function inventory

CC5.2 Technology Controls
AWS Config, SecurityHub standards, GuardDuty, Config rules

CC9.2 Business Continuity & Recovery
RDS snapshots and backup retention, S3 versioning & replication status

Because the mapping is deterministic, every gap finding traces directly to a specific API call and response field. The evidence shows the exact API call and value that triggered the finding.

SCORING

Two scores are computed for each scan. Both are 0–100. Neither maps to a binary “audit-ready” claim.

GAP SCORE

Percentage of checkpoints meeting their thresholds, weighted by severity of failing findings:

Severity        Deduction
CRITICAL        -25 points
HIGH            -15 points
MEDIUM          -5 points
LOW / INFO      -1 point

Score           Interpretation
80-100          Low audit risk, known gaps, manageable
60-79           Moderate, auditor will likely raise findings
<60             High, remediate before scheduling audit

FRESHNESS SCORE

Recency of the evidence underpinning the analysis. Inputs: IAM access key age vs 90-day rotation policy, credential last-used dates, CloudTrail log delivery recency, Config rule last-evaluation timestamps. Below 70 indicates configurations that auditors commonly flag for staleness.

The free-tier heuristic score is a directional estimate. The per-control paid analysis may identify additional findings the heuristic rules miss, particularly where IAM permission gaps prevented evidence collection. Scores between the two tiers will differ. This is expected, not an error.

TRACEABILITY

Every finding in the paid report is anchored to the evidence that produced it. Each evidence item carries:

  • The exact AWS API endpoint called (e.g. iam.amazonaws.com/GetAccountSummary)
  • The request timestamp in ISO 8601 UTC
  • The raw response body (truncated if over 50KB, but CRITICAL findings are never truncated)
  • A SHA-256 hash of the evidence item for tamper-evidence
  • The AWS region the call was issued against

Because the scanner is open-source, an auditor can clone the repo, point it at their client's account, run the exact same calls, and verify that our evidence matches what they collect independently. The hash creates a chain of custody between the raw response and the finding that cited it. This is why the scan is open-source. Not a values statement, a trust mechanism. You can check our work because the work is checkable.
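As an added illustration (not the LoxeAI scanner's own code), the following Python sketches the chain described in the control-mapping, scoring and traceability sections: constructed API responses become hashed evidence items, two hand-coded rules turn them into findings that cite evidence IDs, the gap score is derived from the deduction table, and an auditor re-verifies the hashes against an independent re-collection. The evidence ID scheme, the rule details, the hash-before-truncate design and the exact scoring formula are assumptions, not documented behaviour.

```python
"""Added example, not the LoxeAI scanner's code: constructed API responses become hashed
evidence items, rules produce findings citing evidence IDs, gap score from the deduction table,
auditor re-verifies. ID scheme, rules, truncation design and formula are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

MAX_BODY = 50 * 1024  # truncation threshold stated in the docs
DEDUCTION = {"CRITICAL": 25, "HIGH": 15, "MEDIUM": 5, "LOW": 1, "INFO": 1}

def canon(body):  # canonical JSON so the same response always hashes the same way
    return body if isinstance(body, str) else json.dumps(body, sort_keys=True)

def sha(text):
    return hashlib.sha256(text.encode()).hexdigest()

def make_evidence(endpoint, region, body, keep_full=False):
    # Assumed design: hash the full raw response first, then truncate the stored copy if it
    # exceeds MAX_BODY. keep_full=True models "CRITICAL findings are never truncated".
    raw = canon(body)
    digest = sha(raw)
    truncated = len(raw) > MAX_BODY and not keep_full
    return {"evidence_id": f"ev-{digest[:12]}",  # constructed ID scheme
            "endpoint": endpoint, "region": region,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "body": raw[:MAX_BODY] if truncated else raw,
            "truncated": truncated, "sha256": digest}

def verify(item, recollected=None):
    # Auditor side: the stored body must still match its recorded hash (only checkable when
    # stored untruncated), and an independently re-collected response must hash to the same value.
    if not item["truncated"] and sha(item["body"]) != item["sha256"]:
        return False, "stored body does not match recorded hash"
    if recollected is not None and sha(canon(recollected)) != item["sha256"]:
        return False, "re-collected response differs from recorded hash"
    return True, "ok"

def check_cc6_1_account_mfa(ev):
    """Constructed CC6.1 rule over GetAccountSummary: AccountMFAEnabled must be 1."""
    value = json.loads(ev["body"])["SummaryMap"].get("AccountMFAEnabled", 0)
    if value != 1:
        return {"control": "CC6.1", "severity": "CRITICAL", "evidence_id": ev["evidence_id"],
                "field": "SummaryMap.AccountMFAEnabled", "value": value}

def check_cc6_7_public_access_block(ev):
    """Constructed CC6.7 rule over GetPublicAccessBlock: all four flags must be true."""
    cfg = json.loads(ev["body"])["PublicAccessBlockConfiguration"]
    off = [k for k, v in cfg.items() if not v]
    if off:
        return {"control": "CC6.7", "severity": "HIGH", "evidence_id": ev["evidence_id"],
                "field": "PublicAccessBlockConfiguration", "value": off}

def gap_score(findings):
    """Assumed reading of the scoring table: 100 minus per-finding deductions, floored at 0."""
    score = max(0, 100 - sum(DEDUCTION[f["severity"]] for f in findings))
    band = "Low audit risk" if score >= 80 else "Moderate" if score >= 60 else "High"
    return score, band

def run_scan(responses):
    """responses: (endpoint, region, body, rule) tuples -> (evidence, findings)."""
    evidence = [make_evidence(e, r, b) for e, r, b, _ in responses]
    findings = [f for ev, (*_, rule) in zip(evidence, responses) if (f := rule(ev))]
    return evidence, findings

SAMPLE = [  # constructed sample responses, not data from any real account
    ("iam.amazonaws.com/GetAccountSummary", "us-east-1",
     {"SummaryMap": {"AccountMFAEnabled": 0, "Users": 3}}, check_cc6_1_account_mfa),
    ("s3.amazonaws.com/GetPublicAccessBlock", "us-east-1",
     {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                         "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
     check_cc6_7_public_access_block),
]
```

Running `run_scan(SAMPLE)` yields one CRITICAL and one HIGH finding, a gap score of 60 ("Moderate"), and `verify` flags both a tampered stored body and a re-collected response that no longer matches.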

WHAT WE'RE NOT YET CLAIMING

The SOC 2 framework covers nine criteria series. AWS API calls can surface evidence for roughly 25–30% of those criteria, specifically the access controls, monitoring, and change management criteria (CC6, CC7, CC8) that auditors interrogate most heavily for cloud-native companies. The remaining 70% (governance processes, risk assessments, written policies, access reviews, vendor risk, HR controls, incident response exercises) have no API. We do not assess those. That said, our compliance co-pilot does help significantly with creating and automating those tasks outside the evidence scope.

“Pre-audit readiness” means the AWS infrastructure layer is assessed. It does not mean your auditor will have no findings. It means you'll have fewer surprises on the technical side, and the ones you do have will come with traceable evidence and copy-pasteable commands to fix them.

We don't publish an accuracy number. We don't have one that's meaningful enough to publish yet. We'd rather earn the big claim than make it.

This is a Type I tool. Continuous monitoring (Type II evidence collection over time) is on the roadmap, not shipped.

REQUIRED PERMISSIONS

The CloudFormation template grants two AWS managed policies: SecurityAudit and ReadOnlyAccess. Together these cover the majority of what the scanner needs.

INCLUDED IN THE TEMPLATE

  • IAM: password policy, users, roles, policies, credential report, MFA devices
  • CloudTrail: trails, event selectors, trail status
  • AWS Config: configuration recorders, delivery channels
  • EC2 / VPC: security groups, VPCs, instances, flow logs
  • CloudWatch: alarms
  • KMS: key list and rotation status
  • SecurityHub: hub status, findings, enabled standards
  • GuardDuty: detector list
  • WAF: web ACL list
  • SNS: topics and subscriptions
  • Secrets Manager: secret metadata only (never values)
  • SSO: instance list

REQUIRES MANUAL ADDITION

  • RDS DescribeDBInstances, DescribeDBSnapshots, DescribeDBClusterSnapshots require AmazonRDSReadOnlyAccess. Without it, CC9.2 (Business Continuity) cannot be assessed.
  • Config rules config:DescribeConfigRules may be blocked depending on your account configuration. Affects CC7.1 and CC5.2.
  • CloudWatch metrics cloudwatch:ListMetrics is not in SecurityAudit. Affects CC7.3 anomaly detection scoring.

  aws iam attach-role-policy --role-name LoxeAIPilotReadOnlyRole --policy-arn arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess

YOUR DATA & DELETION

Here is exactly what we store, where, and for how long, with no buried clauses.

What                               Where           How long
AWS API responses (evidence)       Cloudflare D1   30 days, then auto-deleted
Gap scores & control analysis      Cloudflare D1   30 days, then auto-deleted
Generated report (HTML + JSON)     Cloudflare R2   30 days, then auto-deleted
Finding edits & resolved marks     Cloudflare D1   30 days, deleted with scan
Data access log                    Cloudflare D1   30 days, deleted with scan
Payment records                    Stripe          As required by law (~7 years)

WHAT WE NEVER STORE

AWS credentials, secret values, application data, customer data, code, or anything your application stores about your users. The IAM role sessions have a 1-hour TTL and are never persisted after the scan completes.

DELETE ANYTIME

Every scan page has a “Delete all my scan data” button. One click wipes all D1 rows and R2 objects for that scan immediately: evidence, report, edits, access log, everything. No email required. Payment records remain with Stripe as required by law but contain no scan data.

DESIGN PARTNER PLATFORM

For the paid platform, the storage layer differs from the open-source scanner:

  • Evidence is stored in an isolated, org-scoped Postgres workspace rather than Cloudflare D1
  • Reports are stored in S3 (private, authenticated access only) rather than R2
  • Retention is configurable per org rather than a fixed 30-day auto-delete
  • Gideon receives only an anonymized findings summary for the session. No account IDs, ARNs, or raw evidence. Session context is discarded when the session ends
  • The access log and deletion guarantee carry over: org owners can see all data access, and data deletion is available on request

Same third-party list: Stripe for payments, Anthropic's Claude API for analysis. Neither receives your AWS account ID or org name.

AWS ONBOARDING

Setting up your AWS account on the Design Partner platform takes about five minutes. Here is what happens at each step:

  1. Add AWS Account: enter your AWS account ID in the Loxe dashboard.
  2. Loxe generates an ExternalId and a pre-filled CloudFormation URL specific to your org.
  3. You deploy the CloudFormation stack in your AWS console. It creates a read-only IAM role with SecurityAudit and ReadOnlyAccess policies.
  4. Back in Loxe, paste the Role ARN from the CloudFormation output.
  5. Loxe validates the role via STS AssumeRole. If it succeeds, your account is connected.

Sessions are temporary. Credentials are never stored. The role can be deleted from your AWS account at any time without affecting your Loxe workspace.

SCAN PIPELINE

Paid scans are asynchronous. When you trigger a scan, it progresses through four stages, each visible in the Live Trust Pipeline UI:

Stage 1: Assume Role
Stage 2: Collect Inventory
Stage 3: Evaluate Controls
Stage 4: Store Evidence

Workers run in isolation per scan. Each stage completes before the next begins. The pipeline is the same stateless Worker architecture as the free tier, extended with persistent storage and org-scoped workspaces.

WORKSPACE & RBAC

The paid tier is org-first. Every organization gets an isolated workspace. Access is controlled by five roles:

Role        Capabilities
Owner       Full access, billing, member management, data deletion
Admin       Manage accounts, run scans, manage members, download reports
Engineer    Run scans, view findings, use Gideon, assign remediation
Auditor     View reports, download evidence packages, read-only access
Viewer      Read-only dashboard access, view scan results

GIDEON

Gideon is a compliance co-pilot scoped to SOC 2, AWS security, audit evidence, and remediation workflows. It is not a general chatbot.

When you're on an asset detail page, Gideon has access to your org context and evidence. Ask it how to explain a finding to your auditor, and it gives you the words with the evidence attached. Ask it to help draft a policy, and it works from your actual scan results.

  • Policy writing, vendor risk, HR controls, client onboarding
  • Answers in context of your actual scan results
  • Cannot modify infrastructure or run scans
  • Guardrails block out-of-scope and prompt injection attempts

REMEDIATION QUEUE

Findings from scans generate remediation items with severity, assignee, status, and linked evidence. The workflow:

Scan → Review findings → Assign owners → Track → Re-scan & compare delta

Each remediation item links back to the evidence ID that triggered it. When you re-scan, the delta shows which items improved, regressed, or stayed the same.

REPORTS

Three report formats are available. All downloads are authenticated. There are no public URLs.

HTML

Auditor-facing report with gap assessment, control-by-control analysis, and remediation roadmap.

JSON

Canonical full evidence package with SHA-256 hashes, API traces, and structured findings.

CSV

Tabular export for compatibility with spreadsheets and compliance platforms.

MULTI-ACCOUNT

The paid platform supports multiple AWS accounts per organization. Each account is onboarded and scanned independently. Results are aggregated across accounts in the org dashboard.

CUSTOM CONTROLS

Custom controls let you encode your own compliance requirements as deterministic checks, running on the same SHA-256-verified evidence pipeline as built-in controls.

HOW TO CREATE ONE

  1. Describe what you want checked in plain English.
  2. Gideon drafts a structured control definition.
  3. Backend validates it against the supported check catalog.
  4. Saved controls run on every future scan automatically.

KEY GUARANTEES

  • Gideon assists in authoring. The rules engine does the evaluation. No LLM is involved in the pass/fail decision. Custom controls are deterministic, not AI-judged.
  • Custom controls appear in the audit package identically to built-in controls: same evidence IDs, same SHA-256 chain, same traceability.
  • The backend rejects check keys not in the supported catalog, so arbitrary logic cannot be injected.
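To make the allow-list guarantee concrete, here is an added Python sketch (not Loxe's backend code) of a check catalog, a validator that rejects any drafted control outside it, and a deterministic evaluator that runs the accepted definition over parsed evidence. The catalog entries, field names, operator set and definition format are constructed for illustration.

```python
"""Added example, not Loxe's backend: a fixed check catalog, a validator that rejects any
drafted control outside it, and a deterministic evaluator. Catalog and format are constructed."""

# Allow-list of what a custom control may check: key -> (evidence endpoint, path into the
# parsed response, value type). Only keys listed here can ever reach the evaluator.
CATALOG = {
    "iam.password_policy.min_length": (
        "iam.amazonaws.com/GetAccountPasswordPolicy", ("PasswordPolicy", "MinimumPasswordLength"), int),
    "cloudtrail.trail.multi_region": (
        "cloudtrail.amazonaws.com/DescribeTrails", ("trailList", 0, "IsMultiRegionTrail"), bool),
    "s3.bucket.versioning_status": (
        "s3.amazonaws.com/GetBucketVersioning", ("Status",), str),
}
OPERATORS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b}
SEVERITIES = {"CRITICAL", "HIGH", "MEDIUM", "LOW"}
FIELDS = {"name", "check", "op", "expected", "severity"}

def validate_control(defn):
    """Return a list of errors; an empty list means the draft is accepted.
    Whatever the co-pilot drafted, only a catalog key, a listed operator and a value of
    the declared type get through, so no free-form logic reaches the rules engine."""
    errors = []
    if extra := set(defn) - FIELDS:
        errors.append(f"unknown fields: {sorted(extra)}")
    if not isinstance(defn.get("name"), str) or not defn.get("name"):
        errors.append("name must be a non-empty string")
    if defn.get("check") not in CATALOG:
        errors.append("check key not in supported catalog")
    elif type(defn.get("expected")) is not CATALOG[defn["check"]][2]:
        errors.append(f"expected must be {CATALOG[defn['check']][2].__name__}")
    if defn.get("op") not in OPERATORS:
        errors.append("operator not supported")
    if defn.get("severity") not in SEVERITIES:
        errors.append("severity must be one of " + ", ".join(sorted(SEVERITIES)))
    return errors

def evaluate(defn, evidence):
    """Rules engine: evidence maps endpoint -> parsed response body. Same inputs give the
    same result and no model is consulted. Callers run validate_control first."""
    endpoint, path, _ = CATALOG[defn["check"]]
    value = evidence[endpoint]
    for key in path:
        value = value[key]
    passed = OPERATORS[defn["op"]](value, defn["expected"])
    return {"control": defn["name"], "passed": passed, "observed": value,
            "severity": None if passed else defn["severity"], "endpoint": endpoint}

# Constructed inputs: one well-formed draft, one that carries an unlisted check key and an
# extra field, and a small evidence set that is not from any real account.
GOOD = {"name": "Passwords at least 14 chars", "check": "iam.password_policy.min_length",
        "op": ">=", "expected": 14, "severity": "MEDIUM"}
BAD = {"name": "Custom script", "check": "s3.run_custom_script", "op": "exec",
       "expected": "anything", "severity": "HIGH", "script": "<free-form logic>"}
EVIDENCE = {"iam.amazonaws.com/GetAccountPasswordPolicy": {"PasswordPolicy": {"MinimumPasswordLength": 8}},
            "cloudtrail.amazonaws.com/DescribeTrails": {"trailList": [{"IsMultiRegionTrail": True}]}}
```

`validate_control(BAD)` returns three errors (unknown field, unlisted check key, unsupported operator) and the draft never reaches `evaluate`; `validate_control(GOOD)` returns an empty list and the control fails deterministically against the 8-character policy in the sample evidence.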

API TRACEABILITY

Every evidence item carries: the exact AWS API endpoint called, request timestamp in ISO 8601 UTC, raw response body (truncated if over 50KB, but CRITICAL findings are never truncated), SHA-256 hash of the evidence item, and the AWS region the call was made against.

The chain goes: AWS API call → raw response stored → SHA-256 hashed → finding cites specific evidence ID → report references that finding. Every link in that chain is verifiable.

The open-source scanner means an auditor can clone the repo, run the same calls against the same account, and verify that Loxe's evidence matches what they collect independently. The hash is the chain of custody.

For the paid platform: evidence IDs are stable within a scan, so Gideon citations and remediation items reference the same IDs that appear in the downloaded JSON report. A developer integrating with the JSON export can cross-reference findings back to raw API responses by evidence ID.

PRIVACY POLICY

Last updated: 5 May 2026

WHAT WE COLLECT (OPEN-SOURCE SCANNER)

Scan input: Your IAM Role ARN, ExternalId, and organization name. Required to perform the scan and label the report.

Evidence data: AWS API responses collected during the scan: IAM configuration, CloudTrail settings, S3 bucket metadata, VPC configuration, and similar infrastructure metadata. This is infrastructure metadata, not your application data, customer data, or secret values.

Report content: The analyzer output, findings, gap scores, and remediation recommendations derived from the evidence.

Edits: If you mark findings as resolved or edit finding text in the workspace, those edits persist across sessions.

WHERE WE STORE IT

Open-source scanner data lives in Cloudflare's infrastructure: D1 for scan metadata, evidence, and analysis; R2 for report files. We do not use third-party analytics, session replay, or advertising networks.

RETENTION

Data type             Retention
Raw evidence data     30 days from scan date, then automatic deletion
Generated report      30 days from generation, then automatic deletion
Scan metadata         30 days, then automatic deletion
Finding edits         30 days, deleted with scan
Payment records       As required by Stripe and tax regulations (~7 years)

WHAT WE DO NOT TOUCH

  • Application data, database contents, S3 object contents, or file contents
  • Customer data: anything your application stores about your users
  • Secret values: Secrets Manager values, SSM Parameter Store values, environment variables
  • Code: repository contents, Lambda function code, or container images
  • Financial data: billing records, cost data, or payment methods

AWS ACCESS

Access is via STS AssumeRole with your ExternalId. Credentials are session-scoped (1-hour TTL) and are not stored. The Worker assumes the role, runs the scan, and the session expires. The IAM role our CloudFormation deploys is scoped to SecurityAudit and ReadOnlyAccess, with explicit denies around secret values. All API calls use TLS 1.3 and are SigV4-signed.

DESIGN PARTNER PLATFORM

The design partner platform provides customized end-to-end workflows tailored directly to your organization. Unlike the free tier, it maps over 40 AWS services (including ECS, EKS, RDS, SQS, SNS, KMS, and more) — not just the core CC controls. It integrates Gideon, our native AI compliance co-pilot, to help you resolve issues dynamically.

Authentication is secured via enterprise-grade RBAC (Role-Based Access Control) using SSO, guaranteeing that only authorized members of your workspace can access scan data. We read resource configurations; we do not write, modify, or delete anything in your account.

Evidence data is stored in an isolated, org-scoped workspace. Evidence is never shared across organizations. Gideon receives only an anonymized summary of findings for the duration of a session, without account IDs, ARNs, or raw evidence, and that context is destroyed immediately when the session ends. We do not sell, share, or train on your data.

YOUR RIGHTS

  • Access: Your scan data is yours. Download your full evidence package (HTML report, raw JSON, or CSV) directly from the Evidence Tracer at any time. No request needed.
  • Deletion: Use the delete control on any scan to remove it immediately. Evidence records are deleted on demand. Report artifacts auto-delete after 30 days regardless. To delete your entire org workspace, contact us from your registered account email; we verify against the account record and confirm deletion without sending your data anywhere.
  • Blacklisting: Specific AWS resources can be excluded from future evidence collection using the blacklist controls in Settings. Exclusions are logged and reversible, and you can add or remove them yourself (the log records EVIDENCE_BLACKLISTED and EVIDENCE_BLACKLIST_REMOVED as self-serve operations).
  • Portability: Every scan produces a full JSON export (raw evidence, API traces, SHA-256 hashes, control results). It is a complete, self-contained record you can take anywhere.
  • Audit log: Every data access, scan, report download, Gideon query, and org change is recorded per org in the Full Logs view, timestamped with actor, entity, resource, and status (for example EVIDENCE_BLACKLISTED, SCAN_COMPLETED). You can see exactly what happened and when.
  • Self-serve controls: The Settings page exposes "Open scan reports" and blacklist review directly, and HTML, JSON, and CSV exports come straight from the Evidence Tracer, so you download your own data without anyone else handling it.
  • Retention: Report artifacts are kept for 30 days; evidence records persist until an authorized member deletes them.

We do not sell data. We share with third parties only when necessary to operate the service (Stripe for payment processing, Claude API for analysis).

COOKIES

Last updated: 5 May 2026

WHAT WE USE

  • loxeai.token.[scanId] (localStorage, not a cookie): holds your download token after purchase. Cleared when you clear browser storage.
  • loxeai.external_id (localStorage): persists your ExternalId so you don't regenerate it every visit.
  • lxa_ck (session preference cookie): remembers that you dismissed the consent banner. 1-year expiry. Contains no tracking data.

WHAT WE DO NOT USE

  • Google Analytics, Mixpanel, Amplitude, or PostHog
  • Facebook Pixel, LinkedIn Insight Tag, or Twitter conversion tracking
  • Advertising network cookies
  • Session replay tools (Hotjar, FullStory, etc.)
  • Cross-site tracking

YOUR CONTROL

Clear localStorage and cookies in your browser at any time. The scan form still works, but you'll need to re-enter your ExternalId and dismiss the banner again.

Questions, corrections, or methodology challenges? Talk to the founder directly

© 2026 LoxeAI · loxeai.com · read-only · ExternalId-bound