Security FAQ

Version 2026-06-28 · Last updated 25 June 2026

How Provixaa protects your delivery, revenue, and margin data, for IT, finance, and leadership reviewers.

This document is provided for product transparency. It is not legal advice. Have qualified counsel review before relying on it in regulated or enterprise contexts.

Why companies ask about security

Provixaa holds delivery governance data — including sprint revenue, cost, margin, leakage, and resource rates. That is commercially sensitive. This page explains how we isolate, protect, and govern access to your data so IT, finance, and leadership can evaluate Provixaa with confidence.

Provixaa implements reasonable technical and organizational measures. No online service can guarantee absolute security; we design for tenant isolation, least-privilege access, and transparent handling of financial fields.

Is our data separated from other customers?

Yes. Provixaa is multi-tenant SaaS with strict tenant isolation. Every business record — clients, programs, projects, baselines, revenue, cost, leakage, invoices, and team assignments — is scoped to your company.

Tenant-level access controls at the application and database layers ensure that authenticated users can read or write only data belonging to companies they are members of. One customer cannot query another customer's portfolio through the application.

Who inside our company can see revenue and margin data?

You control access. A Company Admin invites team members and assigns them to specific governed projects with a delivery role (Delivery Head, PMO, or Project Manager).

Each project has a role sheet — a feature matrix that limits which tabs and actions each role can use (for example dashboards, wizard, leakage, exports). Effective access is the intersection of project plan tier and role permissions.

Company Admins have full governance access for their tenant. Team members only see projects they are assigned to. We recommend starting a pilot with PMO and leadership roles only, then expanding deliberately.

How do users sign in?

Authentication uses email and password. Sessions are managed with industry-standard server-side session handling; unauthenticated requests to application routes are redirected to login.

Password reset flows use time-limited verification links. We recommend strong passwords and limiting Company Admin accounts to trusted operators.

Is data encrypted in transit and at rest?

In transit: all access to Provixaa is over HTTPS (TLS). Browser, API, and authentication traffic is encrypted between your users and our application.

At rest: production data is stored on managed cloud database infrastructure. Encryption at rest is provided by our infrastructure providers as part of their platform security controls.

Where is data hosted?

Provixaa runs on enterprise-grade managed cloud infrastructure for application hosting, database, and authentication services.

If your procurement team requires a specific region or data-residency statement, contact us with your requirements and we will confirm what applies to your deployment.

What financial data does Provixaa store?

Provixaa stores operational governance fields you enter: sprint revenue and cost, planned vs actual effort, margin and leakage indicators, fixed-cost commercial snapshots, resource cost rates, and related delivery metadata.

Provixaa is a delivery profitability intelligence layer — it complements your finance and reporting systems; it does not replace statutory accounting or general ledger. You decide how granular revenue figures are at pilot stage.

Does AI expose our numbers to third parties?

Most Provixaa intelligence — dashboards, reports, forecasts, and Aria AI Native answers — is computed from your governed project data inside Provixaa without calling external language models.

Aria Conversations (Predictive and Aria Intelligence tiers) sends only the scoped project context required to answer your prompt when synthesis is needed. Program dashboards use built-in rollups only.

We do not use your tenant data to train public foundation models. See our AI & Data Policy for full detail on credits, fallbacks, and human review expectations.

Do you sell or share our data?

No. We do not sell personal or business information. We use infrastructure and service providers (cloud hosting, database, authentication, email, and AI API providers where applicable) who process data on our instructions under appropriate agreements.

We may disclose information if required by law or to protect rights and safety, as described in our Privacy Policy.

Can Provixaa staff access our data?

Platform operator access is limited to super-admin support scenarios required to operate the service (for example tenant setup, plan approval, or abuse investigation). Day-to-day product use is tenant-scoped through normal user roles.

If your security review requires detail on operator access, subprocessors, or logging, contact us — we can respond to a questionnaire or NDA-backed review.

What happens when we leave?

We retain account and service data while your account is active and as needed to provide the Service and meet legal obligations.

After account closure, we delete or anonymize data within a reasonable period unless law requires longer retention, as stated in our Privacy Policy.

Are you SOC 2 or ISO 27001 certified?

Provixaa is an early-stage SaaS product. We follow cloud-provider security baselines and application-level tenant isolation, but we do not currently hold SOC 2 Type II or ISO 27001 certificates.

If formal certifications or a Data Processing Agreement (DPA) are required for your procurement process, tell us your checklist — we will share what we have today and what is planned.

How should we evaluate Provixaa safely?

Start with Launch Trial on one or two governed projects — not your full portfolio.

Assign only PMO, delivery leadership, and finance stakeholders who need to evaluate margin governance.

Use per-project role sheets to restrict exports and sensitive tabs during pilot.

Align internally on the level of revenue detail you enter (aggregated sprint totals vs line-level breakdowns) until you are comfortable with access controls and workflow fit.

Security questions and enterprise review

For security questionnaires, NDAs, subprocessor lists, or AI/data handling reviews, contact admin@bmc360.io.

Related documents: Terms of Service, Privacy Policy, and AI & Data Policy.
