Every ProxRad deployment ships with encryption, hardware-bound licensing, fine-grained access control, full audit trails, and high availability — on by default, not as a paid add-on.
Your subscriber data and backups are encrypted at rest with keys you alone control.
Every backup is sealed with AES-256-GCM using a license-derived key. Backup files are unreadable without the key tied to your specific license.
Sensitive database fields are encrypted with a per-customer key issued by the license server, fetched on startup and cached for 24 hours.
Optional full-disk LUKS encryption with a hardware-bound key, protecting the entire server volume against drive theft and offline access.
Lock down who can do what, and stop credential attacks before they start.
Role-based access control with 200+ granular permissions across 39 categories. Give admins, resellers, and operators exactly the access they need.
Stateless JWT sessions backed by a Redis token blacklist, so a token is invalidated immediately when its user logs out and cannot be replayed afterwards.
Two-factor authentication using standard TOTP authenticator apps, with QR-code enrolment for admin and operator accounts.
Progressive lockouts after repeated failed logins, plus per-IP API rate limiting to blunt automated and credential-stuffing attacks.
The platform proves it is genuine, unmodified, and running where it is licensed to run.
Each license binds to the server's hardware fingerprint — a hash of MAC address, motherboard product UUID, and machine ID — so binaries can't be copied to other hardware.
Communication with the license server is certificate-pinned, hardening license validation against man-in-the-middle interception.
Binaries carry a compile-time build date and expire 30 days later, so a stolen or stale binary cannot keep running indefinitely.
A hardened deployment footprint and resilient high-availability architecture.
Nginx fronts the platform with security headers (X-Frame-Options, content-type and related protections) and endpoint-level rate limiting.
PostgreSQL and Redis are bound to localhost, so the database and cache are never exposed to the public network and are unreachable from outside the host.
Primary/replica HA with PostgreSQL streaming replication and encrypted replication credentials, plus controlled failover for continuous uptime.