
Security

Axiomly's security posture and practices

1. Security Philosophy

Axiomly is built on a security-first, tenant-authoritative design:

  • Governance Without Visibility - We enforce your policies without accessing your AI prompts or source code
  • Tenant Authority - You control what is approved; we enforce your decisions
  • Zero Trust Architecture - Every request is authenticated and authorized
  • Fail-Closed Enforcement - If governance checks fail, access is denied by default

2. Platform Security Controls

2.1 Tenant Isolation

Complete data separation between organizations:

  • Database-level tenant isolation
  • No cross-tenant data access
  • Separate audit logs per tenant

2.2 Authentication & Authorization

  • Per-User API Keys - Each user has unique, revocable credentials
  • SSO Integration - Support for Microsoft Entra ID and other identity providers
  • Multi-Factor Authentication - Optional MFA for enhanced security
  • Role-Based Access Control - Least-privilege access model

2.3 Enforcement Model

  • Fail-Closed - Unapproved items are blocked by default
  • Real-Time Validation - Governance checks occur before installation
  • Immutable Audit Trail - All decisions are logged and cannot be altered

3. Infrastructure Security

3.1 Cloud Hosting

Axiomly is hosted on Amazon Web Services (AWS), leveraging:

  • SOC 2 Type II certified infrastructure
  • ISO 27001 compliant data centers
  • Geographic redundancy and disaster recovery

3.2 Network Security

  • Network segmentation and firewalls
  • DDoS protection
  • Intrusion detection and prevention systems
  • Regular security patching and updates

3.3 Secrets Management

  • Encrypted storage of API keys and credentials
  • Secure key rotation procedures
  • No plaintext secrets in code or configuration

3.4 Monitoring & Logging

  • Centralized security event logging
  • Real-time alerting for suspicious activity
  • Regular security audits and reviews

4. Data Protection

4.1 Encryption

  • In Transit - TLS 1.2+ for all data transmission
  • At Rest - AES-256 encryption for stored data
  • Key Management - AWS KMS for encryption key management

4.2 Data Minimization

Axiomly collects only what is necessary:

  • No Source Code Storage - Your code never leaves your environment
  • No AI Prompt Storage - We never see your AI conversations
  • Metadata Only - We store approval decisions, not content

4.3 Data Retention

  • Configurable retention policies per tenant
  • Automatic data deletion upon account termination
  • Compliance-driven audit log retention

5. Audit & Compliance

5.1 Comprehensive Audit Logging

  • Per-user activity tracking
  • Per-tenant governance decisions
  • Immutable approval history
  • API access logs

5.2 Exportable Records

All audit logs can be exported for:

  • Compliance reporting
  • Security investigations
  • Internal audits

5.3 Compliance Frameworks

Axiomly's design supports compliance with:

  • SOC 2 Type II
  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • ISO 27001

6. Application Security

6.1 Secure Development

  • Security code reviews
  • Automated vulnerability scanning
  • Dependency security monitoring
  • Regular penetration testing

6.2 Input Validation

  • Strict input sanitization
  • Protection against injection attacks
  • CSRF protection
  • XSS prevention

7. Incident Response

In the event of a security incident:

  • Immediate containment and investigation
  • Notification to affected customers within 72 hours
  • Root cause analysis and remediation
  • Post-incident review and improvements

8. Responsible Disclosure

We welcome responsible security research:

  • Report Vulnerabilities - Report them through our security contact
  • Coordinated Disclosure - We work with researchers to address issues before public disclosure
  • Recognition - We acknowledge security researchers who help improve Axiomly

🔒 Security Contact

To report a security vulnerability, please visit our Contact page and select "Security Inquiry".

We prioritize security reports and aim to respond within 24 hours.

9. Questions?

For security-related questions or concerns, please contact us.


© 2026 Axiomly™. All rights reserved.
