Security at every layer.
From encryption and access control to audit logging and incident response, AXIOM is engineered so your data stays yours.
Data Handling
Every request flows through a deterministic pipeline. Here is exactly what happens to your data at each stage.
User Action
Request enters AXIOM through an authenticated session
Policy Engine
Rules evaluated: permissions, classification, spend limits
Skill Execution
Approved action routed to integration with scoped credentials
LLM Processing
Prompt sent to the configured provider after data-minimization filters are applied
Audit Log
Full request/response logged immutably with actor identity
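The policy-engine stage above is the one piece of the pipeline that is pure logic, so here is an added example of what a deterministic evaluation with a recordable trace looks like. This is illustrative code written for this page, not AXIOM's own implementation; the rule names, roles, actions, classification labels, budgets and sample requests are all assumptions.

```python
"""Added example, not AXIOM's own code: a deterministic policy engine in the
shape the pipeline describes. Each request is checked against ordered rules
(permission, data classification, spend limit); the result is deny-by-default
and carries a per-rule trace that the audit stage can record verbatim.
Rule names, roles, actions, budgets and the sample requests are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    actor: str
    role: str               # "member" | "manager" | "admin"
    action: str             # skill being invoked, e.g. "crm.export"
    classification: str     # label on the target data: "public" | "internal" | "restricted"
    cost_usd: float         # estimated cost of this skill call
    spent_today_usd: float  # actor's spend so far in the current budget window


@dataclass
class Decision:
    allowed: bool
    trace: list = field(default_factory=list)  # one dict per rule, in evaluation order


# Assumed policy data.
ROLE_PERMISSIONS = {
    "member":  {"crm.read", "calendar.read"},
    "manager": {"crm.read", "crm.export", "calendar.read"},
    "admin":   {"crm.read", "crm.export", "calendar.read", "billing.update"},
}
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "restricted": 2}
MAX_CLASSIFICATION = {"member": "internal", "manager": "internal", "admin": "restricted"}
DAILY_BUDGET_USD = {"member": 5.0, "manager": 50.0, "admin": 200.0}


def rule_permission(req):
    ok = req.action in ROLE_PERMISSIONS.get(req.role, set())
    return ok, f"role={req.role} action={req.action}"


def rule_classification(req):
    # An unknown label ranks above every known one, so unlabeled data is never released.
    limit = MAX_CLASSIFICATION.get(req.role, "public")
    rank = CLASSIFICATION_RANK.get(req.classification, max(CLASSIFICATION_RANK.values()) + 1)
    return rank <= CLASSIFICATION_RANK[limit], f"data={req.classification} max_for_role={limit}"


def rule_spend(req):
    budget = DAILY_BUDGET_USD.get(req.role, 0.0)
    projected = req.spent_today_usd + req.cost_usd
    return projected <= budget, f"projected={projected:.2f} budget={budget:.2f}"


RULES = [
    ("permission", rule_permission),
    ("classification", rule_classification),
    ("spend_limit", rule_spend),
]


def evaluate(req):
    """Evaluate every rule (no short-circuit) so the trace is complete even on deny,
    and fail closed if a rule itself raises."""
    decision = Decision(allowed=True)
    for name, rule in RULES:
        try:
            ok, detail = rule(req)
        except Exception as exc:  # a broken rule must never turn into an allow
            ok, detail = False, f"rule error: {exc!r}"
        decision.trace.append({"rule": name, "result": "pass" if ok else "fail", "detail": detail})
        decision.allowed = decision.allowed and ok
    return decision


if __name__ == "__main__":
    for req in (
        Request("alice", "manager", "crm.export", "internal", 0.40, 10.00),
        Request("bob", "member", "crm.export", "restricted", 0.40, 4.90),
    ):
        d = evaluate(req)
        print(req.actor, "ALLOW" if d.allowed else "DENY", d.trace)
```

Two design choices matter for auditability: every rule runs even after the first failure, so the trace shows all reasons for a deny rather than just the first, and an exception inside a rule is recorded as a failure instead of propagating or defaulting to allow.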
Encryption
Data is encrypted at rest and in transit with no exceptions.
AES-256 at Rest
All data stored by AXIOM is encrypted using AES-256, the same standard used by governments for classified information. Encryption keys are rotated automatically.
TLS 1.3 in Transit
Every connection between clients, AXIOM services, and third-party integrations is protected by TLS 1.3, which provides forward secrecy on every session because it supports only ephemeral key exchange. Older protocol versions are rejected.
Customer-Managed Keys
Enterprise customers on Hybrid and Air-Gapped plans can bring their own encryption keys. AXIOM never has access to your key material.
Access Control
Multi-layered access controls ensure users see only what they are authorized to see and do only what they are permitted to do.
Row-Level Security (RLS)
Every database query is scoped to the authenticated tenant. Users within the same organization see only the data their role permits. Cross-tenant access is blocked by the database itself on every query, not by application code, so an application-layer bug cannot widen a query beyond the caller's tenant.
Tenant Isolation
Each organization operates in a logically isolated environment with dedicated database schemas, encryption keys, and credential vaults. Shared-nothing architecture at the data layer.
Role-Based Access Control
Admins, managers, and members each have distinct permission sets. Custom roles can be defined to match your organization's structure. All role changes are audited.
SSO & SCIM
SAML 2.0 and OIDC single sign-on. SCIM provisioning for automatic user lifecycle management synced with your identity provider. Enforce MFA at the IdP layer.
LLM Data Privacy
Your prompts and data are never used for model training. Here is our commitment.
- AXIOM never uses your data to train or fine-tune models.
- Prompts are passed through data-minimization filters that strip PII the task does not need before anything is sent to the LLM provider.
- Air-Gapped deployments use local Ollama inference with zero external API calls.
- LLM provider agreements prohibit data retention beyond the request lifecycle.
- Prompt and response content is logged only within your tenant boundary and never shared across organizations.
- You choose your LLM provider: OpenRouter, Anthropic, Groq, Together, or Ollama.
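As an added illustration of the data-minimization step (this is example code written for this page, not AXIOM's filter), the following replaces PII in a prompt with stable placeholders before it leaves the tenant boundary and restores the originals in the provider's reply. The patterns, placeholder format and sample prompt are constructed; the Luhn check is included because long digit runs such as order numbers would otherwise be redacted as card numbers.

```python
"""Added example, not AXIOM's own code: a data-minimization filter that swaps
PII in a prompt for stable placeholders before the prompt leaves the tenant
boundary, then restores the originals in the provider's reply. The placeholder
mapping never leaves the tenant. Patterns, placeholder format and the sample
prompt are constructed for illustration."""
import re

# Order matters: each pattern runs on the output of the previous one.
PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("CARD",  re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),  # 13-19 digits; confirmed by Luhn below
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\w)(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b")),
]


def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from other long digit runs
    (order IDs, ticket numbers) that match the CARD pattern by shape."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class Minimizer:
    def __init__(self):
        self.mapping = {}    # placeholder -> original value; stays inside the tenant
        self._reverse = {}   # (kind, original) -> placeholder, so repeats get the same token
        self._counts = {}

    def _placeholder(self, kind, value):
        key = (kind, value)
        if key not in self._reverse:
            n = self._counts.get(kind, 0) + 1
            self._counts[kind] = n
            self._reverse[key] = f"<{kind}_{n}>"
            self.mapping[self._reverse[key]] = value
        return self._reverse[key]

    def redact(self, text):
        """Return the prompt with PII replaced by placeholders."""
        for kind, pattern in PATTERNS:
            def replace(m, kind=kind):
                value = m.group(0)
                if kind == "CARD" and not luhn_ok(re.sub(r"\D", "", value)):
                    return value  # long digit run that is not a card number: leave as-is
                return self._placeholder(kind, value)
            text = pattern.sub(replace, text)
        return text

    def restore(self, text):
        """Put the originals back into the provider's response (inside the tenant)."""
        for placeholder, value in self.mapping.items():
            text = text.replace(placeholder, value)
        return text


if __name__ == "__main__":
    # Constructed sample prompt.
    prompt = ("Summarize: alice@example.com (SSN 123-45-6789) paid with 4111 1111 1111 1111; "
              "order 1234 5678 9012 3456; call 555-123-4567 or alice@example.com")
    m = Minimizer()
    outbound = m.redact(prompt)
    print("to provider:", outbound)
    print("restored:   ", m.restore(outbound))
```

Regex filters are a floor, not a guarantee: names, addresses and free-text identifiers need an entity recognizer on top, and a 13-19 digit run will pass Luhn by chance about one time in ten, so expect occasional over-redaction. Repeated values map to the same placeholder on purpose, so the model can still reason about "the same person" without ever seeing the value.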
Compliance Frameworks
AXIOM maintains compliance with the frameworks your auditors require.
SOC-2 Type II
Annual audit covering security, availability, and confidentiality trust service criteria. Report available under NDA.
GDPR
Full compliance with EU General Data Protection Regulation. Data Processing Agreements available for all customers.
CCPA
California Consumer Privacy Act compliance for handling personal information of California residents.
HIPAA
Business Associate Agreements available for healthcare organizations. PHI safeguards enforced at every layer.
Audit Logging
Complete, immutable, and exportable. Every action leaves a trail.
- Every user action recorded with timestamp, actor, IP, and session context
- Policy engine decisions logged with full rule-evaluation trace
- Integration API calls captured with request/response metadata
- Immutable write-once storage prevents tampering or deletion
- Real-time streaming to your SIEM via webhook or Syslog
- 90-day default retention; configurable up to 7 years for compliance
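To make concrete what "immutable" and "exportable to a SIEM" can mean at the data-structure level, here is an added example (written for this page, not AXIOM's logging code) of a hash-chained audit log whose entries carry the rule trace from the policy engine and can be rendered as RFC 5424 syslog lines. Field names, the sample events, the host name and the application name are assumptions.

```python
"""Added example, not AXIOM's own code: a hash-chained, append-only audit log.
Every entry records the SHA-256 of the previous entry, so editing, deleting or
reordering any entry after the fact is detectable by a single pass over the log.
Also shown: rendering an entry as an RFC 5424 syslog line for SIEM streaming.
Field names, the sample events, host and app names are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # predecessor hash of the first entry


def entry_hash(entry):
    # Canonical JSON (sorted keys, no whitespace) so the digest does not depend on
    # serialization details; the entry's own "hash" field is excluded.
    body = {k: v for k, v in entry.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, actor, action, ip, session, outcome, trace=None, ts=None):
        entry = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "ip": ip, "session": session,
            "outcome": outcome,
            "trace": trace or [],  # policy-engine rule-evaluation trace
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.get("seq") != i or e.get("prev") != prev or e.get("hash") != entry_hash(e):
                return False, i
            prev = e["hash"]
        return True, None

    def head(self):
        """Hash of the latest entry. Anchoring this outside the store (e.g. in the customer's
        SIEM) is what defeats an attacker who can rewrite the whole log and re-chain it."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def _sd_escape(value):
    # RFC 5424 structured-data parameter values must escape backslash, double quote and ']'.
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def syslog_line(entry, host="axiom-app-1", app="axiom-audit"):
    """RFC 5424 message. PRI = facility*8 + severity; facility 13 (log audit) and
    severity 6 (informational) give 110. Enterprise number 32473 is the value
    RFC 5424 reserves for documentation examples."""
    params = " ".join(f'{k}="{_sd_escape(entry[k])}"'
                      for k in ("seq", "actor", "action", "outcome", "ip", "hash"))
    return (f'<110>1 {entry["ts"]} {host} {app} - AUDIT [audit@32473 {params}] '
            f'{entry["action"]} by {entry["actor"]}: {entry["outcome"]}')


if __name__ == "__main__":
    log = AuditLog()
    log.append("alice", "crm.export", "203.0.113.7", "sess-1", "allow",
               trace=[{"rule": "permission", "result": "pass"}])
    log.append("bob", "billing.update", "203.0.113.8", "sess-2", "deny",
               trace=[{"rule": "permission", "result": "fail"}])
    print(syslog_line(log.entries[1]))
    print("intact:", log.verify())
    log.entries[0]["outcome"] = "deny"      # simulated tampering
    print("after edit:", log.verify())
```

A hash chain makes tampering evident, not impossible: anyone with write access to the store can rewrite every entry and recompute the chain. Write-once storage, or shipping the head hash to an external system as each entry is written, is what turns detection into prevention, which is why the streaming-to-SIEM item above belongs in the same list as immutability.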
Incident Response
Defined processes. Clear timelines. No surprises.
Detection
Automated monitoring and anomaly detection across all services. On-call engineering team alerted immediately.
Triage
Severity classification, blast radius assessment, and initial containment. Affected customers notified within 1 hour for critical incidents.
Remediation
Root cause identified, patch deployed, and all affected systems verified. Post-incident review initiated within 24 hours.
Communication
Status page updated in real-time. Detailed post-mortem published within 5 business days with corrective actions.
Penetration Testing
AXIOM undergoes annual third-party penetration testing conducted by an independent, CREST-accredited security firm. The scope covers external infrastructure, application-layer vulnerabilities, API security, and authentication flows. Critical and high-severity findings are remediated within 48 hours. A summary letter is available under NDA upon request.
Subprocessors
Transparency about the third-party services AXIOM relies on to deliver its platform.
Air-Gapped deployments eliminate all external subprocessors. Contact us for the full subprocessor list and change notification policy.
Security Resources
Download the documents your security team needs for vendor review.
Security Whitepaper
Comprehensive overview of AXIOM's security architecture, controls, and compliance posture.
Data Processing Agreement
Standard DPA template covering GDPR and international data transfer requirements.
SOC-2 Type II Report
Full audit report available under mutual NDA. Contact sales to request access.
Have a question for our security team?
Contact Security Team