Trust Centre
Your security and privacy are foundational to everything we build. Learn about our commitment to protecting your data and maintaining the highest standards of compliance.
SOC 2
Type II · In progressISO 27001
In progressISO 42001
In progressSecurity & Compliance
We maintain rigorous security standards and are actively working toward the industry's leading certifications. We align our controls to their requirements as we prepare for formal audits.
SOC 2 Type II In progress
We are preparing for a SOC 2 Type II audit - implementing and documenting controls across security, availability, processing integrity, confidentiality and privacy ahead of a formal assessment.
- Formal Type II audit planned with an accredited auditor
- Controls being implemented, tested and evidenced
- Reports will be available to customers under NDA once certified
ISO 27001 In progress
We are implementing an Information Security Management System aligned to the internationally recognised ISO 27001 standard and working toward certification.
- Systematic approach to managing sensitive information
- Certification audit planned; surveillance audits to follow
- Continuous improvement of security practices
ISO 42001 In progress
We are establishing an AI Management System aligned to ISO 42001 - the international standard for responsible AI governance - and working toward certification.
- Governance for AI risk, oversight and accountability
- Aligns our own practices with the controls we provide customers
- Pursued alongside our ISO 27001 programme
GDPR Compliance
Full compliance with the EU General Data Protection Regulation, ensuring the highest standards of data privacy and protection.
- Data Processing Agreements available
- Right to access, rectify, and delete data
- Data portability and breach notification
Industry Standards
We support compliance with HIPAA, CCPA, and other regulatory frameworks specific to your industry requirements.
- HIPAA-compliant configurations available
- CCPA privacy rights support
- Industry-specific compliance guidance
Infrastructure Security
Enterprise-grade infrastructure with multiple layers of security to protect your data.
Infrastructure
Cloud infrastructure hosted on AWS with geographic redundancy and 99.9% uptime SLA.
Encryption
AES-256 encryption at rest and TLS 1.3 in transit. All data encrypted with unique keys.
Access Control
Role-based access control, multi-factor authentication, and principle of least privilege.
Network Security
Web application firewall, DDoS protection, and intrusion detection systems.
Data Backup
Automated daily backups with point-in-time recovery and cross-region replication.
Monitoring
24/7 security monitoring with automated alerting and incident response procedures.
Data Privacy
Your data is yours. We maintain strict data handling policies and provide full transparency.
Data Ownership
You retain full ownership of your data. We act solely as a data processor and never use your data for any purpose other than providing our services.
- Complete data ownership and control
- Data export available at any time
- Secure data deletion upon request
Data Residency
Choose where your data is stored with regional data centers. All data remains within your selected geographic region.
- Multiple geographic regions available
- Data sovereignty compliance
- On-premises deployment options
Data Processing
We process data only as necessary to provide our services and in accordance with your instructions and applicable regulations.
- Minimal data collection principles
- Purpose limitation and transparency
- No third-party data sharing
Sub-Processors
We maintain a limited list of vetted sub-processors and notify customers of any changes with advance notice.
- Amazon Web Services (AWS)Cloud infrastructure provider
- SupabaseDatabase and authentication services
- CloudflareCDN and DDoS protection
- SentryError monitoring and performance tracking
- SendGridEmail delivery services
- Comprehensive sub-processor vetting and security reviews
- 30-day advance notice for any changes to sub-processors
- All sub-processors bound by data processing agreements
Security Practices
Continuous security improvements through testing, training, and industry best practices.
Vulnerability Management
Regular security assessments, penetration testing, and vulnerability scanning. All critical vulnerabilities addressed within 24 hours.
Incident Response
24/7 security operations center with documented incident response procedures. Customer notification within 72 hours of any data breach.
Employee Security
Comprehensive background checks, security training, and NDA requirements. Regular security awareness training for all employees.
Security Development
Secure software development lifecycle with code reviews, static analysis, and security testing integrated into our development process.
Website Security & Threat Surface
Axonyx operates a public demonstration website to showcase product capabilities. The demo environment presents a minimal attack surface with no administrative functionality, authentication interfaces, or customer data exposure.
Security Validation
The demonstration website undergoes continuous automated security scanning to identify potential vulnerabilities. Recent assessment cycles confirm no critical, high, or medium-severity findings. The site demonstrates secure baseline configuration with properly implemented transport security and no evidence of common web application vulnerabilities.
No Exploitable Vulnerabilities Identified
- No SQL injection or command execution paths
- No cross-site scripting or CSRF vulnerabilities
- No file inclusion or path traversal risks
- No credential leakage or authentication bypass
- No exposed API endpoints or administrative interfaces
Secure Transport Configuration
- TLS 1.2+ enforced with trusted certificates
- No mixed content or insecure resource loading
- No directory listing or information disclosure
- No sensitive data exposure in responses
- Secure cookie attributes and session handling
Configuration Hardening
Automated scanning identified several low-risk configuration opportunities related to optional HTTP security headers. These findings represent defense-in-depth enhancements rather than exploitable vulnerabilities and are common in static demonstration environments.
Risk Classification
Configuration hardening recommendations are assessed as low-risk, informational findings. None represent direct security exposure or exploitable attack vectors. The demonstration site's static nature and lack of dynamic functionality significantly reduces the relevance of certain browser security controls.
Remediation Approach
Low-risk findings are tracked, prioritized, and addressed based on their practical security impact in the demonstration environment. Configuration enhancements are evaluated against operational requirements and implemented where they provide meaningful security value without impacting legitimate functionality.
Threats Addressed
Endpoint Enumeration & Discovery
The demonstration site exposes only static content and a contact form. No API endpoints, administrative interfaces, or hidden functionality exists to discover. Service fingerprinting yields minimal actionable information for potential attackers.
Injection-Based Attacks
Automated testing confirms no SQL injection, command injection, or code execution vulnerabilities. The static site architecture eliminates server-side processing of user input beyond the contact form, which employs secure third-party email services.
Client-Side Abuse & Data Leakage
No sensitive data, API keys, or credentials are embedded in client-side code or network responses. The site does not handle customer data, authentication sessions, or personally identifiable information beyond voluntary contact form submissions.
Insecure Transport & Downgrade Attacks
TLS 1.2 and 1.3 are enforced with trusted certificate chains. No support for legacy protocols or weak cipher suites. All resources load over secure connections, preventing man-in-the-middle attacks and content tampering.
Accidental Exposure of Internal Systems
The demonstration website is architecturally isolated from production infrastructure. No backend systems, databases, or internal services are accessible through the public demo environment. Clear network segmentation ensures internal systems remain protected even in the event of website compromise.
Architectural Isolation & Continuous Validation
The demonstration website operates in complete isolation from production systems, customer data, and operational infrastructure. This architectural separation ensures that any potential compromise of the demo environment cannot impact customer security or service availability.
Network Isolation
- Separate network segments and security groups
- No connectivity to production environments
- Dedicated hosting infrastructure
Data Separation
- No customer data in demo environment
- No access to production databases
- Minimal data collection and retention
Continuous Monitoring
- Automated vulnerability scanning
- Regular security assessments
- Proactive remediation workflows
Responsible Disclosure
Security researchers who identify potential vulnerabilities in our demonstration website or other public-facing infrastructure are encouraged to report findings through our coordinated disclosure process. We are committed to acknowledging reports promptly, investigating thoroughly, and crediting researchers appropriately.
Threat Model & Security Posture
Axonyx operates a proxy-first architecture designed for defence-in-depth. Our publicly exposed inference proxy at proxy.axonyx.ai presents an intentionally minimal attack surface.
Proxy-First Security Model
The Axonyx proxy serves as a security gateway between your organization and AI model providers. All requests flow through policy enforcement, inspection, and logging layers before reaching external models. This architecture enables real-time intervention and complete audit visibility.
Defence-in-Depth Layers
- Request authentication and authorization
- Input validation and sanitization
- Policy enforcement and guardrails
- Response inspection and filtering
- Comprehensive audit logging
Minimal Attack Surface
- No administrative endpoints exposed publicly
- No API specification disclosure
- Limited service fingerprinting
- Strict transport security enforcement
- Rate limiting and abuse prevention
Key Threats Addressed
Unauthorised API Access
All requests require valid authentication tokens. Multi-factor authentication enforced for administrative access. Session management with automatic expiration and revocation.
Prompt Injection & Malicious Inputs
Advanced pattern detection identifies jailbreak attempts, system prompt manipulation, and instruction injection. Requests are blocked or escalated based on risk scoring.
Model Misuse & Policy Circumvention
Policy enforcement occurs at the proxy layer before requests reach models. Organizations define acceptable use policies, content restrictions, and data handling requirements.
Data Exfiltration via AI Responses
Response inspection detects sensitive data patterns including credentials, PII, and proprietary information. Responses containing restricted data are blocked or redacted.
Endpoint Discovery & Enumeration
Public endpoints expose only essential inference functionality. No API documentation, debug interfaces, or administrative paths are accessible without authentication.
Abuse of Inference Endpoints
Rate limiting prevents resource exhaustion and denial of service. Anomaly detection identifies unusual usage patterns. Automated throttling and blocking for abuse scenarios.
Security Assurance
The Axonyx proxy infrastructure undergoes continuous security validation through multiple independent assessment methodologies. Our security posture is evaluated regularly to identify and address potential vulnerabilities before they can be exploited.
Automated Security Scanning
- Continuous API vulnerability assessment
- SQL injection and GraphQL security testing
- Transport layer security validation
- Authentication and authorization testing
Manual Penetration Testing
- Annual third-party penetration testing
- Adversarial testing by security researchers
- Application logic and business process review
- Remediation verification and retesting
Recent automated scanning identified no critical, high, or medium risk findings across the public proxy infrastructure. A single low-risk informational finding related to service fingerprinting has been documented and assessed as non-exploitable given the proxy's intentional public exposure model. Security findings are tracked, prioritized, and remediated according to risk severity and potential impact.
Audit & Reports
Security documentation to support your vendor assessments, with certification reports available as our programmes complete.
SOC 2 Report
Type II report will be available to customers under NDA once certification is complete.
Penetration Tests
Annual third-party penetration test summaries.
Security Questionnaires
Standard security questionnaire responses.
Request access to our compliance documentation through your customer success manager or contact our security team directly at security@axonyx.ai.
Responsible Disclosure
We welcome security researchers to help us maintain the security of our platform.
Security Bug Bounty Program
If you discover a security vulnerability, please report it to us responsibly. We are committed to working with security researchers to verify and address any potential vulnerabilities.
How to Report
- Email security@axonyx.ai with details of the vulnerability
- Provide sufficient information to reproduce the issue
- Allow us reasonable time to address the issue before public disclosure
Our Commitment
- Acknowledge receipt within 24 hours
- Provide regular updates on our progress
- Credit researchers who report valid vulnerabilities
Have questions
about security?
Our security team is here to answer any questions about our security practices, certification roadmap, or data protection measures.
Contact Security Team