Vendor-Risk Fact Sheet
AXIOM Security Posture
One page your vendor-risk team can attach to a review ticket. Every line states what is in place today. Where a control is not yet in place, the status reads "Not yet" with the real next step; nothing is described as "compliant" or "certified" without proof.
Identity and access
- Server-side authentication, fail-closed by default. Session cookies marked Secure and HttpOnly in production.
- Role-based access within tenant. Service accounts cannot approve decisions.
- SSO (SAML / OIDC) and native MFA: Not yet GA. Both are on the GA roadmap and are available today only under enterprise pilot terms.
Data handling and tenancy
- Row-level multi-tenant isolation enforced in the application middleware, which scopes every query to the caller's tenant. A request whose tenant cannot be resolved, or whose target record belongs to another tenant, is rejected rather than answered (fail closed).
- TLS 1.2+ in transit. Encryption at rest is the hosting provider's managed encryption for PostgreSQL (provider-managed keys).
- Append-only decision records. Recorded decisions are immutable; changes create new versions.
- Personal data minimisation: AXIOM stores decision rationale, owner identity, and evidence references — not customer PII, model training data, or production model outputs.
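How the fail-closed tenant scoping listed above can be checked in practice, as an added Python illustration that is not AXIOM's code. It models a store wrapper that resolves the tenant from the session, refuses any session with no tenant bound, and answers cross-tenant and missing record ids identically so that ids do not leak another tenant's existence. The names (Session, TenantScopedStore, DecisionRecord) and the in-memory table are assumptions for the example.

```python
"""Fail-closed tenant scoping (added illustration, not AXIOM's code).

Every data access goes through TenantScopedStore, which scopes the query to
the tenant on the authenticated session. A session without a tenant, a
record from another tenant, and a record that does not exist all get the
same refusal: the store never answers a question it cannot scope.
"""
from dataclasses import dataclass, field
from typing import Optional


class TenantIsolationError(PermissionError):
    """Raised for every cross-tenant or tenant-less access (fail closed)."""


@dataclass(frozen=True)
class Session:
    user_id: str
    tenant_id: Optional[str]   # None models a session with no tenant bound


@dataclass
class DecisionRecord:
    record_id: str
    tenant_id: str
    payload: dict


@dataclass
class TenantScopedStore:
    """Middleware-style wrapper: the only path by which callers reach rows."""
    _rows: dict = field(default_factory=dict)   # constructed in-memory table

    def insert(self, session: Session, record: DecisionRecord) -> None:
        self._require_tenant(session)
        if record.tenant_id != session.tenant_id:
            raise TenantIsolationError("record tenant differs from session tenant")
        self._rows[record.record_id] = record

    def get(self, session: Session, record_id: str) -> DecisionRecord:
        self._require_tenant(session)
        row = self._rows.get(record_id)
        # Missing and foreign rows get the same answer, so a record id does
        # not reveal whether another tenant's record exists.
        if row is None or row.tenant_id != session.tenant_id:
            raise TenantIsolationError(
                f"no record {record_id!r} in tenant {session.tenant_id!r}")
        return row

    def list_ids(self, session: Session) -> list:
        self._require_tenant(session)
        return sorted(r.record_id for r in self._rows.values()
                      if r.tenant_id == session.tenant_id)

    @staticmethod
    def _require_tenant(session: Session) -> None:
        # Default deny: no tenant on the session means no query at all.
        if not session.tenant_id:
            raise TenantIsolationError("session has no tenant; refusing query")


def demo() -> dict:
    """Exercise the four cases a reviewer would probe and report each outcome."""
    store = TenantScopedStore()
    alice = Session("alice", "tenant-a")
    bob = Session("bob", "tenant-b")
    nobody = Session("svc-ingest", None)          # session with no tenant bound
    store.insert(alice, DecisionRecord("d-1", "tenant-a", {"rationale": "ok"}))
    store.insert(bob, DecisionRecord("d-2", "tenant-b", {"rationale": "ok"}))

    outcomes = {"own_read": store.get(alice, "d-1").record_id}
    probes = [("cross_read", bob, "d-1"),      # bob reads alice's record
              ("no_tenant", nobody, "d-1"),    # tenant-less session
              ("missing", alice, "d-9")]       # id that does not exist
    for name, sess, rid in probes:
        try:
            store.get(sess, rid)
            outcomes[name] = "allowed"
        except TenantIsolationError:
            outcomes[name] = "denied"
    outcomes["alice_sees"] = store.list_ids(alice)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The design point is the shared refusal path: a database-level row filter that silently returns zero rows is also "isolated", but it cannot distinguish a bug that dropped the tenant from a legitimate empty result, whereas the wrapper above turns a missing tenant into an error that shows up in logs and tests.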
Audit and reconstruction
- Full audit trail per decision with actor, event type, and a frozen JSON snapshot. Reconstructable end-to-end.
- Frozen Company Brain context snapshot at approval. Never recomputed from live data.
- One-click reconstruction packet endpoint returns the full evidentiary bundle as a single JSON document.
- Deterministic scoring. The same inputs always produce the same score.
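The append-only records under Data handling and the frozen snapshot, single-document reconstruction packet and deterministic scoring listed under Audit and reconstruction, demonstrated together in an added Python example that is not AXIOM's code. The scoring rule (percentage of evidence items marked verified) and the "svc:" prefix for service accounts are hypothetical stand-ins; the point shown is that the score is a pure function of the frozen snapshot, that the snapshot does not move when live data does, and that a reviewer can re-derive both digest and score from the packet alone.

```python
"""Append-only decision versions, frozen snapshots and deterministic scoring
(added illustration, not AXIOM's code). Assumed model: a decision is a chain
of immutable versions; an edit appends a version instead of changing one;
each version carries the exact context it was approved against; the score
is a pure function of that frozen context's canonical JSON."""
import dataclasses
import hashlib
import json
from dataclasses import dataclass


def canonical(obj) -> str:
    # Sorted keys and fixed separators: equal inputs give byte-identical JSON.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def deterministic_score(context: dict) -> int:
    """Hypothetical scoring rule: percent of evidence items marked verified.
    The rule is a stand-in; what matters is that it reads only the frozen
    context passed in, never anything live."""
    evidence = context.get("evidence", [])
    if not evidence:
        return 0
    verified = sum(1 for e in evidence if e.get("status") == "verified")
    return round(100 * verified / len(evidence))


@dataclass(frozen=True)          # frozen: fields cannot be reassigned
class DecisionVersion:
    decision_id: str
    version: int
    actor: str
    event: str
    snapshot: str                # canonical JSON captured at approval time
    snapshot_sha256: str
    score: int


class DecisionLedger:
    """Append-only: versions are only ever added, never updated or deleted."""

    def __init__(self):
        self._versions = {}      # decision_id -> list of DecisionVersion
        self._audit = []         # one event per recorded action

    def approve(self, decision_id: str, actor: str, live_context: dict) -> DecisionVersion:
        if actor.startswith("svc:"):   # assumed naming: service accounts cannot approve
            raise PermissionError("approval requires a human signer")
        frozen = canonical(live_context)           # a copy taken now, not a reference
        prior = self._versions.setdefault(decision_id, [])
        ver = DecisionVersion(decision_id, len(prior) + 1, actor, "approved", frozen,
                              sha256_hex(frozen), deterministic_score(live_context))
        prior.append(ver)
        self._audit.append({"decision_id": decision_id, "version": ver.version,
                            "actor": actor, "event": ver.event,
                            "snapshot_sha256": ver.snapshot_sha256})
        return ver

    def reconstruction_packet(self, decision_id: str) -> str:
        """Whole evidentiary bundle for one decision as a single JSON document."""
        bundle = {
            "decision_id": decision_id,
            "versions": [dataclasses.asdict(v) for v in self._versions.get(decision_id, [])],
            "audit": [e for e in self._audit if e["decision_id"] == decision_id],
        }
        return canonical(bundle)


def verify_packet(packet: str) -> bool:
    """Check a reviewer can run on the packet alone: every version's digest and
    score must be reproducible from its own frozen snapshot."""
    bundle = json.loads(packet)
    for v in bundle["versions"]:
        if sha256_hex(v["snapshot"]) != v["snapshot_sha256"]:
            return False
        if deterministic_score(json.loads(v["snapshot"])) != v["score"]:
            return False
    return True


def demo() -> dict:
    ledger = DecisionLedger()
    live = {"model": "credit-v3",                      # constructed sample context
            "evidence": [{"ref": "E-1", "status": "verified"},
                         {"ref": "E-2", "status": "pending"}]}
    v1 = ledger.approve("dec-42", "alice", live)
    live["evidence"][1]["status"] = "verified"         # live data moves on afterwards
    v2 = ledger.approve("dec-42", "alice", live)       # a change appends version 2
    try:
        v1.score = 0                                   # attempted in-place edit
        frozen_ok = False
    except dataclasses.FrozenInstanceError:
        frozen_ok = True
    packet = ledger.reconstruction_packet("dec-42")
    return {"scores": [v1.score, v2.score],
            "v1_snapshot_status": json.loads(v1.snapshot)["evidence"][1]["status"],
            "frozen": frozen_ok, "versions": len(json.loads(packet)["versions"]),
            "valid": verify_packet(packet), "packet": packet}


if __name__ == "__main__":
    print(json.dumps({k: v for k, v in demo().items() if k != "packet"}))
```

Two checks worth carrying into a review: canonicalisation must happen before hashing (key order alone would otherwise change the digest of identical content), and verification must recompute the score from the snapshot inside the packet rather than trusting the stored number, since a tampered score with an intact snapshot is exactly the case the check exists for.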
AI governance
- AI is advisory only. Every recorded decision requires a human signature.
- Model name, prompt version, raw response, and confidence are captured in the audit trail.
- No tenant data is used to train any model.
- No silent fallbacks. If an extraction fails, the failure is surfaced explicitly and the raw input is preserved.
Compliance posture
SOC 2: Not yet. A readiness program is active; we do not claim SOC 2 today and will publish the report when it is issued. ISO 27001, HIPAA, FedRAMP, and PCI DSS: not held. The platform is designed to the SR 11-7 / OCC 2011-12 evidentiary bar for model risk decisions; this is a design alignment statement, not a regulatory endorsement.
Vendor-risk questionnaires
We respond to CAIQ-Lite, SIG-Lite, and custom questionnaires within five business days during the founding pilot phase. Email security@axiomdecisionlayer.com with your institution name, the questionnaire format, and the timeline you need it back.