Vendor-Risk Fact Sheet
AXIOM Security Posture
One page your vendor-risk team can attach to a review ticket. Every line is honest about what is in place today. Where a control is not yet in place, the status reads "Not yet" with the real next step — never "compliant" or "certified" without proof.
Quick facts
- Legal entity: AXIOM Decision Layer (founder-led pilot phase)
- Product category: Decision intelligence / system of record for model-risk decisions
- Hosting region: United States
- Tenancy model: Multi-tenant with row-level organization isolation (single-tenant available under enterprise terms)
- Default data retention: Decision records and audit trail retained for the life of the tenant; export-on-termination supported
- Customer data used to train models: No
- PII ingested by default: No — AXIOM stores decision rationale, owner identity, and evidence references only
- Security contact: security@axiomdecisionlayer.com
01. Identity & Access
- Server-side authentication [In place] — Express-session, server-issued. Session cookies marked Secure + HttpOnly in production. No client-side trust decisions.
- Role-based access within tenant [In place] — Founder / approver / member roles enforced server-side. Service accounts cannot approve decisions.
- Single Sign-On (SAML / OIDC) [Not yet] — Available under enterprise pilot terms on request. Standard SSO setup is on the GA roadmap, not delivered yet.
- MFA enforcement [Not yet] — Customer-enforced via SSO when SSO is deployed. Native MFA on the GA roadmap.
02. Data Handling & Tenancy
- Row-level multi-tenant isolation [In place] — Every tenant-scoped table is gated by an organizationId filter at the middleware layer. Cross-tenant queries fail closed.
- Encryption in transit [In place] — TLS 1.2+ for all client and service-to-service traffic. HSTS on all production responses.
- Encryption at rest [In place] — PostgreSQL with provider-managed encryption at rest.
- Customer-managed encryption keys [Not yet] — Available under enterprise / VPC deployment. Not part of the default hosted offering today.
- Append-only decision records [In place] — Recorded decisions are immutable. Changes create a new version. Nothing is overwritten. Audit trail is structurally append-only.
- Personal data minimisation [In place] — AXIOM stores decision rationale, owner identity, and evidence references. We do not ingest customer PII, model training data, or production model outputs.
03. Audit & Reconstruction
- Full audit trail per decision [In place] — Every state change writes a decision_audit row with actor, event type, and a frozen JSON snapshot. Reconstructable end-to-end.
- Frozen context snapshot at approval [In place] — On approval, the current Company Brain context is frozen against the decision and never recomputed from live data.
- One-click reconstruction packet [In place] — GET /api/decisions/:id/audit-packet returns the full evidentiary bundle as a single JSON document: versions, assumptions, evidence, frozen snapshot, audit trail, and a deterministic reconstruction status.
- Deterministic scoring [In place] — Decision Debt scores, drift signals, and contradiction severities are computed deterministically. The same inputs always produce the same score.
04. AI Governance
- AI is advisory only [In place] — AI outputs are surfaced as drafts. A named human signature is required before anything is recorded as a canonical decision. AI never acts as the approver.
- Prompt / response captured in audit [In place] — Model name, prompt version, raw response, and confidence are retained with every AI-assisted record so the AI's contribution is reproducible.
- No training on customer data [In place] — Customer decision content is not used to train or fine-tune any model.
- No silent fallbacks [In place] — If an AI extraction fails, the failure is surfaced explicitly and the raw input is preserved.
05. Hosting & Infrastructure
- Production hosting [In place] — Hosted on Replit Deployments (US region). PostgreSQL via managed Neon US-East. Traffic served via HTTPS only, HSTS enforced.
- VPC / private deployment option [In progress] — Single-tenant deployment in customer VPC is available under enterprise pilot terms.
- Data residency outside US [Not yet] — All data resides in the US today. EU / UK residency available on request under enterprise terms.
- Backup & disaster recovery [In place] — Daily managed Postgres backups with point-in-time recovery via provider. RPO ≤ 24h, RTO ≤ 4h on the hosted tier.
06. Engineering & Change Management
- Version control + code review [In place] — All changes pass through git, are diffable, and are reviewed before merge.
- Sanitized error surfaces [In place] — Production responses never leak stack traces, internal paths, or database identifiers.
- Dependency vulnerability scanning [In progress] — Manual dependency review today. Automated SCA on a recurring schedule is on the GA roadmap.
- Penetration test [Not yet] — Third-party pentest scheduled ahead of GA.
07. Compliance Posture
- SOC 2 Type 1 [In progress] — Readiness program is active. Audit window planned ahead of GA. We do not claim SOC 2 today and will publish the report when issued.
- SOC 2 Type 2 [Not yet] — Follows Type 1, on the post-GA roadmap.
- ISO 27001 / HIPAA / FedRAMP / PCI [Not yet] — Not held. Not in scope for the founding pilot phase.
- Aligned with SR 11-7 expectations [In place] — AXIOM is built to the SR 11-7 / OCC 2011-12 evidentiary bar for model risk decisions. This is a design alignment statement, not a regulatory endorsement.
08. Subprocessors
- Replit Deployments — Application hosting (US).
- Neon — Managed PostgreSQL (US-East).
- OpenAI — AI extraction and advisory outputs only. No tenant data is used to train any model.
- Stripe — Subscription billing. Payment details handled entirely by Stripe; AXIOM never sees card data.
- Resend — Transactional email (account, alerts). Operational metadata only — no decision content is emailed.
09. Incident Response & Disclosure
- Incident response policy [In progress] — Documented founder-led IR process: detection, containment, customer notification within 72 hours of confirmed material incident, root-cause writeup.
- Coordinated vulnerability disclosure [In place] — Email security@axiomdecisionlayer.com. We will respond within 2 business days.
- Status page [Not yet] — Public status page on the post-GA roadmap.
Vendor-risk questionnaires
We respond to CAIQ-Lite, SIG-Lite, and custom questionnaires within five business days during the founding pilot phase. Email security@axiomdecisionlayer.com with your institution name, the questionnaire format, and the timeline you need it back.