Trust Center
Built for the people who have to answer the examiner.
AXIOM is in its founding pilot phase. This page is an honest accounting of what is live today, how the platform is built, and how the architecture maps to SR 11-7 model risk management expectations. Where something is in progress rather than shipped, we say so.
Security and data handling
- Server-side authentication, fail-closed by default. Sessions are managed with express-session; session cookies are marked Secure in production.
- Row-level multi-tenancy isolation enforced at the middleware layer. Cross-tenant queries fail closed.
- API key protection for the internal decision engine microservice. No anonymous access.
- Sanitized error messages in production. No stack traces, paths, or database identifiers leaked.
- Append-only decision records. Immutable once recorded. Changes create new versions with diffs.
- Complete audit trail for every action, attributed to a named human.
- Encrypted data at rest (PostgreSQL provider-level) and in transit (TLS).
- SOC 2 readiness program in progress. We do not claim certification at this time.
Platform architecture
- Append-only decision store on PostgreSQL with versioned, immutable records.
- Standalone TypeScript decision intelligence microservice (axiom-council), authenticated by shared secret. VPC deployment available under enterprise terms.
- Deterministic scoring layer. All Decision Debt scores and drift signals are reproducible. No Math.random in scoring.
- AI as advisory only. Every recorded decision requires a human signature. AI never acts as the approver.
- Single accountable human owner per decision. Service accounts cannot approve.
- Audit reconstruction layer: any decision exportable end-to-end as a single examiner-ready artifact.
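The append-only store, the human-only approval rule and the examiner export above, as an added worked example. This is illustrative code written for this page, not AXIOM's implementation: the `DecisionLog` class, the field names, the principal kinds and the export shape are assumptions, and an in-memory array stands in for the PostgreSQL table. The only write operation is an append; each version is frozen and carries a field-level diff against its predecessor; approval is refused for any principal that is not a named human; and the export is the whole version chain in one object.

```typescript
// Added example (not AXIOM's code): an append-only, versioned decision record
// with field diffs, a human-only approval rule, and a single export artifact.
export interface Principal { id: string; kind: "human" | "service" | "ai" }
export interface DecisionFields { owner: string; rationale: string; status: "draft" | "approved" }
export interface FieldChange { from: unknown; to: unknown }
export interface Version {
  version: number;
  fields: Readonly<DecisionFields>;
  diff: Record<string, FieldChange>;   // changes relative to the previous version
  actor: string;                       // the named human who recorded it
  recordedAt: string;
}

export class DecisionLog {
  private readonly versions: Version[] = [];
  constructor(private readonly id: string) {}

  // The only write path. Nothing here mutates an earlier version.
  record(fields: DecisionFields, actor: Principal): Version {
    const prev = this.current();
    const diff: Record<string, FieldChange> = {};
    for (const k of Object.keys(fields) as (keyof DecisionFields)[]) {
      const from = prev?.fields[k];
      const to = fields[k];
      if (from !== to) diff[k] = { from, to };
    }
    const v: Version = Object.freeze({
      version: this.versions.length + 1,
      fields: Object.freeze({ ...fields }),
      diff,
      actor: actor.id,
      recordedAt: new Date().toISOString(),
    });
    this.versions.push(v);
    return v;
  }

  // Approval is itself a new version, and only a named human may create it.
  // Service accounts and AI principals are rejected before anything is written.
  approve(actor: Principal): Version {
    if (actor.kind !== "human") {
      throw new Error(`approval requires a named human; ${actor.kind} principals are advisory only`);
    }
    const prev = this.current();
    if (!prev) throw new Error("nothing to approve");
    return this.record({ ...prev.fields, status: "approved" }, actor);
  }

  current(): Version | undefined { return this.versions[this.versions.length - 1]; }
  history(): readonly Version[] { return this.versions; }

  // One artifact carrying the full lineage, for an examiner to read end to end.
  exportArtifact(): { id: string; versions: readonly Version[] } {
    return { id: this.id, versions: this.history() };
  }
}
```

The diff is computed at write time and stored with the version rather than derived later, so an export shows what changed at each step even if the comparison logic is revised afterwards.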
SR 11-7 alignment
SR 11-7 is the Federal Reserve supervisory letter on model risk management, issued jointly with the OCC (as OCC Bulletin 2011-12). AXIOM aligns to its core expectations: sufficient model documentation; designated accountable owners; assumptions that are identified and monitored; effective challenge through versioned review; ongoing monitoring with revalidation triggers; and a model inventory that emerges from decision lineage rather than from a separate spreadsheet. This is a design alignment statement, not a regulatory endorsement.
Responsible disclosure
Suspected vulnerabilities can be reported to security@axiomdecisionlayer.com. We respond within two business days.