Security

How we protect your data and our platform

Last updated: January 31, 2026

Security is foundational to the axeo platform. We implement multiple layers of protection to ensure your asset data, user information, and organizational records remain secure. This page outlines our security practices, architecture, and our commitment to protecting your information.

Encryption

We use industry-standard encryption to protect your data both in transit and at rest.

  • All data transmitted between your browser and axeo is encrypted using TLS 1.2 or higher
  • Data at rest is encrypted using AES-256 encryption on all database storage
  • Database backups are encrypted and stored in geographically redundant locations
  • API keys and sensitive credentials are encrypted with envelope encryption before storage

Access Controls

We implement strict access controls at every level of the platform.

  • Role-based access control (RBAC) allows organization administrators to define granular permissions for team members
  • Row-Level Security (RLS) policies in our database ensure users can only access data belonging to their organization
  • Administrative access to production systems requires multi-factor authentication and is limited to essential personnel
  • All access to production systems is logged and regularly reviewed
  • Service-to-service communication uses short-lived tokens and follows the principle of least privilege

Authentication Security

User authentication is handled through secure, industry-standard mechanisms.

  • Passwords are hashed using bcrypt with appropriate cost factors — we never store plaintext passwords
  • Session tokens are securely generated and transmitted only over encrypted connections
  • Configurable session timeout policies help protect unattended sessions
  • Support for email-based magic links as a passwordless authentication option
  • Account lockout protection against brute-force attacks with rate limiting

Infrastructure Security

Our infrastructure is designed for reliability, performance, and security.

  • Hosted on enterprise-grade cloud infrastructure with SOC 2 compliance
  • Application deployed with automatic scaling and geographic distribution
  • Database services include automatic failover and point-in-time recovery
  • Network-level protections including DDoS mitigation and Web Application Firewall (WAF)
  • Regular infrastructure vulnerability scanning and patch management

Monitoring and Audit Logging

Comprehensive monitoring helps us detect and respond to security events quickly.

  • Real-time error and performance monitoring with automated alerting
  • Detailed audit logs track all significant actions within the platform (asset changes, checkouts, user modifications)
  • Audit logs are immutable and retained according to your organization's subscription plan
  • Security event monitoring for suspicious activity such as unusual login attempts or data access patterns
  • Regular review of access logs and security events by our security team

Incident Response

We maintain a formal incident response plan to address security events promptly and effectively.

  • Defined escalation procedures with clear roles and responsibilities
  • Affected customers are notified within 72 hours of confirming a data breach, as required by GDPR and other applicable regulations
  • Post-incident reviews are conducted to identify root causes and implement preventive measures
  • Regular incident response drills to ensure team readiness

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue in axeo, please report it to our security team.

  • Email security vulnerabilities to security@axeo.ink with a detailed description of the issue
  • Include steps to reproduce the vulnerability if possible
  • We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days
  • We ask that you give us reasonable time to address the issue before public disclosure
  • We will not take legal action against researchers who report vulnerabilities in good faith

Security Best Practices for Users

While we implement robust security measures, you can help protect your organization by following these best practices:

  • Use strong, unique passwords for your axeo account
  • Review and manage team member access regularly, removing users who no longer need access
  • Train team members on security awareness, including recognizing phishing attempts
  • Report suspicious activity to your organization administrator and to our support team
  • Keep your browser and devices updated with the latest security patches

Questions about this policy?

If you have any questions or concerns, please contact us at security@axeo.ink. We aim to respond to all inquiries within 2 business days.