Security Principles

Effective Date: 10 March 2026
Last Updated: 10 March 2026

This document describes Axiosky's security approach and practices. It is not a legally binding commitment or SLA. Specific security obligations for customer engagements are governed by the Data Processing Agreement and applicable service agreements.

1. Our Security Commitment

Security is foundational to how we build and operate Axiosky's governance infrastructure — Governor, Policy Engine, and Orchestrator. We're building a platform that enterprise and government organisations will trust to enforce policy over autonomous systems. That trust begins with how we secure our own platform.

We are transparent about our current practices and honest about where we are in our security maturity. We will update this document as our practices evolve.

2. Core Security Principles

We design and operate the platform according to the following principles:

  • Security by Design — Security considerations are incorporated at the architecture and design stage, not retrofitted. Governance enforcement, audit logging, and access separation are structural, not optional.
  • Least Privilege — Access to systems, data, and infrastructure is granted only to personnel and processes that require it to perform their function, and no broader.
  • Defence in Depth — We apply multiple independent layers of protection across infrastructure, application, data, and access — so that no single failure exposes customer data.
  • Transparency — We are open about what we do and do not do. We do not make security claims we cannot substantiate.
  • Continuous Improvement — We review and update security practices as the platform matures, as threats evolve, and as customer deployments grow in sensitivity.

3. Data Protection

  • Encryption in Transit — All data transmitted between your systems and ours is encrypted using TLS. We do not support unencrypted connections to the Services.
  • Encryption at Rest — Customer data stored within our infrastructure is encrypted at rest using industry-standard algorithms provided by our hosting environment.
  • Logical Isolation — Customer data is logically separated between customers. No customer can access another customer's data or configurations.
  • Data Residency — Customer data is primarily stored in India. Where data is processed by third-party infrastructure providers, this is described in our Data Processing Agreement.
  • No AI Training on Your Data — We do not use customer data, configurations, policy definitions, or audit logs to train or fine-tune any AI or machine learning model.

4. Access Controls

  • Internal Access — Access to production systems and customer data is restricted to personnel who require it for their specific function. Access is reviewed when roles change.
  • Credential Management — We do not use shared credentials for production access. Credentials are managed and rotated in accordance with security best practices.
  • Authentication — Where account access is made available to customers, we support and encourage the use of strong authentication mechanisms.
  • Separation of Environments — Development, staging, and production environments are separated. Customer data is not used in development or testing.

5. Secure Development

  • Code Review — All code changes are reviewed before deployment. We do not push unreviewed code to production systems.
  • Dependency Management — We monitor third-party dependencies for known vulnerabilities and apply updates as part of our development process.
  • Secure Coding Practices — We follow established secure coding guidelines to prevent common vulnerability classes in the platform.
  • Infrastructure Security — We follow security best practices for our hosting and infrastructure configuration, including restricting unnecessary network exposure and applying available security hardening.

6. Incident Response

We maintain a documented incident response process that covers detection, containment, investigation, and recovery. In the event of a confirmed security incident affecting customer data:

  • We will notify affected customers within 72 hours of confirming the incident, as described in the Data Processing Agreement
  • We will provide a description of the incident, the data affected, and the steps taken to contain and remediate it
  • We will support customers in meeting any applicable regulatory notification obligations

Security incidents can be reported at any time to security@axiosky.com.

7. Compliance Framework

Our platform is designed to support compliance with the following Indian legal and regulatory requirements:

  • Digital Personal Data Protection Act, 2023 (DPDP Act) — Our data handling practices are designed to meet the obligations of a Data Processor under the DPDP Act.
  • Information Technology Act, 2000 — Our operations comply with the IT Act and applicable Rules, including the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

We do not currently hold third-party security certifications. We will update this document when certifications are obtained.

8. Deployment Architecture

Our governance infrastructure is designed to support flexible deployment configurations to meet customers' regulatory and operational requirements. Details of available deployment models are discussed during the pilot engagement process.

For organisations with specific data residency, network isolation, or sovereign deployment requirements, contact us at hello@axiosky.com to discuss your needs.

9. Responsible Disclosure

If you discover a security vulnerability in our platform or infrastructure:

  • Report it to security@axiosky.com promptly and in good faith
  • Do not exploit the vulnerability, access data you are not authorised to access, or disclose it publicly before we have had a reasonable opportunity to respond
  • We will acknowledge your report and work to address confirmed vulnerabilities
  • We will not take legal action against individuals who report vulnerabilities in good faith in accordance with this process

Unauthorised security testing or scanning of our infrastructure is prohibited without prior written authorisation. See also the Acceptable Use Policy §6.

10. Shared Responsibility

Axiosky secures the platform and infrastructure. Customers are responsible for the security of their own systems, integrations, and the data they bring to the platform. We encourage customers to:

  • Use strong, unique credentials for any account or integration access
  • Apply access controls on their own side consistent with least-privilege principles
  • Review and scope their policy configurations carefully before production deployment
  • Report any suspected misuse or security concern immediately to security@axiosky.com

11. Contact

Security issues and vulnerability reports:
Email: security@axiosky.com

General security enquiries:
Email: hello@axiosky.com

© 2026 Axiosky