Trust Center
Security & data protection
Axiome safeguards some of the most sensitive information a shipping business holds — voyage records, charter parties, EUA positions, and the money that moves against them. Security is built into every layer of the platform.
Last reviewed July 2026
Encryption everywhere
TLS 1.3 in transit, AES-256 at rest. Secrets live in a managed key store and rotate on a schedule — never in source, never in a client bundle.
EU data residency
Compute and storage run in isolated EU regions where you require it, separated per environment and per customer.
Zero standing access
Role-based controls scope every user to their organisation. Staff hold no standing access to customer data — every grant is time-bound and logged.
Privacy by design
We never sell your data or train models on it. Your records serve one purpose: the service you pay for.
Secure development
Every change is peer-reviewed and clears automated dependency and secret scanning before it ships. Infrastructure is versioned as code.
Resilience & recovery
Encrypted, geo-redundant backups with tested restores, continuous availability monitoring, and graceful degradation by design.
Compliance & certifications
Our controls are built and mapped to the leading security and privacy frameworks.
| Framework | Status | Detail |
|---|---|---|
| SOC 2 Type II | Aligned | Controls operated and mapped to the SOC 2 Trust Services Criteria. |
| ISO/IEC 27001 | Aligned | Security controls mapped to ISO/IEC 27001 Annex A. |
| GDPR | Aligned | Processor for voyage & charter-party data; controller for account data. SCCs govern EEA transfers. |
| Cloud infrastructure | SOC 2 (inherited) | Our underlying cloud platform holds SOC 2 Type II and ISO 27001 certification. |
Data protection
Every byte of customer data is encrypted in transit with TLS 1.3 and at rest with AES-256. Keys are held in a managed key-management service and rotated regularly.
For EU customers, voyage and financial data is processed and stored entirely within EU regions. Data is retained for the life of your contract and permanently deleted within 30 days of request or termination.
Infrastructure & platform security
Axiome runs on Vercel, whose platform holds SOC 2 Type II and ISO 27001 certification. Production, staging, and development environments are fully isolated, and all infrastructure is defined as code and changed only through a reviewed pipeline.
Secrets are held in a managed secret store and never touch the codebase or the client. Access to production is restricted to a minimal set of engineers, MFA-protected, and logged.
Application security
Every change is peer-reviewed before it reaches production. Our CI pipeline runs dependency vulnerability scanning and secret detection on every commit, and strict typing enforces a hard boundary between AI-extracted values and the deterministic code that performs all money math, time-bar, and status logic — a model can read a document, but it never decides what a claim is worth.
We run penetration testing and remediate findings on a severity-based timeline. A summary is available to customers under NDA.
Access & authentication
Role-based access controls scope every user to data within their own organisation. We support SSO / SAML and enforce multi-factor authentication for privileged access, with every administrative action captured in an audit log.
Axiome staff operate on zero standing access to customer data. Access is granted only for a specific, authorised reason, is time-bound, and expires automatically.
AI & your data
Axiome reads documents — notices of readiness, statements of fact, invoices — with large-language-model extraction, pulling structured values with full provenance. A model never decides money; deterministic code does.
Your data is never used to train models, ours or a provider's. Our extraction sub-processor operates under contractual zero-data-retention terms: nothing is stored or used for training on their side.
Sub-processors
We rely on a short, carefully chosen set of sub-processors and notify customers of material changes in advance.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel | Application hosting & compute | EU / US |
| OpenAI | Document extraction (zero data retention) | EU / US |
| Calendly | Demo scheduling | US |
Business continuity & availability
Customer data is backed up continuously on an encrypted, geo-redundant basis, and we test restores regularly. Our recovery objectives are measured in hours.
We monitor availability around the clock and design the platform to degrade gracefully, so a single dependency can never put your data at risk.
Responsible disclosure
If you discover a vulnerability, please report it to work@withaxiome.com before any public disclosure. We acknowledge every report within 48 hours and work with you to resolve it promptly.
We operate a good-faith safe harbour: we will not pursue legal action against researchers who act in good faith, avoid privacy violations and service disruption, and give us reasonable time to remediate.
Documentation room
Running a vendor review? The following are available to customers and prospects under NDA — email work@withaxiome.com and we'll turn it around quickly.
- Data Processing Agreement (DPA)
- Sub-processor list
- Penetration test summary
- Security questionnaire (SIG / CAIQ) support
Talk to our security team
Enterprise DPAs, sub-processor lists, or security questionnaires — we're responsive.