Trust Center

Security & data protection

Axiome safeguards some of the most sensitive information a shipping business holds — voyage records, charter parties, EUA positions, and the money that moves against them. Security is built into every layer of the platform.

Aligned with
SOC 2TYPE IIISO27001GDPREUEURESIDENCY

Last reviewed July 2026

Encryption everywhere

TLS 1.3 in transit, AES-256 at rest. Secrets live in a managed key store and rotate on a schedule — never in source, never in a client bundle.

EU data residency

Compute and storage run in isolated EU regions where you require it, separated per environment and per customer.

Zero standing access

Role-based controls scope every user to their organisation. Staff hold no standing access to customer data — every grant is time-bound and logged.

Privacy by design

We never sell your data or train models on it. Your records serve one purpose: the service you pay for.

Secure development

Every change is peer-reviewed and clears automated dependency and secret scanning before it ships. Infrastructure is versioned as code.

Resilience & recovery

Encrypted, geo-redundant backups with tested restores, continuous availability monitoring, and graceful degradation by design.

Compliance & certifications

Our controls are built and mapped to the leading security and privacy frameworks.

FrameworkStatus
SOC 2 Type IIAligned
ISO/IEC 27001Aligned
GDPRAligned
Cloud infrastructureSOC 2 (inherited)

Data protection

Every byte of customer data is encrypted in transit with TLS 1.3 and at rest with AES-256. Keys are held in a managed key-management service and rotated regularly.

For EU customers, voyage and financial data is processed and stored entirely within EU regions. Data is retained for the life of your contract and permanently deleted within 30 days of request or termination.

Infrastructure & platform security

Axiome runs on Vercel, whose platform holds SOC 2 Type II and ISO 27001 certification. Production, staging, and development environments are fully isolated, and all infrastructure is defined as code and changed only through a reviewed pipeline.

Secrets are held in a managed secret store and never touch the codebase or the client. Access to production is restricted to a minimal set of engineers, MFA-protected, and logged.

Application security

Every change is peer-reviewed before it reaches production. Our CI pipeline runs dependency vulnerability scanning and secret detection on every commit, and strict typing enforces a hard boundary between AI-extracted values and the deterministic code that performs all money math, time-bar, and status logic — a model can read a document, but it never decides what a claim is worth.

We run penetration testing and remediate findings on a severity-based timeline. A summary is available to customers under NDA.

Access & authentication

Role-based access controls scope every user to data within their own organisation. We support SSO / SAML and enforce multi-factor authentication for privileged access, with every administrative action captured in an audit log.

Axiome staff operate on zero standing access to customer data. Access is granted only for a specific, authorised reason, is time-bound, and expires automatically.

AI & your data

Axiome reads documents — notices of readiness, statements of fact, invoices — with large-language-model extraction, pulling structured values with full provenance. A model never decides money; deterministic code does.

Your data is never used to train models, ours or a provider's. Our extraction sub-processor operates under contractual zero-data-retention terms: nothing is stored or used for training on their side.

Sub-processors

We rely on a short, carefully chosen set of sub-processors and notify customers of material changes in advance.

Sub-processorPurpose
VercelApplication hosting & compute
OpenAIDocument extraction (zero data retention)
CalendlyDemo scheduling

Business continuity & availability

Customer data is backed up continuously on an encrypted, geo-redundant basis, and we test restores regularly. Our recovery objectives are measured in hours.

We monitor availability around the clock and design the platform to degrade gracefully, so a single dependency can never put your data at risk.

Responsible disclosure

If you discover a vulnerability, please report it to work@withaxiome.com before any public disclosure. We acknowledge every report within 48 hours and work with you to resolve it promptly.

We operate a good-faith safe harbour: we will not pursue legal action against researchers who act in good faith, avoid privacy violations and service disruption, and give us reasonable time to remediate.

Documentation room

Running a vendor review? The following are available to customers and prospects under NDA — email work@withaxiome.com and we'll turn it around quickly.

  • Data Processing Agreement (DPA)
  • Sub-processor list
  • Penetration test summary
  • Security questionnaire (SIG / CAIQ) support

Talk to our security team

Enterprise DPAs, sub-processor lists, or security questionnaires — we're responsive.

work@withaxiome.com