Security that matches what you'd build yourself.
ax1om works exclusively with each customer's own first-party CRM data. No external enrichment, no third-party signals, no cross-customer data sharing. That product choice shapes every decision on this page.
Backed by enterprise-grade infrastructure
ax1om runs on providers that hold independent SOC 2 Type II, ISO 27001, ISO 27018, and PCI DSS Level 1 certifications. Our own SOC 2 Type II audit begins Q4 2026.
- Google Cloud: SOC 2 Type II · ISO 27001 · ISO 27018
- Supabase: SOC 2 Type II
- Vercel: SOC 2 Type II · ISO 27001
- Cloudflare: SOC 2 Type II · ISO 27001
- Stripe: SOC 2 Type II · PCI DSS L1
- Sentry: SOC 2 Type II
- SOC 2 Type II: audit Q4 2026
- GDPR: DPA with SCCs available
- CCPA: compliant as service provider
- US data residency: GCP us-central1 only
How we think about compliance today.
ax1om operates under a shared responsibility model with its subservice organizations. Our own SOC 2 Type II audit period begins Q4 2026, with a report expected Q1 2027. In the meantime, customer data is stored and processed on infrastructure that holds independent SOC 2 Type II certifications today, and ax1om operates the application-layer controls (authentication, authorization, PII detection, encryption at the application layer, incident response) that sit above that infrastructure.
The tables below show exactly which controls are inherited from which providers and which are owned by ax1om. This is the honest version of a trust page. We do not claim certifications we do not hold yet.
What we do, in detail, without the marketing gloss.
- Hosted on Google Cloud Platform in us-central1.
- All services run on Google Cloud Run with automatic scaling and per-request isolation.
- No shared infrastructure between customer organizations.
- All customer data is stored and processed exclusively within the United States.
- Data encrypted in transit via TLS 1.2 or higher, enforced at both Cloudflare and Cloud Run.
- Data encrypted at rest via Google-managed AES-256 encryption.
- OAuth tokens for Salesforce and HubSpot are encrypted with Fernet symmetric encryption before database storage.
- Encryption keys stored in GCP Secret Manager, separate from application data.
- JWT-based sessions via Supabase Auth. Google OAuth and email/password supported. MFA available via Google.
- OAuth 2.0 for Salesforce and HubSpot. Only minimum required scopes are requested.
- API keys use HMAC-SHA256 hashing. Raw keys are shown once at creation and never stored in plaintext.
- Authentication endpoints are rate-limited to prevent brute-force and credential stuffing.
- Platform administration requires an explicit admin flag; standard users cannot access admin functions.
- Every organization's data is logically isolated at both the database and storage level.
- Every database query is scoped to the customer organization ID.
- No cross-customer data access is possible through the API.
- Model artifacts are stored in organization-scoped paths in Google Cloud Storage.
- Read-only access to connected CRMs by default. Writeback requires explicit per-field opt-in.
- CRM data is processed in memory during model training.
- PII (email, phone, name, address) is automatically detected and stripped from stored model artifacts.
- Email addresses are domain-extracted and hashed; raw email addresses are never persisted.
- Phone numbers and names are converted to boolean presence features (has_phone, has_name) and raw values are dropped.
- Only aggregated features and scores are persisted long-term.
- LightGBM gradient boosting: a well-understood, deterministic machine learning method.
- SHAP feature importances computed for every model and every record.
- Models are trained per organization using only that organization's data.
- No cross-customer model training, no federated learning, no shared models.
- ax1om scores are advisory; they do not autonomously take actions that affect individuals.
- Sentry SDK captures unhandled exceptions and performance traces in real time.
- Sentry Uptime probes the API health endpoint every 5 minutes from multiple regions.
- Application logs routed to GCP Cloud Logging with 30-day retention.
- Security and availability alerts routed to on-call via email and Slack-compatible channels.
- GitHub Dependabot monitors all application dependencies for known vulnerabilities.
- GCP Security Command Center provides continuous infrastructure monitoring.
- Critical security patches are applied within 24 hours of confirmed criticality.
- Annual external penetration test scoped to OWASP Top 10 and ASVS methodology (scheduled Q3 2026).
- Security incidents investigated within 24 hours of detection.
- Affected customers notified within 72 hours of a confirmed breach.
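The PII-stripping step the list above describes (email reduced to a hashed domain, phone and name reduced to has_phone / has_name presence flags, raw values and address dropped), as an added example that is not ax1om's own code. The field names, the regular expressions and the keyed HMAC-SHA256 with a constructed per-organization key are assumptions, since the page only says the domain is hashed; leaked_pii_keys is an added pre-persist check that the transform left nothing behind.

```python
import hashlib
import hmac
import re
from typing import Any

# Constructed per-organization key for this example (assumption: the page does not say
# whether the domain hash is keyed). In the deployment described it would live in
# GCP Secret Manager, never in source.
ORG_KEY = b"example-org-key-not-a-real-secret"

EMAIL_RE = re.compile(r"[^@\s]+@([^@\s]+\.[^@\s]+)")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")

# Raw PII fields the page lists as detected and stripped before artifacts are stored.
PII_FIELDS = ("email", "phone", "name", "address")


def hash_domain(domain: str, key: bytes = ORG_KEY) -> str:
    """Keyed SHA-256 of the lower-cased email domain; the raw domain is not retained."""
    return hmac.new(key, domain.strip().lower().encode(), hashlib.sha256).hexdigest()


def extract_features(record: dict[str, Any], key: bytes = ORG_KEY) -> dict[str, Any]:
    """Turn one CRM contact record into the PII-free feature row the page describes:
    email -> hashed domain, phone/name -> presence booleans, address dropped,
    every non-PII field passed through unchanged."""
    features = {k: v for k, v in record.items() if k not in PII_FIELDS}
    match = EMAIL_RE.fullmatch(str(record.get("email") or "").strip())
    features["email_domain_hash"] = hash_domain(match.group(1), key) if match else None
    # Only whether a plausible value is present, never the value itself.
    features["has_phone"] = bool(PHONE_RE.search(str(record.get("phone") or "")))
    features["has_name"] = bool(str(record.get("name") or "").strip())
    return features


def leaked_pii_keys(features: dict[str, Any]) -> list[str]:
    """Defensive check before an artifact is persisted: keys of any string feature
    that still looks like an email address or phone number."""
    return [
        k for k, v in features.items()
        if isinstance(v, str) and (EMAIL_RE.search(v) or PHONE_RE.search(v))
    ]


# Constructed sample record, not real customer data.
SAMPLE = {"id": "c-1", "email": "Jane.Doe@Example.com", "phone": "+1 (555) 010-2000",
          "name": "Jane Doe", "address": "1 Main St", "stage": "qualified"}
```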
Controls inherited from subservice organizations.
Each provider holds independent SOC 2 Type II reports (or equivalent) available upon request. The SOC 2 criteria column maps to the Trust Services Criteria that the inherited control satisfies.
| Control area | Provider | Compliance | SOC 2 criteria |
|---|---|---|---|
| Physical data center security | Google Cloud | SOC 2 Type II · ISO 27001 · ISO 27017 · ISO 27018 | CC6.4, CC6.5 |
| Network infrastructure security | GCP + Cloudflare | SOC 2 Type II · ISO 27001 | CC6.6, CC6.7 |
| Encryption at rest (AES-256) | GCP, Supabase | SOC 2 Type II | CC6.1 |
| Encryption in transit (TLS 1.2+) | Cloudflare, Cloud Run | SOC 2 Type II · ISO 27001 | CC6.7 |
| Database backups and PITR | Supabase Pro | SOC 2 Type II | A1.2, A1.3 |
| Availability zone redundancy | GCP us-central1 | SOC 2 Type II | A1.1 |
| Secrets management | GCP Secret Manager | SOC 2 Type II | CC6.1, CC6.3 |
| DDoS protection | Cloudflare | SOC 2 Type II | CC6.6 |
| Payment processing (PCI) | Stripe | SOC 2 Type II · PCI DSS L1 | CC9.2 |
| Frontend hosting + edge delivery | Vercel | SOC 2 Type II · ISO 27001 | CC6.6 |
| Error tracking and uptime | Sentry | SOC 2 Type II | CC7.2, CC7.3 |
Every third party that touches your data.
A signed Data Processing Agreement is available to customers on request and lists all current subprocessors.
| Subprocessor | Purpose | Data accessed | Compliance |
|---|---|---|---|
| Google Cloud Platform | Cloud hosting, compute, storage, secrets | Customer CRM data (encrypted at rest) | SOC 2 Type II · ISO 27001 · ISO 27017 · ISO 27018 |
| Supabase Pro | Managed PostgreSQL database | Customer account and CRM data | SOC 2 Type II |
| Vercel | Frontend hosting | No direct customer data access | SOC 2 Type II · ISO 27001 |
| Cloudflare | CDN, DDoS protection, TLS termination, DNS | Request metadata only (IP, user-agent) | SOC 2 Type II · ISO 27001 |
| Stripe | Payment processing | Billing and payment data | SOC 2 Type II · ISO 27001 · PCI DSS L1 |
| Sentry | Error tracking and uptime monitoring | Error payloads and request context | SOC 2 Type II |
| Resend | Transactional email delivery | Email metadata (recipient, subject, send time) | Reviewed annually |
| PostHog | Product analytics (first-party events) | Product usage events | Reviewed annually |
Where we stand, framework by framework.
SOC 2 Type II
In progress. Audit period begins Q4 2026. Type II report expected Q1 2027.
GDPR
Ready. DPA available with Standard Contractual Clauses.
CCPA
Ready. Compliant as a service provider.
HIPAA
Out of scope. ax1om does not process PHI.
FERPA
Out of scope. ax1om does not process student records.
Need a DPA, a SOC 2 progress memo, or just have a question?
Request documentation, ask about our compliance posture, or submit a vulnerability report. We respond within one business day and acknowledge all good-faith security reports within two.