Security & Compliance
Coaxiom is built for developers and enterprises who need reliable, auditable inference price intelligence. This page documents our security posture, compliance certifications, data handling practices, and how to reach us for security inquiries.
Certification Status
Current compliance certifications and roadmap. We publish our status transparently — we do not claim certifications we have not yet completed.
- SOC 2 Type I: Targeting Q4 2026. We are building compliance controls and internal policies in preparation for a SOC 2 Type I audit. An auditor has not yet been engaged. This page will be updated when the audit process commences.
- SOC 2 Type II: Follows Type I completion. Covers the full 6-month observation period per AICPA standards.
- ISMS certification: Target 2027, following SOC 2 Type II completion. The ISMS framework will be scoped alongside SOC 2 controls.
- GDPR: Data Processing Agreement (DPA) available on request. Data processed on EU-eligible infrastructure with Standard Contractual Clauses.
- HIPAA: Business Associate Agreement (BAA) available for healthcare customers. Contact [email protected] to request.
- PCI DSS: Coaxiom does not store, transmit, or process payment card data. All billing is handled by Stripe (PCI DSS Level 1 certified).
Data Security
Encryption in transit and at rest is enforced across all Coaxiom systems and third-party infrastructure.
Data in Transit
- TLS 1.2+ enforced on all connections — older protocols rejected
- HTTPS-only — HTTP connections automatically redirected
- Cloudflare edge encryption between clients and origin
- Modern cipher suites only — no RC4, DES, or export ciphers
- HSTS headers enforced with long max-age
Data at Rest
- AES-256 encryption via Supabase (PostgreSQL on AWS)
- Database backups encrypted using the same key management
- Encryption keys managed by Supabase — not accessible to Coaxiom application code
- Storage volumes encrypted at the infrastructure layer
- No unencrypted data stores in use
Infrastructure
Coaxiom is built entirely on third-party infrastructure providers that maintain their own compliance certifications. We do not operate physical hardware.
| Provider | Purpose | Certifications |
|---|---|---|
| Netlify | Serverless functions, CDN, static hosting | |
| Supabase | PostgreSQL database, authentication, row-level security | |
| Cloudflare | DNS, CDN, DDoS protection, WAF, edge encryption | |
| Stripe | Payment processing and subscription billing | |
| Google Workspace | Email ([email protected]), internal collaboration | |
Access Controls
Principle of least privilege is enforced at every layer — from the database to the API to internal tooling.
- Role-based access control (RBAC) — users can only access their own data. Row-Level Security (RLS) enforced at the Supabase/PostgreSQL layer — not just application code.
- API keys scoped per user — each key is tied to a single account. Keys are revocable instantly from the dashboard without affecting other users or services.
- Service role credentials never exposed client-side — Supabase service role keys are only used in serverless function environments (Netlify Functions), never in browser-executed JavaScript.
- MFA available on all admin accounts — multi-factor authentication is enabled on all internal admin accounts including Supabase, Netlify, Cloudflare, and Google Workspace.
- Zero standing access (planned) — internal tools will require authentication via Cloudflare Access, eliminating persistent privileged access to production systems.
- Security event notifications — users receive email alerts for API key creation, revocation, and new device sign-ins.
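The per-user RLS control described above, as an added example of how such a policy is expressed in Supabase/PostgreSQL (example code, not Coaxiom's own schema): the `api_keys` table and its columns are assumed, and `auth.uid()` is Supabase's standard helper that returns the caller's JWT subject.

```sql
-- Added example, not Coaxiom's schema. Assumed table: api_keys(id, user_id, key_hash, ...).
-- Goal: an account can read, create and revoke only its own API keys, enforced by the
-- database itself rather than by application code.

create table if not exists api_keys (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null references auth.users (id) on delete cascade,
  key_hash    text not null,              -- store a hash of the key, never the raw key
  created_at  timestamptz not null default now(),
  revoked_at  timestamptz                 -- set on revocation; key identifier stays for logs
);

-- Until RLS is enabled, policies are ignored and any role with table privileges sees every row.
alter table api_keys enable row level security;

-- Read: only rows whose user_id matches the JWT subject of the calling user.
-- Policies are granted to the "authenticated" role only, so anonymous requests match nothing.
create policy api_keys_select_own on api_keys
  for select to authenticated
  using (user_id = auth.uid());

-- Insert: a user may create keys for their own account only.
create policy api_keys_insert_own on api_keys
  for insert to authenticated
  with check (user_id = auth.uid());

-- Update (revocation): limited to own rows, and the row must still belong to the caller afterwards.
create policy api_keys_update_own on api_keys
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- No delete policy is defined: with RLS enabled, an operation without a matching policy is denied.

-- Caveat: the Supabase service_role key bypasses RLS entirely, which is why it must stay in
-- server-side code (serverless functions) and never reach browser-executed JavaScript.

-- Check from SQL that the policy holds (assumes the standard Supabase auth.uid(), which reads
-- the "sub" claim from the request.jwt.claims setting). The subject below is a constructed value.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
select count(*) from api_keys;   -- counts only rows owned by that subject, never other users' keys
rollback;
```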
Incident Response
We maintain documented incident response procedures with defined SLAs for detection, escalation, and customer notification.
- P1 security incidents — 24-hour SLA from detection to initial response
- Automated anomaly detection — runs every 15 minutes across API access patterns and authentication events
- Breach notification — affected users notified within 72 hours of confirmed incident, per GDPR Article 33
- Incident log — coaxiom.io/status (coming soon)
- Security contact — [email protected]
Vulnerability Disclosure
We operate a responsible disclosure policy and welcome security research. We commit to acting quickly on valid reports.
- Report vulnerabilities — email [email protected] with a detailed description and reproduction steps
- PGP key — available upon request for encrypted communications
- Acknowledgment SLA — we commit to acknowledge all valid reports within 48 hours
- Remediation SLA — critical vulnerabilities remediated within 7 days of confirmation
- Bug bounty — no formal bounty program at this stage. We offer acknowledgment and CVE credit for responsible disclosures
- Safe harbor — good-faith security research conducted under this policy will not result in legal action
Data Handling
Coaxiom collects the minimum data needed to operate the service. We do not collect or store the content of inference requests routed through the API.
| Category | What We Collect / Don't Collect |
|---|---|
| Account data | Email address, hashed password (via Supabase Auth), account creation timestamp |
| API usage logs | Endpoint called, model slug, provider, token counts, latency, timestamp, API key identifier (not the key itself) |
| Billing data | Stripe customer ID, subscription tier, invoice history — we never see or store card numbers |
| Prompt/message content | Not collected. We do not log, store, or inspect the content of inference requests routed through the API. |
| Training data | Not collected. Your usage data is never used to train models or shared with third parties for that purpose. |
| Retention — usage logs | Raw usage logs retained for 90 days, then aggregated and anonymized. Aggregated data may be retained indefinitely for analytics. |
| Retention — account data | Deleted within 30 days of an account deletion request. Email [email protected] to request deletion. |
GDPR
Coaxiom is committed to GDPR compliance. If you are an EU/EEA data subject or customer, the following applies.
- Data Controller: Coaxiom LLC. Contact: [email protected]
- Legal Basis: Contract performance (Art. 6(1)(b)) for core service delivery; legitimate interest (Art. 6(1)(f)) for security monitoring and fraud prevention
- Data Processing Agreement: DPA available at coaxiom.io/dpa. To request a countersigned copy, email [email protected] with your legal entity name and Coaxiom account email. Returned within 5 business days.
- Data Subject Rights: You have the right to access, rectify, erase, and port your personal data. Submit requests to [email protected]; we respond within 30 days.
- EU Data Transfers: Standard Contractual Clauses (SCCs) applied where personal data is transferred from the EU/EEA to the United States
- Infrastructure Region: Supabase database hosted on AWS. EU region available for enterprise customers; contact us to configure.
- Data Breach Notification: Affected users notified within 72 hours of a confirmed breach per GDPR Article 33. Supervisory authority notified as required.
Contact
Route your inquiry to the right team for fastest response.
- DPA requests, GDPR inquiries, HIPAA BAA, and data deletion requests: email [email protected]
Last updated: May 2026 · Coaxiom LLC · [email protected]