Security & Compliance

Coaxiom is built for developers and enterprises who need reliable, auditable inference price intelligence. This page documents our security posture, compliance certifications, data handling practices, and how to reach us for security inquiries.

Security questions: [email protected]

Coaxiom is a pre-revenue, early-stage company founded in 2026. We are transparent about our current certification status. We are building toward SOC 2 Type I and investing in compliance infrastructure from day one — not bolting it on later.

Certification Status

Current compliance certifications and roadmap. We publish our status transparently — we do not claim certifications we have not yet completed.

SOC 2 Type I: Planned

Targeting Q4 2026. We are building compliance controls and internal policies in preparation for a SOC 2 Type I audit. An auditor has not yet been engaged. This page will be updated when the audit process commences.

SOC 2 Type II: Planned

Follows Type I completion. Covers the full 6-month observation period per AICPA standards.

ISO 27001: Planned

Target: 2027, following SOC 2 Type II completion. The ISMS framework will be scoped alongside SOC 2 controls.

GDPR: Compliant

Data Processing Agreement (DPA) available on request. Data is processed on EU-eligible infrastructure with Standard Contractual Clauses.

HIPAA: Upon Request

Business Associate Agreement (BAA) available for healthcare customers. Contact [email protected] to request.

PCI DSS: N/A

Coaxiom does not store, transmit, or process payment card data. All billing is handled by Stripe (PCI DSS Level 1 certified).

Data Security

Encryption in transit and at rest is enforced across all Coaxiom systems and third-party infrastructure.

Data in Transit

  • TLS 1.2+ enforced on all connections — older protocols rejected
  • HTTPS-only — HTTP connections automatically redirected
  • Cloudflare edge encryption between clients and origin
  • Modern cipher suites only — no RC4, DES, or export ciphers
  • HSTS headers enforced with long max-age

Data at Rest

  • AES-256 encryption via Supabase (PostgreSQL on AWS)
  • Database backups encrypted using the same key management
  • Encryption keys managed by Supabase — not accessible to Coaxiom application code
  • Storage volumes encrypted at the infrastructure layer
  • No unencrypted data stores in use

Infrastructure

Coaxiom is built entirely on third-party infrastructure providers that maintain their own compliance certifications. We do not operate physical hardware.

Provider           Purpose                                                   Certifications
Netlify            Serverless functions, CDN, static hosting                 SOC 2 Type II
Supabase           PostgreSQL database, authentication, row-level security   SOC 2 Type II, HIPAA (Enterprise)
Cloudflare         DNS, CDN, DDoS protection, WAF, edge encryption           SOC 2 Type II, ISO 27001
Stripe             Payment processing and subscription billing               PCI DSS Level 1, SOC 2 Type II
Google Workspace   Email ([email protected]), internal collaboration      SOC 2 Type II, ISO 27001

All infrastructure providers maintain active SOC 2 Type II certifications. Coaxiom does not manage its own servers, data centers, or physical hardware.

Access Controls

Principle of least privilege is enforced at every layer — from the database to the API to internal tooling.

  • Role-based access control (RBAC) — users can only access their own data. Row-Level Security (RLS) enforced at the Supabase/PostgreSQL layer — not just application code.
  • API keys scoped per user — each key is tied to a single account. Keys are revocable instantly from the dashboard without affecting other users or services.
  • Service role credentials never exposed client-side — Supabase service role keys are only used in serverless function environments (Netlify Functions), never in browser-executed JavaScript.
  • MFA available on all admin accounts — multi-factor authentication is enabled on all internal admin accounts including Supabase, Netlify, Cloudflare, and Google Workspace.
  • Zero standing access (planned) — internal tools will require authentication via Cloudflare Access, eliminating persistent privileged access to production systems.
  • Security event notifications — users receive email alerts for API key creation, revocation, and new device sign-ins.
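The database-layer isolation described above, as an added example written for this page rather than Coaxiom's own schema: a PostgreSQL row-level security policy that restricts each account to its own API-key rows even when application code omits a WHERE clause. The table name, the app_user role and the app.account_id session setting are assumptions; on Supabase the caller's id would come from auth.uid() instead.

```sql
-- Added example, not Coaxiom's schema: a PostgreSQL row-level security (RLS)
-- policy so that each account sees only its own API-key rows even when
-- application code omits a WHERE clause.
-- Assumption: the caller's account id comes from a session setting
-- 'app.account_id'; on Supabase the equivalent is auth.uid(), taken from
-- the request JWT.

create table api_keys (
    id          bigserial primary key,
    account_id  uuid        not null,
    key_hash    text        not null,   -- only a hash is stored, never the raw key
    created_at  timestamptz not null default now(),
    revoked_at  timestamptz
);

-- Constructed seed data: two accounts, one key each.
insert into api_keys (account_id, key_hash) values
  ('11111111-1111-1111-1111-111111111111', 'hash_of_key_for_account_1'),
  ('22222222-2222-2222-2222-222222222222', 'hash_of_key_for_account_2');

create function current_account_id() returns uuid
language sql stable as $$
    select nullif(current_setting('app.account_id', true), '')::uuid
$$;

-- Enable RLS; from here on, every query by a non-owner, non-BYPASSRLS role is
-- filtered by the policies below (no matching policy means no rows at all).
alter table api_keys enable row level security;

-- USING filters rows the role may see; WITH CHECK constrains rows it may write.
create policy api_keys_owner_select on api_keys
    for select using (account_id = current_account_id());
create policy api_keys_owner_update on api_keys
    for update using (account_id = current_account_id())
               with check (account_id = current_account_id());

-- Application role: table privileges alone do not bypass RLS.
create role app_user noinherit;
grant select, update on api_keys to app_user;

-- Demo session acting as account 1.
set role app_user;
select set_config('app.account_id', '11111111-1111-1111-1111-111111111111', false);
select account_id, revoked_at from api_keys;          -- account 1's row only
update api_keys set revoked_at = now()
 where account_id = '22222222-2222-2222-2222-222222222222';  -- UPDATE 0: not visible
reset role;

-- A role with BYPASSRLS (such as Supabase's service role) sees every row
-- regardless of policy, which is why that credential belongs in server-side
-- functions only and never in browser-executed code.
```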

Incident Response

We maintain documented incident response procedures with defined SLAs for detection, escalation, and customer notification.

Key SLAs: 24h P1 response · 15m anomaly detection · 72h user notification (GDPR Art. 33)

  • P1 security incidents — 24-hour SLA from detection to initial response
  • Automated anomaly detection — runs every 15 minutes across API access patterns and authentication events
  • Breach notification — affected users notified within 72 hours of confirmed incident, per GDPR Article 33
  • Incident log — coaxiom.io/status (coming soon)
  • Security contact — [email protected]

Vulnerability Disclosure

We operate a responsible disclosure policy and welcome security research. We commit to acting quickly on valid reports.

  • Report vulnerabilities — email [email protected] with a detailed description and reproduction steps
  • PGP key — available upon request for encrypted communications
  • Acknowledgment SLA — we commit to acknowledge all valid reports within 48 hours
  • Remediation SLA — critical vulnerabilities remediated within 7 days of confirmation
  • Bug bounty — no formal bounty program at this stage. We offer acknowledgment and CVE credit for responsible disclosures
  • Safe harbor — good-faith security research conducted under this policy will not result in legal action

Please do not publicly disclose vulnerabilities before we have had a chance to remediate. Coordinated disclosure protects all users.

Data Handling

Coaxiom collects the minimum data needed to operate the service. We do not collect or store the content of inference requests routed through the API.

Category                  What we collect / don't collect
Account data              Email address, hashed password (via Supabase Auth), account creation timestamp
API usage logs            Endpoint called, model slug, provider, token counts, latency, timestamp, API key identifier (not the key itself)
Billing data              Stripe customer ID, subscription tier, invoice history — we never see or store card numbers
Prompt/message content    Not collected. We do not log, store, or inspect the content of inference requests routed through the API.
Training data             Not collected. Your usage data is never used to train models or shared with third parties for that purpose.
Retention — usage logs    Raw usage logs retained for 90 days, then aggregated and anonymized. Aggregated data may be retained indefinitely for analytics.
Retention — account data  Deleted within 30 days of an account deletion request. Email [email protected] to request deletion.

GDPR

Coaxiom is committed to GDPR compliance. If you are an EU/EEA data subject or customer, the following applies.

  • Data Controller: Coaxiom LLC. Contact: [email protected]
  • Legal Basis: Contract performance (Art. 6(1)(b)) for core service delivery; legitimate interest (Art. 6(1)(f)) for security monitoring and fraud prevention
  • Data Processing Agreement: DPA available at coaxiom.io/dpa. To request a countersigned copy, email [email protected] with your legal entity name and Coaxiom account email. Returned within 5 business days.
  • Data Subject Rights: You have the right to access, rectify, erase, and port your personal data. Submit requests to [email protected] — we respond within 30 days.
  • EU Data Transfers: Standard Contractual Clauses (SCCs) applied where personal data is transferred from the EU/EEA to the United States
  • Infrastructure Region: Supabase database hosted on AWS. EU region available for enterprise customers — contact us to configure.
  • Data Breach Notification: Affected users notified within 72 hours of a confirmed breach per GDPR Article 33. Supervisory authority notified as required.

Contact

Route your inquiry to the right team for fastest response.

Security
[email protected]

Vulnerability reports, security incidents, PGP key requests

Compliance & Privacy
[email protected]

DPA requests, GDPR inquiries, HIPAA BAA, data deletion requests

Legal
[email protected]

Legal matters, subpoenas, law enforcement requests

For enterprise security reviews, vendor questionnaires, or custom compliance requirements, email [email protected] with the subject line "Security Review" and we will respond within 2 business days.

Last updated: May 2026 · Coaxiom LLC · [email protected]