Encryption
Every connection between your browser, our infrastructure, and the AI employees we build uses TLS 1.2 or higher. Data at rest is encrypted with AES-256 across all storage layers we operate.
Access control
Two-factor authentication is enforced on every internal account that can reach client data or production deployments. Production secrets are rotated quarterly and on personnel changes. Engineers access only the projects they’re assigned to.
Isolation per client
Each client’s AI employees run in their own isolated environment with their own credentials. They cannot read or write data outside the integrations that have been explicitly granted to them. Every action on production systems is logged with a full audit trail.
AI processing
Conversations with the AI employees we build are sent to our enterprise AI infrastructure provider over an encrypted channel. The provider does not retain your data beyond what is needed to serve the request, and never uses it to train any model. Where a client’s regulatory posture requires it (HIPAA, financial services), we deploy under the provider’s zero-data-retention configuration. A current list of subprocessors is available on request and as part of the DPA we sign at engagement kickoff.
Compliance
We sign DPAs and BAAs as a matter of course. We’re happy to complete your security questionnaire and meet with your security team during procurement. A SOC 2 Type II report is on the roadmap for the second half of 2026.
Backups
Project artifacts (prompts, code, configurations) are backed up daily and retained for 30 days. Backups are encrypted at rest and isolated from production access.
Operational practices
- Production deployments require code review and a passing test suite.
- Application logs are retained for 90 days and reviewed weekly for anomalies.
- The incident response runbook is rehearsed quarterly.
- The studio’s infrastructure receives an annual penetration test.
Incident response
If a security incident affects a client’s data, we notify the client within 24 hours of confirming the breach, with a written summary of what happened, what data was involved, and what we’re doing in response. Where required by law, we’ll also notify the relevant supervisory authority within statutory deadlines.
Reporting a vulnerability
Found something concerning on our site or in a deployed AI employee you’re testing? Write to security@axluma.com. We acknowledge every responsible report and credit researchers in our changelog with permission.
This page describes our intent and current practice. Third-party certifications and attestations (SOC 2 Type II, ISO 27001) are roadmapped, not yet issued; DPAs and BAAs are contractual commitments we sign today, not certifications. Ask us about timelines if your organisation requires a certification before signing on.