An honest account of how
we handle your data.

AxonIR is an early-stage, founder-run platform. We don't hold enterprise security certifications, and we won't claim ones we don't have. What follows is a specific, current description of the data we collect, how it's protected, and what we're still building toward — so a procurement or security reviewer can evaluate us on facts, not marketing.

This page will be updated as our program matures. If anything here becomes inaccurate, treat that as a bug — email [email protected] and we'll correct it.

What we collect — and what we deliberately don't

🗂️ Customer account data

To operate an account, we store: your email address, a salted PBKDF2 hash of your password (never the password itself), your subscription plan, and the ticker(s) on your watchlist. That's the full extent of personal data tied to your login.

🚫 What we never store

We do not store credit card or bank account numbers anywhere in our systems. Checkout, billing, and card storage are handled entirely by Stripe (see Payments below) — AxonIR's servers never receive or touch full card data.

📄 The data we analyze is public

The core of the AxonIR Score — SEC filings, EDGAR metadata, trading volume, press releases, public social mentions — is public-record and public-market data by nature. We are not a custodian of material non-public information, and the product does not require or accept any.

🗄️ Where it lives

Application data (accounts, watchlists, scoring results) is stored in Cloudflare D1 (SQL) and Cloudflare KV (key-value cache), both operated by Cloudflare within its infrastructure — we don't run our own database servers.

Transport, storage, and session security

🔒 Encryption in transit

All traffic to axonir.ai and our API is served over TLS at the Cloudflare edge. Every request — page loads, logins, API calls — is encrypted end-to-end between your browser and our servers.

🔑 Password hashing

Passwords are never stored in plain text. We use PBKDF2 with SHA-256 and a unique random salt per user — an industry-standard, one-way password hashing approach. A leaked database does not expose plain-text passwords.

🎫 Session authentication

Logged-in sessions use signed JWTs (HMAC-SHA256), scoped per account, with expiration built into every token. We also support token-version revocation — resetting your password invalidates any tokens issued before the reset, not just the ones you happen to be using.

🧱 Per-account isolation

Every API request is authenticated and scoped to the requesting account's own data (your watchlist, your reports, your plan). There is no shared or pooled customer data surface between accounts.

🛡️ Baseline security headers

Our API responses set standard hardening headers — X-Content-Type-Options: nosniff, X-Frame-Options: DENY, a restrictive Content-Security-Policy, and Referrer-Policy: strict-origin-when-cross-origin — on every response.

☁️ Infrastructure provider

AxonIR is built entirely on Cloudflare (Pages, Workers, D1, KV). Cloudflare's platform is independently certified to SOC 2 Type II, ISO 27001, and other frameworks — those certifications belong to Cloudflare as our infrastructure provider, not to AxonIR itself.

SOC 2 Type II — Cloudflare (infra), not AxonIRISO 27001 — Cloudflare (infra), not AxonIR

We never touch your card number

All checkout, subscription billing, and payment method storage are handled by Stripe. When you subscribe, you're entering your card details directly into Stripe's hosted checkout — that data goes to Stripe, not to AxonIR's servers. We receive only a subscription status and a Stripe customer/subscription reference, which is what lets your account reflect your plan.

Stripe is a PCI-DSS Level 1 certified payment processor. That certification is Stripe's, covering the payment flow — it does not mean AxonIR itself is PCI-certified, and because we never receive full card data, we are outside the scope of PCI-DSS as a merchant beyond following Stripe's integration requirements.

PCI-DSS — Stripe (payment processor), not AxonIR directly

Found a problem? Tell us.

If you believe you've found a security vulnerability in AxonIR, please report it to . Include enough detail to reproduce the issue — we're a small team and will investigate directly.

We ask that you give us reasonable time to address a confirmed issue before any public disclosure, and that you avoid accessing, modifying, or exfiltrating data beyond what's needed to demonstrate the vulnerability. We don't currently run a paid bug bounty program.

Planned, not yet in place

As AxonIR grows past its early stage, the following are on our roadmap. None of these are in place today — we're flagging them here so evaluators know what to expect, and when to ask again.

Third-party penetration test

A formal, external pen test has not yet been commissioned.

Planned

SOC 2 Type II evaluation

We do not hold a SOC 2 report today. A formal evaluation is a future consideration as the customer base and data footprint grow.

Roadmap

Formal incident response program

We currently handle security issues directly and promptly as a small team; a documented, staffed IR process is not yet formalized.

Planned

Compliance disclaimer: AxonIR is a pre-launch, early-stage, founder-operated SaaS product. We do not hold SOC 2, ISO 27001, HIPAA, or PCI-DSS certification, and nothing on this page should be read as a claim otherwise. Where we reference these frameworks above, we are describing certifications held by our infrastructure or payment vendors (Cloudflare, Stripe), not by AxonIR. This page describes our practices as of the date below and is not a warranty, contractual commitment, or legal representation. For vendor security questionnaires or DPAs, contact [email protected].

Have a security questionnaire to send us?

We're a small team and answer these directly — send it to [email protected] and we'll get back to you with specifics.

Email [email protected] About AxonIR