Security & Trust
AxonIR is an early-stage, founder-run platform. We don't hold enterprise security certifications, and we won't claim ones we don't have. What follows is a specific, current description of the data we collect, how it's protected, and what we're still building toward — so a procurement or security reviewer can evaluate us on facts, not marketing.
This page will be updated as our program matures. If anything here becomes inaccurate, treat that as a bug — email [email protected] and we'll correct it.
Data Handling
To operate an account, we store: your email address, a salted PBKDF2 hash of your password (never the password itself), your subscription plan, and the ticker(s) on your watchlist. That's the full extent of personal data tied to your login.
We do not store credit card or bank account numbers anywhere in our systems. Checkout, billing, and card storage are handled entirely by Stripe (see Payments below) — AxonIR's servers never receive or touch full card data.
The core of the AxonIR Score — SEC filings, EDGAR metadata, trading volume, press releases, public social mentions — is public-record and public-market data by nature. We are not a custodian of material non-public information, and the product does not require or accept any.
Application data (accounts, watchlists, scoring results) is stored in Cloudflare D1 (SQL) and Cloudflare KV (key-value cache), both operated by Cloudflare within its infrastructure — we don't run our own database servers.
Encryption & Authentication
All traffic to axonir.ai and our API is served over TLS at the Cloudflare edge. Every request — page loads, logins, API calls — is encrypted end-to-end between your browser and our servers.
Passwords are never stored in plain text. We use PBKDF2 with SHA-256 and a unique random salt per user — an industry-standard, one-way password hashing approach. A leaked database does not expose plain-text passwords.
Logged-in sessions use signed JWTs (HMAC-SHA256), scoped per account, with expiration built into every token. We also support token-version revocation — resetting your password invalidates any tokens issued before the reset, not just the ones you happen to be using.
Every API request is authenticated and scoped to the requesting account's own data (your watchlist, your reports, your plan). There is no shared or pooled customer data surface between accounts.
Our API responses set standard hardening headers — X-Content-Type-Options: nosniff, X-Frame-Options: DENY, a restrictive Content-Security-Policy, and Referrer-Policy: strict-origin-when-cross-origin — on every response.
AxonIR is built entirely on Cloudflare (Pages, Workers, D1, KV). Cloudflare's platform is independently certified to SOC 2 Type II, ISO 27001, and other frameworks — those certifications belong to Cloudflare as our infrastructure provider, not to AxonIR itself.
Payments
All checkout, subscription billing, and payment method storage are handled by Stripe. When you subscribe, you're entering your card details directly into Stripe's hosted checkout — that data goes to Stripe, not to AxonIR's servers. We receive only a subscription status and a Stripe customer/subscription reference, which is what lets your account reflect your plan.
Stripe is a PCI-DSS Level 1 certified payment processor. That certification is Stripe's, covering the payment flow — it does not mean AxonIR itself is PCI-certified, and because we never receive full card data, we are outside the scope of PCI-DSS as a merchant beyond following Stripe's integration requirements.
Responsible Disclosure
If you believe you've found a security vulnerability in AxonIR, please report it to [email protected]. Include enough detail to reproduce the issue — we're a small team and will investigate directly.
We ask that you give us reasonable time to address a confirmed issue before any public disclosure, and that you avoid accessing, modifying, or exfiltrating data beyond what's needed to demonstrate the vulnerability. We don't currently run a paid bug bounty program.
What We're Building Toward
As AxonIR grows past its early stage, the following are on our roadmap. None of these are in place today — we're flagging them here so evaluators know what to expect, and when to ask again.
A formal, external pen test has not yet been commissioned.
We do not hold a SOC 2 report today. A formal evaluation is a future consideration as the customer base and data footprint grow.
We currently handle security issues directly and promptly as a small team; a documented, staffed IR process is not yet formalized.
Compliance disclaimer: AxonIR is a pre-launch, early-stage, founder-operated SaaS product. We do not hold SOC 2, ISO 27001, HIPAA, or PCI-DSS certification, and nothing on this page should be read as a claim otherwise. Where we reference these frameworks above, we are describing certifications held by our infrastructure or payment vendors (Cloudflare, Stripe), not by AxonIR. This page describes our practices as of the date below and is not a warranty, contractual commitment, or legal representation. For vendor security questionnaires or DPAs, contact [email protected].