Axari Data Security & Privacy Practices
Effective: 5 November 2025
This document describes Axari’s current data security and privacy practices and is provided for transparency purposes. It does not create contractual obligations unless expressly incorporated into a written agreement. Capitalized terms not defined here have the meanings set forth in Axari’s Terms of Service.
1. Purpose
This policy defines how Axari Technologies, Inc. (“Axari,” “we,” “us”) protects data across its platforms, services, and internal operations.
It outlines the technical and organizational safeguards used to protect:
- Customer data
- Internal business data
- Logs, telemetry, and AI artifacts (including prompts, context, outputs, and embeddings)
2. Scope
This policy applies to:
- Axari’s products, APIs, agentic workflows, and hosted services
- Axari-controlled production, staging, and development environments
- Axari employees, contractors, and approved partners with access to Axari systems
3. Data Classification
Axari classifies data into the following categories:
- Public
  - Marketing pages, public documentation, and blog content.
  - No restrictions, subject to internal review and approval.
- Internal
  - Internal communications, internal documentation, and non-public roadmaps.
  - Shared only within Axari unless explicitly approved.
- Confidential
  - Customer configuration data, user accounts, non-public business data, contracts, and billing information.
  - Access is restricted to authorized personnel on a need-to-know basis.
- Highly Confidential
  - Customer secrets (e.g., API keys, tokens), sensitive prompts and context, vulnerability data, credentials, and encryption keys.
  - Protected using the strongest controls, including encryption, strict access controls, and audit logging.
Each Axari system and data store maps its data to one of these categories.
4. Core Data Handling Principles
- Least Privilege & Need-to-Know
  - Access is granted only when required for a role and removed when no longer needed.
  - Default access is denied unless explicitly approved.
- Environment Segregation
  - Production, staging, and development environments are logically separated.
  - Production data is not copied into non-production environments unless anonymized or pseudonymized and access is restricted and logged.
- Multi-Tenancy Isolation
  - Customer data is logically isolated at the application and data layers using tenant-aware controls.
  - Any cross-tenant access for support or debugging requires explicit authorization and is logged.
- Data Minimization
  - Axari collects and processes only the data necessary to deliver services and meet legal obligations.
  - Data collection and telemetry are periodically reviewed to remove unnecessary fields.
5. Data Storage & Encryption
- Encryption at Rest
  Confidential and Highly Confidential data is encrypted at rest using industry-standard encryption (e.g., AES-256), including managed cloud storage and databases.
- Encryption in Transit
  Data is encrypted in transit using TLS (TLS 1.2 or higher) for external and internal communications.
- Key Management
  Encryption keys are managed using industry-standard key management services.
  Access to keys is restricted and logged, and keys are rotated based on operational and security requirements.
6. Identity & Access Management
- Authentication
  Access to Axari systems uses strong authentication mechanisms (e.g., SSO, OAuth).
  Administrative access requires multi-factor authentication.
- Authorization
  Role-based access controls (RBAC) are applied across infrastructure, internal tools, and application administration.
- Access Lifecycle
  Access is provisioned on hire, modified on role change, and revoked upon departure.
  Critical access is periodically reviewed.
7. Application & Infrastructure Security
- Secure Development Practices
  - Code changes are peer-reviewed
  - CI/CD pipelines include automated security checks where appropriate
  - Secrets are stored in secure secret management systems, not in source code
- Vulnerability & Patch Management
  Systems and dependencies are patched based on risk and severity.
  Security findings are tracked and remediated according to internal priorities.
- Network Security
  Production systems are protected by network controls such as firewalls, security groups, and gateways.
  Administrative access is restricted and protected by secure channels.
- Logging & Monitoring
  Security-relevant events are logged and monitored.
  Logs are retained based on security, operational, and legal requirements and avoid storing full secrets.
8. Data Retention & Deletion
- Retention
  Data retention periods vary by data type and are informed by operational, legal, and contractual requirements.
- Deletion
  Upon contract termination or approved deletion requests:
  - Customer data is deleted or anonymized within defined timelines
  - Backups expire or are removed according to backup retention policies, where feasible
9. Backup & Recovery
Axari performs regular encrypted backups of critical systems.
Recovery objectives are defined internally, and restoration procedures are periodically tested.
10. Third-Party Services & Subprocessors
Axari uses third-party service providers to support its operations.
- Providers handling sensitive data undergo security review
- Data processing locations are documented
- Data Processing Agreements are executed where required
- Vendors are contractually required to notify Axari of relevant security incidents
11. Endpoint & Workspace Security
- Company-managed devices use disk encryption, secure authentication, and up-to-date operating systems
- Storing Highly Confidential data locally is discouraged
- Remote access to sensitive systems uses secure authentication and access controls
12. AI & Agentic Platform Security
Because Axari is an agentic AI platform, additional safeguards apply:
- Prompt & Context Isolation
  Each customer’s prompts, context, and outputs are logically isolated.
  Axari does not permit cross-tenant data mixing without explicit customer authorization.
- Tool & Credential Controls
  Access to external systems (e.g., email, ticketing, cloud tools) is scoped per tenant.
  Credentials are stored securely and are never logged.
- Model Training
  - By default, Axari does not use customer data to train foundation models unless:
    - The customer explicitly opts in, and
    - The use is documented and communicated
- Telemetry & Observability
  AI telemetry, logs, and feedback are treated as Confidential or Highly Confidential depending on content and are governed by the same safeguards as customer data.
13. Incident Response
Axari maintains an internal incident response process for detecting, investigating, and remediating security incidents.
If an incident involves customer data:
- Axari will notify affected customers without undue delay, consistent with legal and contractual requirements
- Root cause and corrective actions are documented and tracked
14. Roles & Responsibilities
- Founders / Security Owner: Own and maintain this policy
- Engineering: Implement and maintain technical controls
- Operations & Support: Follow access and escalation procedures
- All Personnel: Complete security awareness training and follow this policy
15. Review & Updates
This policy is reviewed periodically and updated as Axari’s services, systems, or regulatory obligations evolve. Any material changes will be reflected on this page.