Trust & Security

Security Practices

Security is foundational to everything we build. This page documents the technical and organizational measures we use to protect your data and the systems we build for you.

SOC 2 Readiness

Our security practices are aligned with the SOC 2 Trust Services Criteria (Security, Availability, Confidentiality, Privacy). While we have not yet undergone a formal SOC 2 audit, we follow the same principles and controls. If your organization requires specific compliance documentation, please contact us and we'll work with your team.

Encryption in Transit & at Rest

All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS). API keys, credentials, and sensitive configuration data are encrypted at rest. We never store passwords in plaintext.

Security Headers & Hardening

Every page served from axoxweb.com includes strict security headers: Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Strict-Transport-Security (HSTS), Referrer-Policy, and Permissions-Policy. We regularly scan our own site with WebSentry.

Infrastructure & Hosting

Our applications run on Cloudflare's global edge network with built-in DDoS protection, automatic SSL certificate management, and Web Application Firewall (WAF) rules. No single point of failure — traffic is distributed across 300+ data centers worldwide.

Access Controls

Access to production systems follows the principle of least privilege. All team members use multi-factor authentication (MFA). API keys are scoped per-service with automatic rotation policies. No shared credentials.

Data Minimization & Privacy

We collect only the data necessary to provide our services. Contact form submissions are retained for 12 months maximum. Analytics data is anonymized and auto-deleted after 14 months. We do not sell, trade, or share personal data with advertisers.

Incident Response

We maintain an incident response plan with defined severity levels and escalation procedures. In the event of a data breach, affected users will be notified within 72 hours in accordance with GDPR Article 33. Post-incident reviews are conducted to prevent recurrence.

Vendor & Third-Party Management

Third-party services (Cloudflare, Google Analytics) are vetted for security posture and data handling practices. All processors handling personal data operate under Data Processing Agreements (DPAs) with Standard Contractual Clauses for international transfers.

GDPR Compliance

We are fully GDPR compliant. Analytics cookies require explicit opt-in consent before activation. Users can exercise their rights (access, rectification, erasure, portability) by emailing us. Our complete privacy policy details all data practices.

Our Security Commitments

HTTPS/TLS encryption on all endpoints
HSTS with 1-year max-age and includeSubDomains
Content Security Policy (CSP) headers
No third-party cookies without explicit consent
Multi-factor authentication for all team access
Regular dependency audits and security patches
Principle of least privilege for system access
72-hour breach notification commitment
Data Processing Agreements with all vendors
Annual security self-assessments

Responsible Disclosure

If you discover a security vulnerability in any Axoxweb product or website, we encourage responsible disclosure. Please report it privately so we can address it before public disclosure.

Email: security@axoxweb.com

Response time: We acknowledge reports within 48 hours and aim to resolve critical issues within 7 days.

Scope: axoxweb.com, axoxhub.com, edgesubmit.com, websentry.dev, pxshot.dev, leadzap.dev