Last updated: January 2025

🛡️ Overview

At Axilöck, security is fundamental to everything we do. As a company dedicated to preventing secret leaks and protecting sensitive data, we hold ourselves to the highest security standards.

Our Security Commitment

  • Protect customer data with enterprise-grade security controls
  • Maintain transparency about our security practices
  • Continuously improve our security posture
  • Respond promptly to security incidents and vulnerabilities

Zero-Trust Architecture

Axilöck operates on a zero-trust security model, where every access request is verified, encrypted, and monitored regardless of location or user credentials.

🔐 Data Security

Encryption

  • Data at Rest: All data is encrypted using AES-256 encryption
  • Data in Transit: TLS 1.2 encryption for all communications
  • Database Encryption: Full database encryption with rotating keys
  • Backup Encryption: All backups are encrypted and stored securely

Data Processing

  • Local processing: Code analysis happens on user machines when possible
  • Minimal data collection: We only collect data necessary for service functionality
  • Secure deletion: Data is securely deleted when no longer needed
  • Data segregation: Customer data is logically separated and isolated

Secret Detection Privacy

Axilöck's secret detection runs locally on your machine. Your source code never leaves your environment unless you explicitly choose cloud-based scanning.

🏗️ Infrastructure Security

Cloud Security

  • Multi-cloud architecture across AWS, Google Cloud, and Azure
  • Infrastructure as Code (IaC) with security scanning
  • Network segmentation and VPC isolation
  • Web Application Firewall (WAF) protection
  • DDoS protection and rate limiting

Security Monitoring

  • 24/7 security monitoring and alerting
  • Intrusion detection and prevention systems
  • Real-time threat intelligence integration
  • Comprehensive audit logging
  • Automated security scanning and vulnerability assessment

Container Security

  • Container image scanning for vulnerabilities
  • Runtime security monitoring
  • Minimal base images and regular updates
  • Kubernetes security hardening

🔑 Access Controls

Employee Access

  • Multi-factor authentication (MFA) required for all accounts
  • Role-based access control (RBAC) following the principle of least privilege
  • Regular access reviews and deprovisioning
  • Hardware security keys for high-privilege accounts
  • Session monitoring and timeout policies

Customer Access

  • Single Sign-On (SSO) integration support
  • API key management with rotation capabilities
  • Granular permission controls
  • Session security and timeout management

Production Access

  • Just-in-time access for production systems
  • All production access logged and monitored
  • Separate development and production environments
  • Emergency access procedures with full audit trails

🔍 Vulnerability Management

Vulnerability Disclosure Program

  • Responsible disclosure process for security researchers
  • Bug bounty program for eligible vulnerabilities
  • Clear communication channels for security reports
  • Safe harbor provisions for ethical security research

Vulnerability Assessment

  • Regular penetration testing by third-party security firms
  • Automated vulnerability scanning of all systems
  • Code security reviews and static analysis
  • Dependency scanning for third-party libraries

Remediation Process

  • Critical vulnerabilities patched within 24 hours
  • High-severity issues addressed within 72 hours
  • Regular security updates and patch management
  • Post-remediation verification and testing

🚨 Incident Response

Incident Response Team

  • Dedicated security incident response team
  • 24/7 incident response capability
  • Clear escalation procedures and communication protocols
  • Regular incident response training and simulations

Response Timeline

  • Detection: Real-time monitoring and alerting
  • Assessment: Initial triage within 30 minutes
  • Containment: Immediate action to prevent spread
  • Communication: Customer notification within 4 hours for material incidents
  • Recovery: Service restoration with full monitoring
  • Post-Incident: Root cause analysis and improvement plans

Customer Communication

In the event of a security incident that may affect customer data, we commit to transparent and timely communication through our status page and direct customer notifications.

🔒 Data Privacy

Privacy by Design

  • Minimal data collection and retention policies
  • Purpose limitation for data processing
  • Customer data portability and deletion rights
  • Transparent privacy practices and policies

Data Subject Rights

  • Right to access personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to data portability
  • Right to restrict processing

Data Retention

  • Clear data retention schedules
  • Automatic deletion of expired data
  • Customer-controlled data retention settings
  • Secure disposal of physical media

Security Questions?

Have questions about our security practices or need to report a security issue? Our security team is here to help.
