Trust Center
Everything a security buyer needs, in one place
Live service health, our compliance posture and control mappings, where your data lives, and the agreements to close a deal. A security product should prove its claims, so here is the evidence.
Some checks are degraded
Enterprise carries a 99.9% monthly uptime SLA with service credits. The status page has live per-component health and 90 days of history.
Compliance and frameworks
Governed activity is mapped to both the security frameworks a buyer audits against and the AI-governance standards regulators are writing. Every workspace can export an offline-verifiable evidence bundle.
EU AI Act
Article-level mapping for high-risk AI system obligations, with an exportable readiness pack.
NIST AI RMF
Govern, Map, Measure, and Manage functions evidenced by your live governance configuration.
ISO/IEC 42001
AI management-system controls for operation, logging, human oversight, and data-flow control.
Australia AI6
The six-principle voluntary AI safety standard, mapped to accountability and transparency controls.
SOC 2 and ISO 27001 control map
Each evidence-bundle artifact, mapped to the SOC 2 Trust Services Criteria and ISO/IEC 27001:2022 Annex A controls it helps evidence.
| Artifact | What it shows | SOC 2 | ISO 27001 |
|---|---|---|---|
| maturity/scorecard.* | Zero-Trust posture across identity, policy, response, audit | CC1.x, CC4.x | 5.1, 5.36 |
| integrity/signed-tree-head.json, checkpoints.json | Tamper-evident, append-only audit log sealed into a signed Merkle ledger | CC7.2, CC7.3 | 8.15, 8.16 |
| integrity/jwks.json | Public keys to verify the ledger signatures without trusting AxioRank | CC7.1 | 8.15 |
| governance/config.json | The enforced policy, detector, and response configuration as code | CC6.1, CC6.3 | 8.2, 8.3, 8.4 |
| access/access-review.json | Members, roles, MFA and SSO enforcement (access review) | CC6.1, CC6.2, CC6.3 | 5.15, 5.16, 5.18, 8.5 |
| retention/retention-and-siem.json | Data-retention policy and SIEM streaming destinations | CC7.2, C1.x | 8.15, 5.33 |
| activity/decision-summary.json | Governed-call decisions over the period (allow / deny / hold) | CC7.2 | 8.16 |
Our SOC 2 Type II engagement is in progress; the report will be available under NDA. Mappings speed the audit review; they are not a certification.
Provable security posture
Every governed decision seals into a tamper-evident Merkle ledger you can verify offline. SAML SSO, enforced MFA, role-based access, and scoped keys are built in.
Data and subprocessors
AxioRank runs on SOC 2 Type II attested providers (Vercel, Supabase). Data is encrypted in transit and at rest, with deny-by-default row-level isolation per workspace. Customer data is stored in the United States.
Agreements and legal
Our DPA covers GDPR Article 28, UK GDPR, and Swiss FADP, with Standard Contractual Clauses for international transfers, plus a documented SLA.
Need a questionnaire completed or a report under NDA?
Security reviews, vendor questionnaires, the SOC 2 report, and penetration-test summaries are available to customers and prospects on request. Email agents@axiorank.com.