Trust & security

Trust isn't a footnote. It's a feature.

Most AI content tools either skip provenance entirely or bury it in a help-doc. We made it core architecture: every asset signed, every output traced, every workspace isolated at the database layer.

C2PA-signed outputs

Every asset that ships through Axion Studio is signed via c2patool — Meta and TikTok read the signature; EU AI Act compliant out of the box. No additional configuration on your team's part.

IP indemnification (Enterprise)

We pass through the indemnification umbrellas from upstream providers (Vertex AI for Imagen / Veo / Gemini, Adobe for Firefly when used) and add our own ops-level coverage. Your legal team gets the full provenance chain for any asset that ships.

Workspace-scoped LoRAs

Postgres Row-Level Security on every domain table. Your LoRA, your reference set, your audit log can never leak to another workspace — it's enforced at the database layer, not just the application layer.

Training-data disclosure

Every asset gets a lineage record: which LoRA version, which prompt, which judge call, which reference photos contributed. Auditable, exportable, queryable from BigQuery.

Architecture

Built on Google Cloud, the boring secure way.

Cloud SQL Postgres 16
Private IP, automatic backups, PITR, query insights enabled. RLS on every domain table.
Secret Manager (GCP)
All API keys + tokens stored in Secret Manager. No secrets in code, env files in containers, or logs.
Multi-region (Phase 6)
us-central1 + europe-west1 dual-region by Week 16 for EU data-residency on Enterprise.
Identity Platform + Custom Claims
Firebase Auth with workspace_id custom claim. Server-side enforced; never trusted from the client.
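
One way to express the workspace isolation described above in Postgres Row-Level Security, as an added example that is not Axion Studio's own schema. The table `loras`, the setting name `app.workspace_id` and the UUIDs are assumptions made for illustration.

```sql
-- Hypothetical domain table; every row carries its owning workspace.
CREATE TABLE loras (
    id           uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    workspace_id uuid NOT NULL,
    name         text NOT NULL
);

-- ENABLE turns policies on; FORCE applies them to the table owner too.
-- Superusers and roles with BYPASSRLS still skip RLS, so the application
-- must connect as an ordinary role.
ALTER TABLE loras ENABLE ROW LEVEL SECURITY;
ALTER TABLE loras FORCE ROW LEVEL SECURITY;

-- Fail closed: an unset or empty setting becomes NULL, the comparison is
-- NULL, and no row is visible or writable.
CREATE POLICY workspace_isolation ON loras
    USING (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

-- Per request, the server copies workspace_id from the verified token claim
-- (never from a client-supplied field). is_local = true scopes the value to
-- this transaction, so a pooled connection cannot carry it to the next request.
BEGIN;
SELECT set_config('app.workspace_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO loras (workspace_id, name)
VALUES ('11111111-1111-1111-1111-111111111111', 'brand-a-v1');  -- constructed row
COMMIT;

-- A request from a different workspace (constructed UUID).
BEGIN;
SELECT set_config('app.workspace_id', '22222222-2222-2222-2222-222222222222', true);
-- The policy hides rows owned by other workspaces from this query.
SELECT name FROM loras;
-- Writing a row for another workspace is rejected by WITH CHECK.
INSERT INTO loras (workspace_id, name)
VALUES ('11111111-1111-1111-1111-111111111111', 'cross-tenant');
ROLLBACK;
```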

Compliance

Where we are today.

Honest accounting — published, not implied. We update this page when status changes.

  • SOC 2 Type 1: In scope — prep starts Week 15
  • C2PA provenance: Live in production
  • EU AI Act: Compliant via C2PA + AI-label metadata
  • GDPR / DPA: DPA signable on Agency tier and above
  • SCIM 2.0 provisioning: Live (Okta, Azure AD, Google Workspace)
  • SSO / SAML: Live (Enterprise tier)

Subprocessors list at /legal/subprocessors · DPA available on request via /contact

Reporting a vulnerability

Email security@axionminds.com. We acknowledge within one business day, triage within three, and disclose publicly via this page once a fix lands. We don't currently run a paid bug bounty but will credit you in the disclosure if you'd like.