Security Control Matrix
Security reviewers usually need a direct answer before they read a compliance mapping: which concrete controls does AxonFlow provide, and which ones are not available yet?
This page is the control-first view. Compliance mappings come after the controls because a framework table is only credible when the underlying feature is explicit.
Control Summary
| Control area | Status | What AxonFlow provides | Primary docs |
|---|---|---|---|
| Tenant isolation | Provided where applicable | Hosted multi-tenant deployments use PostgreSQL Row-Level Security with FORCE ROW LEVEL SECURITY on customer-data tables. Self-hosted single-tenant deployments do not require the same isolation boundary unless AXONFLOW_DB_USE_APP_ROLE=true is enabled. | Trust Center |
| Customer-controlled deployment | Provided | Self-hosted and In-VPC deployment options where model calls and operational customer data stay inside the customer's boundary. | Deployment Mode Matrix |
| Telemetry opt-out | Provided | Heartbeat telemetry can be disabled in self-hosted deployments with AXONFLOW_TELEMETRY=off. | Telemetry |
| Encryption in transit | Provided | TLS for external traffic. Internal service traffic should run inside the deployment's private network boundary unless the customer adds service-mesh or internal TLS. | Trust Center |
| Encryption at rest | Provided with configuration | RDS encryption plus AES-256-GCM encryption for stored provider credentials when CONNECTOR_ENCRYPTION_KEY is configured. Production deployments should configure this key; development deployments can fall back to plaintext storage. | Trust Center |
| Secrets management | Provided | Production deployments typically source database credentials, provider keys, JWT secrets, and CONNECTOR_ENCRYPTION_KEY from AWS Secrets Manager or an equivalent customer-managed secret store. | Trust Center |
| Programmatic authentication | Provided | SDK and API traffic use Basic auth with tenant-scoped client credentials; plugin and license flows also use Ed25519-signed license keys. | SDK Authentication |
| Portal identity | Enterprise | Portal sessions use JWT-backed authentication; Enterprise adds SSO, SAML, SCIM, custom roles, and portal workflows for larger organizations. | Identity Overview |
| Runtime policy enforcement | Provided | PII detection, SQL injection scanning, custom policies, policy hierarchy, and enforcement actions. | Security Overview |
| HITL approvals | Evaluation / Enterprise | Approval queues and workflow pauses for policy decisions that require human review. | HITL Approval Gates |
| Audit evidence | Provided | Decision IDs, evaluated policies, verdicts, scoped identity, timestamps, and trace correlation. | Audit Logging |
| Evidence export | Evaluation / Enterprise | Structured exports for audit and compliance review. | Evidence Export |
| Policy simulation | Evaluation / Enterprise | Dry-run simulation and impact reports before policy rollout. | Policy Simulation |
| Source review | Provided | Source-available BSL 1.1 repository for implementation inspection; private enterprise materials are shared through the appropriate customer review path. | Community vs Enterprise |
| SOC 2 / ISO 27001 | Not certified yet | AxonFlow does not currently hold SOC 2 or ISO 27001 certification. | Trust Center |
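The tenant-isolation row is the one reviewers most often ask to see verified. The PostgreSQL snippet below is an added illustration, not AxonFlow's own schema: the table, policy and setting names (customer_records, tenant_isolation, app.tenant_id) are assumptions; it shows why FORCE ROW LEVEL SECURITY matters and the catalog query a reviewer can run to confirm both flags are set on every customer-data table.

```sql
-- Added example, not AxonFlow's schema: table, policy and setting names are assumptions.
CREATE TABLE customer_records (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    payload   jsonb NOT NULL
);

-- ENABLE alone is not enough: the table owner bypasses RLS unless FORCE is set.
-- Superusers and roles with BYPASSRLS still bypass it, so the application
-- should connect as an ordinary role, never as the owner or a superuser.
ALTER TABLE customer_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE customer_records FORCE ROW LEVEL SECURITY;

-- Scope reads and writes to the tenant carried in a per-session setting.
-- current_setting(..., true) yields NULL when the setting is absent, so an
-- unscoped session sees no rows instead of every tenant's rows.
CREATE POLICY tenant_isolation ON customer_records
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Application session: set the tenant scope, then query normally.
SET app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed sample id
SELECT id, payload FROM customer_records;  -- only that tenant's rows are visible

-- Reviewer check: relrowsecurity AND relforcerowsecurity must both be true
-- for each customer-data table; any false here is a finding.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class
WHERE relname = 'customer_records';
```

Run the last query against every table the deployment classifies as customer data, and confirm the connecting database role is neither the table owner nor marked BYPASSRLS.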
Security Review Evidence To Collect
For a serious security review, collect evidence in this order:
- Deployment mode and data boundary: self-hosted, In-VPC, Community SaaS, Evaluation, or Enterprise.
- Authentication model: SDK credentials, portal SSO, SCIM provisioning, and admin-key separation.
- Policy surfaces: system policies, tenant policies, custom policies, and override permissions.
- Runtime surfaces: gateway mode, proxy mode, WCP, MAP, MCP governance, or Decision Mode.
- Audit trail: decision IDs, trace IDs, evaluated policies, retention, and export path.
- Telemetry settings: whether heartbeat telemetry is enabled or disabled.
- Certification posture: current absence of SOC 2 and ISO 27001, plus compensating review options such as source inspection and customer-controlled deployment.
How To Use This Matrix
Use this matrix before filling out a questionnaire. It keeps answers grounded in product behavior instead of broad compliance language.
For example:
- If a questionnaire asks whether AxonFlow is SOC 2 certified, answer no.
- If it asks whether customer data can stay inside the customer's infrastructure, answer based on deployment mode.
- If it asks whether audit evidence exists, point to decision IDs, evaluated policies, scoped identity, retention, and export behavior.
- If it asks whether AxonFlow is a compliance certification product, answer no; it provides controls and evidence that support a compliance program.
