// SECURITY

Security & Breach Notification

Axiom Analytics Labs LLC·Effective June 25, 2026·State of California, United States

How Axiom Analytics Labs LLC protects the certificate platform and the data you entrust to it, how to report a vulnerability, and our breach-notification commitment.

1. Cryptographic integrity

  • Every released COA is sealed with Ed25519 over a SHA-384 digest of a canonical payload, plus per-signatory signatures (lab analyst, technical reviewer, lab director).
  • All public keys are published as a JWKS at /.well-known/jwks.json; the exact signing recipe and a test vector are published as well, so anyone can verify authenticity and integrity offline without trusting Axiom.
  • Revocation and amendment are first-class: a pulled certificate reports state=revoked (verified:false) and fires a coa.revoked webhook, so relying parties can downgrade in real time.

2. Transport and application security

  • HTTPS everywhere with HSTS; X-Content-Type-Options, Referrer-Policy, and a framing CSP (frame-ancestors) on all responses.
  • The embed surface is sandboxable: it needs only sandbox="allow-scripts" and resizes via postMessage — integrators do not need to grant allow-same-origin.
  • Public read endpoints are rate limited per IP with standard RateLimit-*/Retry-After headers.
  • The public payload is minimized: internal notes, validation notes, and internal identifiers are not exposed.

3. Data protection at rest and in transit

  • API keys are hashed at rest (better-auth) and presented only once at creation.
  • Webhook signing secrets are encrypted at rest with AES-256-GCM.
  • Outbound webhook delivery is SSRF-guarded (https-only, DNS-resolved, private/loopback/link-local ranges rejected, no redirects, hard timeout) and HMAC-SHA256 signed.
  • Private artifact storage (vial photos, logos) is served via short-lived presigned URLs, never public object URLs.

4. Reporting a vulnerability

Please report suspected vulnerabilities to legal@axiomanalyticslab.com. We aim to acknowledge within 2 business days and to provide a remediation timeline after triage. Please give us a reasonable opportunity to remediate before public disclosure; we will not pursue good-faith research that respects user privacy and avoids service disruption.

5. Breach notification

If Axiom becomes aware of a security incident that compromises the confidentiality, integrity, or availability of your data, we will notify affected clients without undue delay and within 72 hours of confirmation, including (to the extent known): the nature and scope of the incident, the categories and approximate volume of data affected, the likely consequences, and the measures taken or proposed. Updates follow as the investigation progresses.

6. Contact

Axiom Analytics Labs LLC · legal@axiomanalyticslab.com

Questions about this document? Contact legal@axiomanalyticslab.com.