Compliance & Security
GDPR compliance, audit logging, multi-tenant isolation, and data residency.
Overview
Axiomatic is designed for SOC 2 Type II certification and GDPR compliance. The platform provides multi-tenant data isolation, tamper-evident audit logging, field-level encryption, and configurable data residency.
Multi-Tenant Isolation
Every tenant receives a dedicated, isolated database. Your data never shares storage with other tenants.
Key properties:
- Database-per-tenant — each tenant gets its own Postgres database
- Row-level security — defense-in-depth policies prevent cross-entity data access within a tenant
- Request routing — every API request is verified and routed to the correct tenant database
- Access control — team members can only access tenants they've been explicitly granted access to
GDPR Compliance
Data Export (Right of Access — Article 15)
Request a full export of all entity data, including decrypted financial records and personal information. All exports are logged as compliance events.
POST /api/compliance/data-export
{ "entityId": "your-entity-id" }
Data Erasure (Right to Erasure — Article 17)
Request anonymization or erasure of entity data. Two modes are available:
- User mode — anonymizes the user's personal information
- Tenant mode — destroys the entity's encryption key, rendering all encrypted data permanently unrecoverable, and anonymizes all PII
POST /api/compliance/data-erasure
{ "entityId": "your-entity-id", "mode": "user" }
Cryptographic erasure satisfies Article 17 while preserving ledger integrity — journal entries still exist and balance, but contain only undecryptable ciphertext.
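The following is an added example, not Axiomatic's code, showing why tenant-mode erasure works: journal rows stay in place and still balance, but once the tenant's data encryption key is gone, every encrypted field is unreadable. It assumes one key per tenant, that monetary amounts are kept in clear so the ledger can be checked, and that the free-text memo is the field-level-encrypted part. The cipher is a stdlib-only toy (HMAC-SHA256 as a PRF in counter mode, plus an HMAC tag) so the example runs offline; a real system would use AES-GCM from a vetted library.

```python
"""Cryptographic erasure of a tenant's encrypted fields (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def encrypt_field(key: bytes, plaintext: str) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    data = plaintext.encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_field(key: bytes, blob: bytes) -> str:
    """Verify the tag first; a wrong or missing key can never yield plaintext."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()


def can_decrypt(key: bytes, blob: bytes) -> bool:
    try:
        decrypt_field(key, blob)
        return True
    except ValueError:
        return False


@dataclass
class JournalLine:
    account: str
    debit: int        # minor currency units, kept in clear so the ledger can balance
    credit: int
    memo_ct: bytes    # encrypted memo (may contain personal data)


@dataclass
class Tenant:
    tenant_id: str
    key: Optional[bytes]                      # None once cryptographically erased
    journal: List[JournalLine] = field(default_factory=list)

    def post(self, account: str, debit: int, credit: int, memo: str) -> None:
        if self.key is None:
            raise PermissionError("tenant key destroyed; no further writes")
        self.journal.append(JournalLine(account, debit, credit, encrypt_field(self.key, memo)))

    def read_memo(self, line: JournalLine) -> str:
        if self.key is None:
            raise LookupError(f"tenant {self.tenant_id}: key destroyed, memo unrecoverable")
        return decrypt_field(self.key, line.memo_ct)

    def is_balanced(self) -> bool:
        return sum(l.debit for l in self.journal) == sum(l.credit for l in self.journal)

    def cryptographic_erase(self) -> int:
        """Destroy the key only; journal rows are left untouched. Returns rows retained."""
        self.key = None   # assumption: a real system also deletes the key from its KMS
        return len(self.journal)


def demo() -> dict:
    # Constructed sample tenant with one balanced two-line journal entry.
    t = Tenant("tenant-demo", secrets.token_bytes(32))
    t.post("Cash", 10_000, 0, "Invoice 42 paid by Alice Example")
    t.post("Revenue", 0, 10_000, "Invoice 42 paid by Alice Example")
    memo_before = t.read_memo(t.journal[0])
    t.cryptographic_erase()
    try:
        t.read_memo(t.journal[0])
        memo_after = "readable"
    except LookupError:
        memo_after = "unrecoverable"
    return {"memo_before": memo_before, "memo_after": memo_after,
            "balanced": t.is_balanced(), "rows": len(t.journal)}


if __name__ == "__main__":
    print(demo())
```

The check worth keeping from this is `is_balanced()` still returning true after `cryptographic_erase()`: the erasure touches no journal row, so accounting totals and row counts are unchanged while every memo is now ciphertext with no key anywhere to open it.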
Consent Management (Article 7)
Track consent grants and revocations for data processing purposes:
- Data processing
- AI analysis
- Marketing
- Analytics
- Third-party sharing
POST /api/compliance/consent
{ "purpose": "AI_ANALYSIS", "granted": true, "tenantId": "your-tenant-id" }
All consent actions are recorded with timestamps for audit purposes.
Audit Logging
Axiomatic maintains a tamper-evident audit log using cryptographic hash chaining. Each log entry includes a SHA-256 hash computed from the entry content and the previous entry's hash, creating a verifiable chain.
This means:
- Any modification to a past log entry breaks the hash chain
- Chain integrity can be verified at any time
- All significant actions are recorded: data access, modifications, exports, erasures, and administrative changes
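An added example (not the platform's implementation) of the hash chaining described above: each entry's SHA-256 digest covers its canonical JSON content plus the previous entry's digest, and `verify()` walks the chain from a fixed genesis value. The entry field names (`actor`, `action`, `target`) and the sample events are assumptions for illustration. It also shows the one thing chaining alone does not catch, dropping entries from the tail, and the usual remedy of anchoring the head hash outside the log.

```python
"""Hash-chained, tamper-evident audit log (constructed example)."""
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64   # prev_hash of the very first entry


def canonical(content: dict) -> bytes:
    # Sorted keys and fixed separators: the digest must not depend on key order or whitespace.
    return json.dumps(content, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(content: dict, prev_hash: str) -> str:
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(content))
    return h.hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, **content) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        rec = {"seq": len(self.entries), "content": content, "prev_hash": prev,
               "hash": entry_hash(content, prev)}
        self.entries.append(rec)
        return rec

    def verify(self) -> Optional[int]:
        """Return the index of the first inconsistent entry, or None if the chain is intact."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["prev_hash"] != prev or rec["hash"] != entry_hash(rec["content"], prev):
                return i
            prev = rec["hash"]
        return None

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS


def build_sample_log() -> AuditLog:
    # Constructed events; no timestamps so the demo is deterministic.
    log = AuditLog()
    log.append(actor="alice@example.com", action="DATA_EXPORT", target="entity-123")
    log.append(actor="bob@example.com", action="CONSENT_REVOKED", target="purpose:MARKETING")
    log.append(actor="system", action="DATA_ERASURE", target="entity-123", mode="tenant")
    return log


def demo() -> dict:
    log = build_sample_log()
    anchor = log.head()            # publish this value outside the database
    intact = log.verify() is None

    # 1. Edit a past entry: its stored hash no longer matches its content.
    log.entries[1]["content"]["actor"] = "mallory@example.com"
    tampered_at = log.verify()

    # 2. Recompute only that entry's hash: the next entry's prev_hash now disagrees.
    e1 = log.entries[1]
    e1["hash"] = entry_hash(e1["content"], e1["prev_hash"])
    rehash_detected_at = log.verify()

    # 3. Drop the newest entry: the shorter chain is still self-consistent, so only a
    #    comparison against the externally anchored head reveals the truncation.
    trunc = build_sample_log()
    trunc.entries.pop()
    truncation_silent = trunc.verify() is None
    anchor_mismatch = trunc.head() != anchor

    return {"intact": intact, "tampered_at": tampered_at,
            "rehash_detected_at": rehash_detected_at,
            "truncation_silent": truncation_silent, "anchor_mismatch": anchor_mismatch}


if __name__ == "__main__":
    print(demo())
```

The design point is in `canonical()`: if two writers serialize the same content with different key order or spacing, honest entries will fail verification, so the encoding the hash covers must be fixed and documented. The truncation case is why integrity checks should compare the latest chain hash with a copy held somewhere the database writer cannot reach.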
Data Residency
You can specify where your data is stored geographically:
- US East (us-east-2)
- EU West (eu-west-1)
- Asia Pacific (ap-southeast-1)
Your database is provisioned in the chosen region, and cross-border data transfers are logged as compliance events.
POST /api/compliance/residency
{
"tenantId": "your-tenant-id",
"requiredRegion": "eu-west-1",
"legalBasis": "GDPR Article 46 — Standard Contractual Clauses"
}
Session Security
- Sessions expire after 8 hours of inactivity
- All authentication tokens have matching expiration
- Automated access reviews flag inactive users (90+ days without activity)
Tenant Lifecycle
| Phase | What Happens |
|---|---|
| Signup | User account created, dedicated database provisioned in chosen region |
| Active | Normal operation — all API routes resolve to your isolated database |
| Team growth | Invited team members get scoped access to specific entities |
| Suspension | Read-only mode — no new data can be written |
| Offboarding | Data export → encryption key destruction → database deletion |
Every lifecycle event is recorded in the compliance log.