Axiomatic

Encryption

Field-level encryption protects all sensitive financial data, PII, and transaction payloads at rest.

Overview

Axiomatic encrypts all sensitive financial data at rest using AES-256-GCM, an authenticated encryption mode: every ciphertext carries an integrity tag, so a stored value that has been altered fails to decrypt instead of yielding corrupted plaintext. Data is encrypted before it reaches the database and decrypted only when accessed by authorized users. The database never stores plaintext for protected fields.

What's Encrypted

Axiomatic uses field-level encryption, meaning individual columns are encrypted rather than entire databases. Encrypted fields fall into four categories:

Secrets

  • Tax IDs
  • Bank access tokens and credentials

Personal Information (PII)

  • Contact names and email addresses
  • Social security numbers and EINs
  • Beneficiary details
  • Ownership percentages

Financial Amounts

All monetary values are encrypted, including:

  • Journal entry amounts and memos
  • Invoice and bill amounts
  • Payment amounts
  • Line item quantities and unit prices
  • Treasury balances
  • Capital activity amounts
  • NAV snapshots

Content

  • Event payloads (the full JSON body of each financial event)
  • AI conversation messages

How It Works

Axiomatic uses an envelope encryption scheme with two layers of keys:

  1. Master Key — a single key that protects all other keys. It is stored outside the database and is used only to wrap DEKs; it never encrypts your data directly.

  2. Data Encryption Keys (DEKs) — each entity gets its own unique encryption key. The DEK is encrypted (wrapped) by the Master Key before it is stored, so a copy of the database alone yields neither a usable key nor plaintext; an attacker would also need the Master Key.

When data is written:

  • The entity's DEK is retrieved and unwrapped in memory
  • Each sensitive field is encrypted under the DEK with a fresh random nonce (GCM's initialization vector); a nonce must never repeat under the same key, because reuse breaks both the confidentiality and the integrity guarantees of GCM
  • The ciphertext is stored in the database

When data is read:

  • The DEK is unwrapped and cached briefly in memory
  • Encrypted fields are decrypted transparently before being returned

Each encryption operation uses a fresh random nonce, so the same plaintext encrypts to different ciphertext every time; an attacker who reads the database cannot tell whether two encrypted values are equal. Because GCM is authenticated, a ciphertext that has been modified fails to decrypt rather than producing altered plaintext.

Searching Encrypted Data

Since encrypted fields can't be searched with standard database queries, Axiomatic uses blind indexes for searchable fields like journal memos. Each word in a memo is hashed and the hashes are stored alongside the encrypted memo; a query hashes the search term the same way and looks up matching rows, so whole-word search works without exposing the plaintext to the database. Because individual words are low-entropy, such an index only hides them if the hash is keyed with a secret the database never holds; an unkeyed hash of a word like "payroll" is one dictionary lookup away from the plaintext.

Limitations of blind index search:

  • Searches match whole words only (e.g. "payroll" matches, but "payro" does not)
  • No fuzzy or partial matching
  • Matching is case-insensitive
  • The index necessarily reveals which records share a word, and how common each word is; that equality leak is the trade-off that makes search over encrypted data possible
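The blind-index mechanism above, worked through as an added example in Go using only the standard library. This is illustrative code, not Axiomatic's implementation: the page says only that each word is hashed, so the choice of HMAC-SHA-256 under a dedicated index key, the 128-bit truncation of each token, and the tokenizer rules are assumptions of the example, and the memos are constructed sample data.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
	"unicode"
)

// indexKey is a constructed key for this example (assumption: a dedicated index key,
// separate from every data encryption key, held outside the database). A token is only
// as opaque as this key is secret; with it, an attacker can rebuild a dictionary of tokens.
var indexKey = []byte("example-blind-index-key-not-for-production")

// tokenize lower-cases the text and splits it on anything that is not a letter or digit.
// This is what gives whole-word, case-insensitive matching and nothing finer.
func tokenize(text string) []string {
	words := strings.FieldsFunc(strings.ToLower(text), func(r rune) bool {
		return !unicode.IsLetter(r) && !unicode.IsDigit(r)
	})
	seen := map[string]bool{}
	var out []string
	for _, w := range words {
		if !seen[w] {
			seen[w] = true
			out = append(out, w)
		}
	}
	return out
}

// blindToken is the value the database stores for one word: HMAC-SHA-256 of the word
// under the index key, truncated to 128 bits. Without the key the token cannot be
// reversed, even for a low-entropy word that a plain hash would give up to a wordlist.
func blindToken(key []byte, word string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(word))
	return hex.EncodeToString(mac.Sum(nil)[:16])
}

// BlindIndex maps a token to the set of record IDs whose memo contains that word.
// This is the side table stored next to the encrypted memos; it holds no plaintext.
type BlindIndex map[string]map[int]struct{}

func (bi BlindIndex) Add(id int, memo string) {
	for _, w := range tokenize(memo) {
		tok := blindToken(indexKey, w)
		if bi[tok] == nil {
			bi[tok] = map[int]struct{}{}
		}
		bi[tok][id] = struct{}{}
	}
}

// Search returns the sorted IDs whose memo contains the given whole word. The query is
// tokenized exactly like the memos, so "payro" yields a token that was never stored and
// matches nothing, and a multi-word query is rejected rather than partially matched.
func (bi BlindIndex) Search(word string) []int {
	ids := []int{}
	toks := tokenize(word)
	if len(toks) != 1 {
		return ids
	}
	for id := range bi[blindToken(indexKey, toks[0])] {
		ids = append(ids, id)
	}
	sort.Ints(ids)
	return ids
}

// sampleIndex indexes three constructed memos (not real ledger data).
func sampleIndex() BlindIndex {
	bi := BlindIndex{}
	bi.Add(1, "March payroll run")
	bi.Add(2, "Payroll tax remittance")
	bi.Add(3, "Office rent, March")
	return bi
}

func main() {
	bi := sampleIndex()
	fmt.Println(bi.Search("payroll"))            // [1 2]
	fmt.Println(bi.Search("payro"))              // []
	fmt.Println(bi.Search("MARCH"))              // [1 3]
	fmt.Println(blindToken(indexKey, "payroll")) // what the database actually stores
}
```

Note what the database learns even here: records 1 and 2 share a token, and that token is the most frequent one in the table. That equality and frequency information is inherent to a blind index; the key only prevents turning a token back into the word.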

Key Rotation

Keys can be rotated without downtime:

  • Master Key rotation — re-wraps all DEKs with the new Master Key. Since only the wrapping changes, encrypted data doesn't need to be re-encrypted.
  • DEK rotation — generates a new DEK for an entity and re-encrypts all of its data. Used if a key is suspected of being compromised.

Cryptographic Erasure

For data deletion requests (such as GDPR right-to-erasure), Axiomatic supports cryptographic erasure. Destroying an entity's DEK makes all encrypted data for that entity permanently unrecoverable without deleting individual database rows, which satisfies erasure requirements while preserving the structural integrity of the ledger. Erasure is only as complete as the destruction of the key: every copy of the wrapped DEK, including those in backups and key-store snapshots, must be destroyed, and any blind-index hashes derived from the erased records should be removed as well, since they are not protected by the DEK.
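The write and read paths from How It Works, Master Key rotation, and cryptographic erasure, worked through in one added example in Go using only the standard library. This is illustrative code, not Axiomatic's implementation: the in-memory KeyStore standing in for an external key holder, the nonce-prefixed ciphertext layout, the entity and field names used as GCM additional authenticated data (an addition the page does not describe), and the sample tax ID are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// seal encrypts plaintext with AES-256-GCM under a fresh random 96-bit nonce and prepends
// the nonce. aad is authenticated, not encrypted: here it binds a ciphertext to its entity
// and field (example's choice) so a stored row cannot be moved to another column unnoticed.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the GCM tag does not verify (wrong key, wrong aad, tampering).
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, fmt.Errorf("ciphertext too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { panic(err) }
	return k
}

// Entity is what the database holds for one tenant. Plaintext and unwrapped keys never appear.
type Entity struct {
	ID         string
	WrappedDEK []byte            // DEK encrypted under the master key; nil once erased
	Fields     map[string][]byte // field name -> ciphertext
}

type KeyStore struct{ master []byte } // stands in for the external holder of the master key

func (ks *KeyStore) NewEntity(id string) (*Entity, error) {
	e := &Entity{ID: id, Fields: map[string][]byte{}}
	var err error
	e.WrappedDEK, err = seal(ks.master, newKey(), []byte("dek:"+id))
	return e, err
}

func (ks *KeyStore) unwrap(e *Entity) ([]byte, error) { // the DEK exists only in memory
	if e.WrappedDEK == nil { return nil, fmt.Errorf("DEK destroyed: data cryptographically erased") }
	return open(ks.master, e.WrappedDEK, []byte("dek:"+e.ID))
}

func (ks *KeyStore) WriteField(e *Entity, name, value string) error {
	dek, err := ks.unwrap(e)
	if err != nil { return err }
	e.Fields[name], err = seal(dek, []byte(value), []byte(e.ID+"/"+name))
	return err
}

func (ks *KeyStore) ReadField(e *Entity, name string) (string, error) {
	dek, err := ks.unwrap(e)
	if err != nil { return "", err }
	pt, err := open(dek, e.Fields[name], []byte(e.ID+"/"+name))
	return string(pt), err
}

// RotateMaster re-wraps every live DEK under a new master key; field ciphertext is untouched.
func (ks *KeyStore) RotateMaster(entities []*Entity) error {
	next := newKey()
	for _, e := range entities {
		if e.WrappedDEK == nil { continue } // erased entity: nothing left to re-wrap
		dek, err := ks.unwrap(e)
		if err != nil { return err }
		if e.WrappedDEK, err = seal(next, dek, []byte("dek:"+e.ID)); err != nil { return err }
	}
	ks.master = next
	return nil
}

// Erase destroys the DEK. The ciphertext rows may stay for ledger integrity; nobody can open them.
func (ks *KeyStore) Erase(e *Entity) { e.WrappedDEK = nil }

func main() {
	ks := &KeyStore{master: newKey()}
	e, _ := ks.NewEntity("fund-001")
	_ = ks.WriteField(e, "tax_id", "12-3456789") // constructed sample value, not real data
	_ = ks.RotateMaster([]*Entity{e})
	fmt.Println(ks.ReadField(e, "tax_id")) // still readable after master key rotation
	ks.Erase(e)
	fmt.Println(ks.ReadField(e, "tax_id")) // empty string and the erasure error
}
```

DEK rotation is the one operation not shown: it follows the same shape as RotateMaster but must unwrap the old DEK, re-encrypt every field under a new one, and wrap the new DEK, so its cost scales with the entity's data rather than with the number of entities. In the example, Erase only drops the in-memory copy; in a real deployment the same wrapped DEK also lives in backups and key-store history, and erasure is not complete until those copies are gone too.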
