Security at LendAxiom.

Loan officers handle borrower PII every day. Here is exactly what we do to keep that data isolated, encrypted, audited, and recoverable.

Encryption

Every connection between your browser, our API, and the database runs over TLS 1.2+. Database storage is encrypted at rest by DigitalOcean's managed Postgres service. Sensitive integration credentials (Twilio auth tokens, SendGrid API keys, Google OAuth refresh tokens) are stored in the settings table; the application layer hashes any credential value flagged sensitive before it lands in the audit log.

Multi-tenant isolation

Every database query in the application filters by your organization_id. That filter is enforced at the repository layer, not at the route layer, so a route bug cannot accidentally leak another tenant's data. We run a dedicated test suite that tries every endpoint with org A's session and org B's identifiers and asserts every attempt fails. New endpoints get added to that suite as part of code review.

Audit logging

Every business operation an AI agent or admin tool runs goes through an action layer that writes a row to action_audit_log with the actor, the action, the target, the result, and a correlation ID that ties the row back to the original request. That gives us a single source of truth for "what happened in this org" that we can query during support requests or incident reviews.

Migration safety

A migration drift guard runs at every server boot and at every deploy gate. It refuses to start the server if a previously-applied migration's content hash has changed, which catches the "I edited a migration after it shipped" footgun before it touches production data.
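
A drift guard of the kind described above can be sketched as follows. This is an added example, not LendAxiom's code: the function names, the ledger layout, the line-ending normalisation, and the choice to treat a missing file as drift are all assumptions, and the sample migrations are constructed.

```python
import hashlib


class MigrationDriftError(RuntimeError):
    """An already-applied migration no longer matches its recorded hash."""


def content_hash(sql: str) -> str:
    # Assumption: normalise line endings so a CRLF checkout is not seen as an edit.
    return hashlib.sha256(sql.replace("\r\n", "\n").encode("utf-8")).hexdigest()


def find_drift(applied: dict, on_disk: dict) -> list:
    """Return names of applied migrations whose content changed or vanished.

    applied: migration name -> hash recorded when the migration was applied
    on_disk: migration name -> current file content
    """
    drifted = []
    for name, recorded in sorted(applied.items()):
        current = on_disk.get(name)
        # Assumption: a deleted file is treated the same as an edited one.
        if current is None or content_hash(current) != recorded:
            drifted.append(name)
    return drifted


def boot_guard(applied: dict, on_disk: dict) -> list:
    """Refuse to continue on drift; otherwise return the pending migrations."""
    drifted = find_drift(applied, on_disk)
    if drifted:
        raise MigrationDriftError("applied migrations changed: " + ", ".join(drifted))
    # New files that were never applied are not drift, they are simply pending.
    return sorted(set(on_disk) - set(applied))


# Constructed sample data: two shipped migrations and the ledger recorded for them.
SHIPPED = {
    "001_create_leads.sql": "CREATE TABLE leads (id serial PRIMARY KEY);\n",
    "002_add_org_id.sql": "ALTER TABLE leads ADD COLUMN organization_id int NOT NULL;\n",
}
LEDGER = {name: content_hash(sql) for name, sql in SHIPPED.items()}
```

Calling boot_guard at server start and again at the deploy gate means an edited migration stops the process before any schema change runs.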

Backups and rollback

A pre-deploy database backup runs on the production droplet before every deploy. If a deploy goes wrong we have a documented rollback procedure and a tested restore path. We have used it.

Data deletion

You can delete any lead, conversation, or user from your workspace at any time. Cancelling your subscription archives your workspace data; on request we will purge it completely within 30 days.

Account compromise

We rate-limit login attempts per account and per IP. Failed-login counters persist across deploys so an attacker cannot reset them by waiting for our next push. Bearer tokens (when used) live in a capped LRU so a token-fuzzing attack cannot exhaust server memory.

For the legal language, see our Terms and Privacy Policy. Questions? Email [email protected].
