Most of our security posture comes from one simple rule: your stuff stays on your accounts. We are a one-person studio, so the smaller our blast radius the better — both for you and for us.
Code and infrastructure
- Code is committed to your repository (GitHub, GitLab, Bitbucket), not ours. You own every line.
- Infrastructure (Vercel, AWS, GCP, Modal, Temporal, etc.) is provisioned on your accounts. We do not run anything on your behalf from accounts you cannot revoke.
- Secrets (API keys, model credentials, database URLs) live in your secret manager. We never check secrets into source control.
Access
- We request the minimum access needed to do the job — usually a named user with scoped permissions, not a shared service account.
- Access is revoked at the end of an engagement. If we forget, please revoke us — we expect you to.
- We use a password manager (1Password) and hardware-backed 2FA (a YubiKey) on every account that supports it.
Client data
- We avoid copying production data to local machines. When we have to, we work from a synthetic or anonymised dataset where possible.
- Local laptops are full-disk encrypted (FileVault) with a strong passphrase and auto-lock.
- We do not retain client data after the engagement ends, unless it is part of an artefact we are contractually required to keep (for example, a documented runbook).
AI model use
- We use foundation models from providers with no-train, no-retain business agreements (e.g. Anthropic, OpenAI under their zero data retention tiers when handling sensitive data).
- For sensitive workflows we prefer self-hosted or VPC-deployed models.
- We do not feed your private data into our own personal accounts or general-purpose chat tools.
Transport and storage
- This site is served over HTTPS. The contact form posts to a serverless route over TLS.
- We use Resend (TLS in transit) for transactional email.
- We do not store contact-form submissions outside of email.
Reporting an issue
If you believe you have found a security issue with this site, a workflow we have built for you, or anything else under our control, please email info@axelai.com.au with the word "security" in the subject line. We will acknowledge within 24 hours (Brisbane time, M–F) and work with you on a fix and disclosure timeline.
We do not currently run a paid bug-bounty program, but we will credit good-faith researchers in our public changelog if you want to be named.