Security

How we handle your stuff

Most of our security posture comes from one simple rule: your stuff stays on your accounts. We are a one-person studio, so the smaller our blast radius the better — both for you and for us.

Code and infrastructure

  • Code is committed to your repository (GitHub, GitLab, Bitbucket), not ours. You own every line.
  • Infrastructure (Vercel, AWS, GCP, Modal, Temporal, etc.) is provisioned on your accounts. We do not run anything on your behalf from accounts you cannot revoke.
  • Secrets (API keys, model credentials, database URLs) live in your secret manager. We never check secrets into source control.

Access

  • We request the minimum access needed to do the job — usually a named user with scoped permissions, not a shared service account.
  • Access is revoked at the end of an engagement. If we forget, please revoke us — we expect you to.
  • We use a password manager (1Password) and hardware-backed 2FA (a YubiKey) on every account that supports it.

Client data

  • We avoid copying production data to local machines. When we have to, the local copy is a synthetic or anonymised dataset where possible.
  • Local laptops are full-disk encrypted (FileVault) with a strong passphrase and auto-lock.
  • We do not retain client data after the engagement ends, unless it is part of an artefact we are contractually required to keep (for example, a documented runbook).

AI model use

  • We use foundation models from providers with no-train, no-retain business agreements (e.g. Anthropic, OpenAI under their zero data retention tiers when handling sensitive data).
  • For sensitive workflows we prefer self-hosted or VPC-deployed models.
  • We do not feed your private data into our own personal accounts or general-purpose chat tools.

Transport and storage

  • This site is served over HTTPS. The contact form posts to a serverless route over TLS.
  • We use Resend (TLS in transit) for transactional email.
  • We do not store contact-form submissions outside of email.

Reporting an issue

If you believe you have found a security issue with this site, a workflow we have built for you, or anything else under our control, please email info@axelai.com.au with the word "security" in the subject line. We will acknowledge within 24 hours (Brisbane time, M–F) and work with you on a fix and disclosure timeline.

We do not currently run a paid bug-bounty program, but we will credit good-faith researchers in our public changelog if you want to be named.

Last reviewed: 1 May 2026