When you use flows, Axiom takes the following measures to protect sensitive data such as private keys:
  • Encrypted storage: Credentials are encrypted at rest in the database. Axiom uses strong, industry-standard encryption methods and follows best practices.
  • Per-entry encryption: Each credential is encrypted individually with its own unique key. This limits the potential impact if any single key is compromised.
  • Secure transit: Credentials are encrypted in transit between your browser/client and the Axiom API using TLS 1.2 or 1.3.
  • Internal encryption: Credentials remain encrypted within Axiom’s internal network.
  • Memory handling: When credentials are briefly held in memory (for example, when delivering payloads), Axiom relies on cloud infrastructure security guarantees and proper memory management techniques, including garbage collection.
  • Contextual encryption: Different uses of the same credentials use different encryption contexts. This adds an extra layer of protection.
  • Role-based access: Axiom uses role-based access control for key management without keeping any master keys that can decrypt customer data.
These measures ensure that accessing usable credentials is extremely difficult even in the highly unlikely event of a data breach. The individual encryption of each entry means that even if one is compromised, the others remain secure. For more information on Axiom’s security posture, see Security.