At Lost Boy Graphics, security is not an afterthought — it is a foundational design principle of the Axelis platform. We process sensitive data on your behalf: AI conversation histories, OAuth tokens granting access to your social media accounts, Google Suite data, and more. We take the responsibility of protecting that data seriously.
This Security Policy describes the technical and organizational measures we have implemented to protect your data. We are transparent about our current security posture and our roadmap for continued improvement.
Data is encrypted in transit using TLS and at rest using AES-256. No unencrypted sensitive data leaves our systems.
Internal access to user data is limited to personnel who require it for their job function. All access is logged.
We monitor our systems for anomalous activity, security events, and potential breaches around the clock.
Security is considered at every stage of the software development lifecycle, from design through deployment.
All communication between your device and the Axelis platform — and between Axelis and its service providers — is encrypted in transit using industry-standard protocols:
All HTTP requests to axelis.ai and its subdomains are automatically redirected to HTTPS. The Strict-Transport-Security (HSTS) header instructs browsers to refuse plain-HTTP connections to these hosts. Our HSTS policy includes the includeSubDomains and preload directives.
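As an added illustration (not code from the Axelis platform), the following check verifies that a Strict-Transport-Security header value actually carries the directives described above, including the one-year minimum max-age that the browser preload list requires; the sample header values are constructed.

```javascript
// Added example: validate a Strict-Transport-Security header value against the
// policy described above (max-age, includeSubDomains, preload).
// The HSTS preload list requires max-age of at least one year (31536000 seconds).
const ONE_YEAR = 31536000;

// Parse "max-age=63072000; includeSubDomains; preload" into a directive map.
// RFC 6797 directive names are case-insensitive, so keys are lower-cased.
function parseHsts(headerValue) {
  const directives = {};
  for (const part of headerValue.split(';')) {
    const token = part.trim();
    if (!token) continue;
    const [name, value] = token.split('=').map((s) => s.trim());
    directives[name.toLowerCase()] =
      value === undefined ? true : value.replace(/^"|"$/g, '');
  }
  return directives;
}

// Returns { ok, problems } describing every way the header falls short.
function checkHsts(headerValue) {
  if (!headerValue) return { ok: false, problems: ['header missing'] };
  const d = parseHsts(headerValue);
  const problems = [];
  const raw = d['max-age'];
  const maxAge = typeof raw === 'string' && /^\d+$/.test(raw) ? Number(raw) : NaN;
  if (Number.isNaN(maxAge)) problems.push('max-age missing or invalid');
  else if (maxAge < ONE_YEAR) problems.push(`max-age ${maxAge} below one year required for preload`);
  if (d.includesubdomains !== true) problems.push('includeSubDomains missing');
  if (d.preload !== true) problems.push('preload missing');
  return { ok: problems.length === 0, problems };
}

// Constructed sample values (not captured from axelis.ai).
const GOOD_HSTS = 'max-age=63072000; includeSubDomains; preload';
const WEAK_HSTS = 'max-age=300';
```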
All API calls between Axelis and third-party providers (Anthropic, OpenAI, Supabase, Stripe, Google APIs, social platform APIs) are made exclusively over TLS-encrypted connections. We verify TLS certificates for all outbound connections and reject invalid or self-signed certificates.
Data stored by Axelis is encrypted at rest using AES-256, which is the same encryption standard used by government agencies and financial institutions worldwide.
Our primary database (Supabase/PostgreSQL) uses transparent data encryption (TDE) at the storage level. Encryption keys are managed by Supabase's key management infrastructure and are not stored alongside the data they encrypt.
User-generated content (images, video files, documents) stored in object storage is encrypted at rest using AES-256. Access to stored objects requires authenticated, time-limited signed URLs.
All database backups are encrypted using the same AES-256 standard before being stored. Backup storage is isolated from the primary data environment and is access-restricted.
Particularly sensitive data fields — including OAuth access tokens, refresh tokens, and API keys stored on behalf of users — are encrypted at the application layer using AES-256 in addition to the database-level encryption, providing defense in depth. This means the data is encrypted twice: once at the application layer and once at the storage layer.
Axelis integrates with numerous third-party APIs. Proper management of API keys and secrets is critical to platform security.
If users provide their own API keys for certain integrations, those keys are:
OAuth access and refresh tokens for connected accounts (Twitter, Google, Meta, etc.) are treated as highly sensitive credentials:
Axelis relies on a carefully selected set of third-party providers. We evaluate each provider's security posture before integration and maintain data processing agreements with all providers who handle personal data.
| Provider | Role | Key Security Features |
|---|---|---|
| Supabase | Database & Authentication | SOC 2 Type II, AES-256 at rest, TLS in transit, row-level security policies, GDPR-compliant |
| Stripe | Payment Processing | PCI-DSS Level 1, tokenized card data, fraud detection, never shares raw card data |
| Anthropic | AI Inference (Claude API) | Enterprise-grade security, data processing agreements, no training on API data by default |
| OpenAI | AI Inference | SOC 2 Type II, data processing agreements, enterprise data privacy protections |
| Replicate | Image/Video Generation | Encrypted transit, data processed in secure containers, model outputs not shared across users |
| RunwayML | AI Video Generation | TLS encryption, enterprise data handling terms available |
| Google Cloud | OAuth Provider / API | ISO 27001, SOC 2/3, FIPS 140-2 encryption, comprehensive audit logging |
We conduct periodic reviews of our third-party providers' security documentation, compliance certifications, and data processing agreements. If a provider's security posture materially degrades, we will evaluate alternatives.
All state-changing API endpoints require CSRF tokens. We use SameSite cookie attributes and Origin header validation to provide additional layers of CSRF protection.
We implement strict Content Security Policy headers to limit the sources from which the Axelis web application can load resources, reducing the risk of cross-site scripting and data injection attacks.
API endpoints are rate-limited to prevent abuse, credential stuffing, and denial-of-service attacks. Rate limits are applied per IP address and per authenticated user account.
We welcome security researchers who identify potential vulnerabilities in the Axelis platform. We are committed to working with the security community to make Axelis safer for everyone.
If you believe you have found a security vulnerability in Axelis:
Email elijahgreen@lostboygraphics.com with the subject line "Security Vulnerability Report." Include a clear description of the vulnerability, steps to reproduce, and the potential impact.
We ask for a minimum of 90 days to investigate and remediate the issue before public disclosure. We will acknowledge your report within 5 business days and keep you informed of our progress.
During your testing, do not access, modify, delete, or exfiltrate other users' data. Test only with accounts you own. Do not perform denial-of-service testing or social engineering attacks.
We will coordinate with you on the timing and content of any public disclosure. We will credit you for your discovery (unless you prefer to remain anonymous).
In Scope: axelis.ai and all subdomains, Axelis mobile applications, Axelis API endpoints. Out of Scope: Third-party services we use (Supabase, Stripe, Google, etc.) — report those directly to those providers. Social engineering, physical security attacks, and denial-of-service testing are also out of scope.
We do not currently offer a monetary bug bounty program, but we do offer our sincere thanks, public credit (if desired), and a commitment to treat all good-faith reporters with respect. We will not pursue legal action against researchers who follow these responsible disclosure guidelines.
We maintain an incident response plan for security events. Our response process follows industry best practices:
| Phase | Activities | Timeline |
|---|---|---|
| Detection & Triage | Identify and confirm the incident, assess severity and scope, activate response team | Within 1 hour of detection |
| Containment | Isolate affected systems, revoke compromised credentials, implement emergency controls to limit damage | Within 4 hours of detection |
| Eradication | Identify and eliminate root cause, remove malicious artifacts, patch vulnerabilities exploited | Within 24–72 hours |
| Recovery | Restore affected systems from clean backups, verify integrity, gradually restore services | Based on incident severity |
| Notification | Notify affected users and, where required by law, relevant regulatory authorities | Within 72 hours of confirmed breach (GDPR requirement) |
| Post-Incident Review | Root cause analysis, documentation, process improvements, prevention of recurrence | Within 2 weeks of resolution |
In the event of a security incident that affects your personal data, we will notify you via email at your registered address within 72 hours of confirming the breach (or as required by applicable law). Our notification will include:
As a growing company, our compliance posture reflects our current size and the trajectory of our security program:
| Standard / Framework | Status | Notes |
|---|---|---|
| GDPR (EU Data Protection) | Active | Privacy Policy, Data Processing Agreements, and data subject rights processes in place |
| CCPA / CPRA (California) | Active | Consumer rights request processes implemented |
| Meta Platform Data Policy | Active | Data deletion instructions URL and user data handling requirements met |
| OWASP Security Practices | Active | Development practices aligned with OWASP Top 10 |
| SOC 2 Type I | In Progress | Targeted for 2026. We are building toward SOC 2 readiness, including evidence collection and control implementation. |
| SOC 2 Type II | Aspirational | Target: 2027. Full audit covering a minimum 6-month observation period. |
| ISO 27001 | Aspirational | Long-term goal aligned with enterprise customer requirements. |
Enterprise customers who require specific compliance documentation, security questionnaires, or penetration test reports should contact elijahgreen@lostboygraphics.com. We will provide available documentation under NDA where applicable.
For security-related inquiries, vulnerability reports, or security documentation requests:
For general privacy and data protection inquiries (not security vulnerabilities), refer to our Privacy Policy contact section.
We take all security reports seriously and will acknowledge your message within 5 business days. Our security team is committed to investigating and addressing all credible reports promptly.