Security

How AXIS Protects Assessment Data

AXIS is built on the premise that a measurement platform's credibility rests on its integrity controls. This page summarizes the platform's security model in plain language. A detailed remediation history is maintained internally and made available to partners on request.

Server-authoritative scoring

All scoring runs server-side against the canonical question bank. Question content, weights, and foundational-control flags are never trusted from the client, so a tampered browser cannot mint an inflated score. Every result is signed (HMAC-SHA256) over the scores AND the scoring context — bank version, content hash, algorithm version.

Version-pinned, reproducible results

Question banks are immutable and content-hashed; published versions are write-protected at the database layer. Every assessment records exactly which bank and algorithm produced it and replays bit-for-bit — results cannot be silently rewritten by later content changes.

Tenant isolation

Partner data is scoped by tenant on every route, with database Row-Level Security policies deployed as a second enforcement layer. Consultant review data is only reachable through authenticated, tenant-checked endpoints.

Hardened report rendering

PDF generation runs with JavaScript disabled and network access blocked except for explicitly validated assets; all client-supplied text is escaped at the render sink; logo URLs are SSRF-checked (DNS-resolved against private ranges). The renderer runs as a non-root user with recycled browser instances and hard render timeouts.

Abuse controls

Per-IP rate limiting on public scoring and every report-generation route; strict Content-Security-Policy, HSTS, and frame-ancestors none; the admin sign-in gate cannot create accounts or be used to enumerate them.

Data minimization & consent

Benchmark aggregation uses only assessments with explicit consent, applies one-organization-one-vote deduplication, and withholds any cross-organization cell with fewer than five contributors. Analytics tags default to denied consent (Google Consent Mode v2).

Auditability

Administrative and assessment events are recorded in an append-only audit log with database triggers preventing modification. Reports print their full provenance (methodology version, bank hash, algorithm version, benchmark evidence basis) on the cover.

Remediation posture

The platform underwent a comprehensive internal security review and hardening pass in June 2026 covering authentication, tenant scoping, score integrity, report rendering, and abuse controls. All critical and high findings from that review are remediated; defense-in-depth items are tracked to completion on a public-roadmap basis.

Found something? Report security issues to the contact on the methodology page — reports are acknowledged, investigated, and credited.