Security & Trust

    Last updated: June 10, 2026

    Overview

    AxisBeam Labs operates User Story Composer with a security-first posture. This page summarises the technical and organisational measures we use to protect your data. For a signed copy or to complete a vendor security questionnaire, email support@axisbeamlabs.com.

    Data Protection

    • In transit: All traffic is encrypted with TLS 1.2+ (HTTPS only).
    • At rest: Customer data is encrypted at rest (AES-256) by our managed cloud provider.
    • Secrets: API keys and credentials are stored in a managed secret store, never in source code.

    Tenant Isolation

    The platform is multi-tenant. Tenant data is isolated at the database layer using PostgreSQL Row-Level Security (RLS). Every query is scoped to the authenticated user and, where applicable, their organisation. Cross-tenant access is prevented by policy, not by application code alone.

    Authentication

    • Email + password sign-in with industry-standard password hashing.
    • Google OAuth single sign-on.
    • Sessions issued as short-lived JWTs with refresh-token rotation.
    • Email verification required before access to paid features.

    SAML SSO (Okta, Azure AD, etc.) is available on request for Business/Enterprise customers.

    AI & Data Handling

    User Story Composer uses generative AI to draft user stories. We are an AI-using product, not an AI company — we do not host, fine-tune, or train our own models.

    • Model & provider: Google Gemini, accessed via the Lovable AI Gateway.
    • Training opt-out: Prompts and generated outputs are not used to train Google's foundation models. The Gemini API is contractually distinct from the consumer Gemini chat product, where free-tier conversations may be used for training.
    • What is sent to the model: only the prompt fields you type (brief, persona, optional context). No other stories, no other tenants' data, and no database contents are included in the request.
    • What is stored: your prompt and the generated story, written to your account's row in our database under the same RLS isolation that protects all other customer data.
    • Retention: stories persist until you delete them or close your account. Account deletion requests are honoured within 30 days.
    • No cross-tenant learning: each AI call is stateless. The model has no memory of other users, other accounts, or prior sessions.

    Data flow

    Browser  ──TLS──►  Our backend (Lovable Cloud)  ──TLS──►  Google Gemini API
                              │                                     │
                              │◄────── generated story ─────────────┘
                              ▼
                       Your account's DB row
                      (RLS-isolated, AES-256 at rest)

    Guidance on sensitive data

    The AI does not need real values to produce a good story. Please do not paste raw PII, PHI, payment card numbers, secrets, or other regulated data into prompts. Use placeholders such as [customer name], [account number], or [patient ID] — the generated story will read just as well, and your sensitive values stay out of the AI request path entirely.

    Access Control

    Role-based access control with three roles — user, organisation admin, and platform sysadmin — is enforced by a dedicated user_roles table and security-definer functions. Roles are never derived from client-supplied state.
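    The two mechanisms described above (row-level tenant scoping, and roles held in a dedicated table and read through security-definer functions) fit together in one PostgreSQL schema. The following is an added illustration written for this page, not User Story Composer's actual schema: the `stories` table, its column names, the `app_role` enum and the `has_role` function are hypothetical, and it assumes the Supabase conventions of an `auth.uid()` function returning the caller's user id and an `authenticated` role for signed-in users (on vanilla PostgreSQL, substitute a session setting and your own application role).

```sql
-- Added illustration, not the project's schema. Assumes Supabase-style auth.uid()
-- and the 'anon' / 'authenticated' roles; table and column names are hypothetical.

create type app_role as enum ('user', 'org_admin', 'sysadmin');

create table user_roles (
  user_id uuid     not null,
  role    app_role not null,
  primary key (user_id, role)
);

create table stories (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null,
  org_id   uuid,
  prompt   text not null,
  body     text not null
);

-- Security-definer role check. It runs with the function owner's privileges, so it can
-- read user_roles even though application roles cannot, and the answer comes from the
-- table, never from a JWT claim or request body. The fixed search_path prevents a
-- caller from shadowing user_roles with an object in their own schema.
create function has_role(_user_id uuid, _role app_role)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1 from user_roles
    where user_id = _user_id and role = _role
  );
$$;

-- Clients get no direct access to the roles table; has_role() is the only read path.
revoke all on table user_roles from anon, authenticated;
grant execute on function has_role(uuid, app_role) to authenticated;

alter table stories enable row level security;
alter table stories force row level security;   -- applies even to the table owner

-- Tenant scoping: a user sees only their own rows; platform sysadmins see everything.
create policy stories_select on stories
  for select
  using (owner_id = auth.uid() or has_role(auth.uid(), 'sysadmin'));

-- WITH CHECK stops a client from writing rows on behalf of another tenant.
create policy stories_insert on stories
  for insert
  with check (owner_id = auth.uid());

create policy stories_update on stories
  for update
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy stories_delete on stories
  for delete
  using (owner_id = auth.uid());
```

    The point a reviewer checks is that every path to `stories` goes through these policies: there is no policy for a role that bypasses them, `force row level security` closes the owner loophole, and `user_roles` is reachable only through the security-definer function. The policies can be exercised in a test transaction by switching to the application role and setting the caller's identity the way the backend would, then confirming that a `select` from a second user's id returns zero rows and that an `insert` with a foreign `owner_id` is rejected.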

    Audit Logging

    Sensitive actions (sign-ins, role changes, subscription changes, admin operations) are recorded in an append-only app_events log with user, timestamp, and contextual metadata. Logs are retained for at least 12 months.
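    An append-only event log is enforced in the database rather than by convention. The block below is an added illustration, not the project's schema: the `app_events` columns and the `app_events_immutable` trigger function are hypothetical, and it again assumes Supabase's `auth.uid()` and `anon` / `authenticated` roles.

```sql
-- Added illustration of an append-only audit table; column names are hypothetical.
create table app_events (
  id          uuid primary key default gen_random_uuid(),
  occurred_at timestamptz not null default now(),
  actor_id    uuid,                      -- user who performed the action
  event_type  text not null,             -- e.g. 'sign_in', 'role_change' (constructed)
  metadata    jsonb not null default '{}'::jsonb
);

-- Application roles may only insert. No UPDATE, DELETE or TRUNCATE privilege exists
-- for them, so there is no client-facing path that can alter history.
revoke all on table app_events from anon, authenticated;
grant insert on table app_events to authenticated;

-- Belt and braces: even a privileged connection hits this trigger on UPDATE/DELETE.
create function app_events_immutable() returns trigger
language plpgsql
as $$
begin
  raise exception 'app_events is append-only: % is not permitted', tg_op;
end;
$$;

create trigger app_events_no_rewrite
  before update or delete on app_events
  for each row execute function app_events_immutable();

-- RLS so a signed-in user cannot forge events attributed to someone else, and cannot
-- read the log at all from the client (reads happen server-side with a backend role).
alter table app_events enable row level security;
alter table app_events force row level security;

create policy app_events_insert on app_events
  for insert
  with check (actor_id = auth.uid());
```

    The trigger is a second line of defence, not a tamper-proof guarantee: a role that owns the table can drop it. Retention and tamper-evidence beyond that point come from shipping the rows to storage the application roles cannot reach.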

    Infrastructure & Sub-processors

    Provider                        | Purpose                                                                | Region
    Lovable Cloud (Supabase / AWS)  | Application hosting, database, authentication, storage                 | EU / US
    Paddle                          | Payments, subscription management, tax compliance (Merchant of Record)  | Global
    Resend                          | Transactional email delivery                                           | EU / US
    Google (Gemini API)             | AI inference for story generation                                      | Global

    Backups & Recovery

    • Managed daily backups of the production database.
    • Point-in-time recovery available within the retention window.
    • Recovery procedures are reviewed periodically.

    Vulnerability Management

    • Automated dependency scanning on every change; high/critical advisories are remediated promptly.
    • Database security linter run against schema and RLS policies.
    • Edge functions and frontend code reviewed before deployment.

    Incident Response

    If we become aware of a personal-data breach affecting your data, we aim to notify affected customers within 72 hours of confirmation, with a description of the incident, data involved, and remediation steps. Report a suspected security issue to support@axisbeamlabs.com.

    Compliance Roadmap

    • GDPR-aligned processing — see our Privacy Policy and DPA.
    • SOC 2 Type 1 — planned.
    • Vendor security questionnaires — completed on request for Business/Enterprise customers.

    Contact

    Security questions, questionnaires, or DPA requests: support@axisbeamlabs.com