Legal & Data Handling

Privacy Policy for a security-first file platform.

AXFILE Security is designed around tenant isolation, auditable workflows, real-time inspection, and controlled storage. This policy explains how AXUM SEC handles metadata, security telemetry, OCR processing, and operational signals generated by the platform.

Effective date: March 9, 2026
Controller: AXUM SEC
Contact: security@axumsec.com

What We Collect

  • Tenant configuration data such as tenant identifiers, policy presets, rotation-policy settings, and API key inventory metadata.
  • Operational file metadata including filenames, MIME types, sizes, cryptographic hashes, scan verdicts, OCR extraction status, and approval state.
  • Administrative identity data such as user email addresses, roles, access timestamps, and audit context required for secure management.
  • Platform telemetry used to operate upload servers, OCR workers, security engines, storage services, and encryption schedulers in real time.

How We Use Information

  • To authenticate administrators, tenants, and collaborators and preserve tenant isolation across every request path.
  • To inspect uploads, run malware scanning, correlate security signals, and decide whether files are allowed, quarantined, sandboxed, or blocked.
  • To power OCR, search indexing, approvals, comments, activity feeds, and other workflow features that depend on extracted metadata.
  • To produce audit trails, health monitoring, and operational alerts that keep the backend reliable and accountable.

Confidential File Protection

  • Confidential uploads are encrypted at rest with tenant-scoped key management, including local keys and provider-backed KMS or HSM flows where configured.
  • Plaintext handling is minimized to the processing window required for upload completion, scanning, indexing, and encryption.
  • Version history, retention rules, and audit events may preserve metadata needed for compliance and traceability even after a working file changes.

Security Engines and Processors

  • OCR, malware scanning, and policy-enforcement workflows may use controlled internal or third-party processing components to protect the platform and customer data.
  • Those integrations are used only to deliver the service, improve security posture, and investigate abuse or incidents.
  • Access is limited to the minimum data necessary for storage, inspection, detection, and support operations.

Retention and Customer Responsibility

  • Customers remain responsible for ensuring they have the legal right to upload, process, and retain the information they submit.
  • Retention duration depends on tenant settings, archival policy, legal obligations, and incident-response needs.
  • If you need a DPA, residency commitment, or regulated deployment review, contact AXUM SEC before production rollout.