AAxel
Sign inRequest access
Security

Built so the on-call engineer sleeps through the night.

Webhook traffic carries some of the most sensitive data in your stack — payment events, identity changes, access grants. Axel is engineered like the systems your security team is already comfortable with.

Request security review Read the docs
What we promise

Six guarantees you can hold us to today.

Every item below is implemented and tested in the codebase — not aspirational. We'd rather under-promise and ship than ride a marketing slide deck.

Tokens never stored in plaintext

Source ingest tokens are stored as SHA-256 hashes. Validation is constant-time. Tokens are never written to logs or audit trails — only their hash prefix.

SHA-256

Payloads encrypted in transit & at rest

TLS 1.2+ on the edge. Cloudflare R2 encrypts every object at rest. ClickHouse logs are stored in customer-managed encryption keys when self-hosted.

TLS 1.2+

Sandboxed transform code

Customer route filters and transforms run in isolated Worker threads with V8 resource limits, 250ms wall-clock timeouts, and no network or filesystem access. Per-process semaphore prevents noisy-neighbor.

0 egress

Tenant isolation by workspace_id

Every Postgres row, ClickHouse partition, and queue message is keyed by workspace_id. The dashboard enforces workspace scope on every query — there's no path to read a sibling tenant's data.

every row

Bounded payload retention

Raw payloads in R2 are kept 30 days by default for replay. Logs in ClickHouse have a 30-day TTL. Customers on the Scale tier can extend or shorten retention.

30 days

Audit log on every privileged action

Workspace creation, member invites, role changes, source mutations and destination writes are all recorded with actor + timestamp in an append-only audit log.

append-only
Roadmap

The compliance work, sequenced honestly.

We'd rather you see the plan than a logo soup. Here's where the security work sits today, and where it's going next.

  • ShippedTLS edge, hashed tokens, sandboxed transforms, audit log
  • ShippedPer-source rate limits, body & depth caps, idempotent fan-out
  • In flightSecrets baseline & egress allow-list for destination connectors
  • Q3 2026SOC 2 Type I report (in observation now)
  • Q4 2026BYO-cloud option for regulated workloads
  • 2027SOC 2 Type II + ISO 27001

Have a security question?

We respond to security@axelapp.ai within one business day. Vulnerability reports get a same-day acknowledgement and a fix or mitigation timeline within 72 hours.

Email security@axelapp.ai Pricing