Security Policy
Last updated: March 9, 2026
1. Security Practices
AxeLedger is built with security as a foundational principle. Our security practices include:
Encryption
- All data in transit is encrypted via TLS/HTTPS.
- HTTP Strict Transport Security (HSTS) headers are enforced to prevent protocol downgrade attacks.
- Session data is encrypted at rest in production environments.
- Sensitive fields (webhook secrets, API credentials) are encrypted using application-level encryption.
Security Headers
- X-Content-Type-Options: Prevents MIME-type sniffing.
- X-Frame-Options: Prevents clickjacking by disallowing framing.
- Referrer-Policy: Controls referrer information sent with requests.
- Permissions-Policy: Restricts browser feature access.
CSRF Protection
All state-changing requests are protected with CSRF tokens, verified on every form submission and AJAX request.
CORS Policy
Cross-Origin Resource Sharing is restricted to explicitly allowed origins configured per environment. No wildcard origins are permitted.
2. Authentication & Sessions
- Password hashing: All passwords are hashed using bcrypt with a secure cost factor. We never store plaintext passwords.
- Email verification: All new accounts must verify their email address before gaining full access to the Service.
- Session encryption: Production sessions are encrypted, using secure cookies with the SameSite=Strict attribute.
- Session management: Sessions are invalidated on password change and logout.
3. Entity Isolation Architecture
AxeLedger's multi-entity architecture provides complete data isolation between entities:
- Every database query for entity-scoped resources (accounts, transactions, bills, invoices, contacts, etc.) is automatically filtered by the current entity's ID.
- Entity context is established via secure middleware that validates the user's membership in the requested entity through a pivot table.
- All validation rules for entity-owned resources include entity-scoped existence checks, preventing cross-entity data references.
- Service-layer methods enforce entity scoping on all lookups, ensuring that direct ID access cannot bypass entity boundaries.
- Users can only access entities they have been explicitly invited to and accepted membership in.
4. Role-Based Access Control
AxeLedger implements granular role-based access control at two levels:
Entity Roles
Each user's access within an entity is governed by one of five roles:
| Role | Permissions |
|---|---|
| Owner | Full control including billing management and entity deletion. |
| Admin | Full access to all features except billing management. |
| Accounting | Create and edit transactions, bills, and invoices. View accounts and generate reports. No user or settings management. |
| Reporting | Read-only access to all data including reports. Cannot create or modify records. |
| Viewer | Basic read-only access. Cannot access reports. |
Platform Roles
- Super Admin: Can manage user accounts and override subscriptions for support purposes. Cannot see user financial data; all monetary values are redacted during View As sessions. All actions are logged in an immutable audit trail.
- User: Standard user operating within their subscription tier's limits.
5. API Security
- Authentication: API access requires authenticated bearer tokens with each request.
- Rate limiting: All API routes are rate-limited to prevent abuse.
- Ability whitelists: API tokens are issued with explicit ability scopes from a predefined whitelist. Wildcard abilities are not permitted.
- Token expiration: API tokens automatically expire and must be periodically regenerated.
- Entity scoping: All API requests are scoped to the authenticated user's entities. Cross-entity access is not possible through the API.
6. Webhook Security
Outgoing Webhooks
- All outgoing webhook payloads are cryptographically signed using a per-webhook secret.
- Webhook secrets are encrypted at rest and hidden from API serialization.
- Webhooks are automatically deactivated after repeated consecutive delivery failures to prevent abuse.
- All webhook deliveries are logged with status codes and response times.
Incoming Webhooks
- All incoming webhook signatures are verified using timing-safe comparison before processing.
- Third-party webhook payloads are validated against their respective provider's signing mechanism.
- All incoming webhooks are processed asynchronously to prevent timing attacks.
7. Payment Security
PCI Compliance
AxeLedger never stores, processes, or transmits credit card numbers, CVVs, or raw bank account details. All payment processing is handled entirely by Stripe, a PCI Level 1 certified payment processor.
- We only store opaque Stripe identifiers (customer ID, subscription ID) to manage billing relationships.
- These identifiers are hidden from model serialization and API responses.
- Subscription checkout and management are handled through Stripe's hosted pages (Checkout and Customer Portal).
- All subscription changes are logged in an auditable plan changes table.
8. AI Security
- Self-hosted infrastructure: All AI processing runs on our self-hosted infrastructure. No user data is ever transmitted to third-party AI providers.
- No BYOK: We do not allow users to provide their own API keys or configure external AI endpoints, preventing SSRF attacks and data exfiltration.
- Output sanitization: All AI-generated responses are sanitized before rendering to prevent XSS attacks. Dangerous HTML tags are stripped from AI output.
- Credit metering: AI usage is metered per user per month, preventing abuse and ensuring fair resource allocation.
- Entity isolation: AI processing respects entity boundaries. AI features can only access data within the user's current entity.
9. Automated Security Audits
We maintain a continuous security posture through:
- Automated dependency vulnerability scanning across all application packages.
- Static code analysis to detect common security vulnerabilities.
- Regular review of access controls, validation rules, and authorization logic.
- Monitoring of authentication events, failed login attempts, and suspicious activity patterns.
- Immutable audit logging of all administrative actions.
10. Responsible Disclosure
We value the work of security researchers and welcome responsible disclosure of vulnerabilities. If you discover a security issue in AxeLedger, please report it to us privately:
Security Reports
Email: security@voidworxlabs.com
Our responsible disclosure guidelines:
- Please provide sufficient detail for us to reproduce and verify the vulnerability.
- Allow us a reasonable time (at least 90 days) to address the issue before public disclosure.
- Do not access, modify, or delete other users' data during your research.
- Do not perform denial-of-service attacks or otherwise disrupt the Service.
- We will acknowledge receipt of your report within 48 hours and provide regular updates on our progress.
11. SOC 2 Compliance
VoidWorx Labs is committed to achieving and maintaining SOC 2 Type II compliance. Our compliance program encompasses:
- Security: Protection against unauthorized access through encryption, access controls, and monitoring.
- Availability: Service uptime commitments and disaster recovery procedures.
- Processing Integrity: Ensuring data processing is complete, accurate, and authorized.
- Confidentiality: Protection of confidential information throughout its lifecycle.
- Privacy: Collection, use, retention, and disposal of personal information in accordance with our Privacy Policy.
12. Penetration Testing
We are committed to regular penetration testing of the AxeLedger platform:
- Third-party penetration tests are conducted on a regular basis.
- Testing covers the full application stack including web application, API endpoints, authentication flows, and infrastructure.
- Findings are prioritized and remediated based on severity.
- Critical and high-severity findings are addressed within defined SLAs.
- Retesting is performed to verify that remediation is effective.
Related policies: