Security & Compliance
Posture summary
Hyperaxis is designed for regulated-industry buyers. Every architectural decision favours auditability, tamper-evidence, and clear data-handling boundaries. This page describes the posture today and the live roadmap. We update it as controls land.
Hosting and data residency
The public landing page (hyperaxis.co.uk) is statically hosted on Vercel, EU region. The Hyperaxis product itself runs on Microsoft Azure Container Apps with Supabase Postgres and Upstash Redis as managed PaaS dependencies. Customer-data residency choices: UK South (London) or West Europe (Netherlands). Once selected per tenant, no customer audit data leaves the chosen region.
Cryptographic controls
- Signing keys live in Azure Key Vault. Production uses ECDSA P-256 today; Ed25519 via Managed HSM is on the roadmap once revenue funds the upgrade.
- Audit chain uses Nexuscone (open source, Apache 2.0) as the substrate. Each entry carries a SHA-256 hash chained to the previous entry. The chain is signed and periodically anchored to public infrastructure (Bitcoin via OpenTimestamps and RFC 3161 timestamp authorities).
- Public verification at verify.hyperaxis.co.uk does not require an account. Anyone can verify a published record's chain and signature using only the published signing public key, the public anchor proofs, and the published verifier code; nothing in the check depends on trusting Hyperaxis infrastructure.
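As an added illustration of what "chained" and "anchored" mean in the bullets above (this is example code written for this page, not Nexuscone or the Hyperaxis verifier), the block below builds a SHA-256 hash chain over a few constructed audit events, then runs the verifier against an intact chain and three tampering cases: an entry edited in place, an entry edited with every hash recomputed, and a chain with its newest entry dropped. The entry layout, the canonical-JSON hashing rule and the all-zero genesis value are assumptions. Signature checking is left out; a real verifier additionally checks the signature on the chain head against the published signing key.

```python
"""Added example (not Nexuscone or the Hyperaxis verifier): a minimal SHA-256
hash chain with anchor verification. Entry layout (seq, prev_hash, payload,
hash), the canonical-JSON hashing rule and the all-zero genesis value are
assumptions for this example. Signature checking is omitted; a real verifier
also checks the signature on the chain head against the published key."""
import hashlib
import json
from typing import Optional, Tuple

GENESIS = "0" * 64  # assumed prev_hash of the first entry


def canonical(obj) -> bytes:
    # Deterministic serialisation: key order and whitespace must not change the hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, seq: int, payload: dict) -> str:
    # Each hash commits to the previous hash, the position and the content.
    h = hashlib.sha256()
    h.update(bytes.fromhex(prev_hash))
    h.update(canonical({"seq": seq, "payload": payload}))
    return h.hexdigest()


def build_chain(payloads: list) -> list:
    chain, prev = [], GENESIS
    for seq, payload in enumerate(payloads):
        digest = entry_hash(prev, seq, payload)
        chain.append({"seq": seq, "prev_hash": prev, "payload": payload, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain: list, anchor: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_seq); first_bad_seq is None when the chain verifies.
    With an anchor (a published head hash) the check also proves the chain is
    the one that was published, which catches truncation and wholesale rewrites."""
    prev = GENESIS
    for expected_seq, entry in enumerate(chain):
        if entry["seq"] != expected_seq or entry["prev_hash"] != prev:
            return False, expected_seq  # gap, reorder or broken link
        if entry_hash(prev, entry["seq"], entry["payload"]) != entry["hash"]:
            return False, expected_seq  # payload or hash edited in place
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return False, len(chain)  # links are consistent but head != published anchor
    return True, None


# Constructed sample events for the demo (not real audit data).
SAMPLE = [
    {"actor": "svc:ingest", "action": "model.register", "model": "credit-risk-v3"},
    {"actor": "user:auditor@example.test", "action": "record.read", "record": 0},
    {"actor": "svc:ingest", "action": "model.decision", "model": "credit-risk-v3", "outcome": "approve"},
]


def demo() -> dict:
    chain = build_chain(SAMPLE)
    anchor = chain[-1]["hash"]  # the value that would be timestamped via OpenTimestamps / RFC 3161

    # 1. Edit a payload in place: entry 2's stored hash no longer matches.
    edited = json.loads(json.dumps(chain))
    edited[2]["payload"]["outcome"] = "deny"

    # 2. Edit and recompute every hash: links verify, but the head differs from the anchor.
    rehashed = build_chain([e["payload"] for e in edited])

    return {
        "intact": verify_chain(chain, anchor),
        "edited": verify_chain(edited, anchor),
        "rehashed": verify_chain(rehashed, anchor),
        "truncated": verify_chain(chain[:-1], anchor),  # 3. Drop the newest entry.
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: ok={result[0]} first_bad_seq={result[1]}")
```

The second and third cases are the reason the anchor exists: an insider who can rewrite the database can recompute every hash or quietly drop the most recent entries, and the chain alone would still verify. Only a head hash fixed in infrastructure the operator does not control (the Bitcoin and RFC 3161 timestamps) turns those into detectable failures. The same replay is what the backup section relies on: regenerate the chain from raw entries, then match the head against the published anchors.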
Network and transport
- TLS 1.2 minimum on every public endpoint. TLS 1.3 preferred. HSTS with one-year max-age and preload directive.
- Content Security Policy (CSP) on every page, with frame-ancestors 'none' so that no origin can frame the page.
- X-Content-Type-Options (nosniff), X-Frame-Options (DENY, the legacy equivalent of frame-ancestors 'none' for clients that predate CSP), Referrer-Policy, and Permissions-Policy headers set on every static response.
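The three bullets above read as a policy; the block below turns them into a check a practitioner can run against any captured response. It is an added example for this page, not Hyperaxis tooling. The thresholds come from the bullets (one-year HSTS max-age with preload, frame-ancestors 'none', the four hardening headers present); the includeSubDomains requirement is added because the HSTS preload list demands it. Both header sets are constructed for the demo.

```python
"""Added example (not Hyperaxis tooling): check one response's headers against
the transport and header policy stated on this page. Thresholds are taken from
the page (one-year HSTS with preload, frame-ancestors 'none', the four
hardening headers); the includeSubDomains requirement is the preload list's
own rule. Both header sets below are constructed for the demo."""

ONE_YEAR = 31536000


def _directives(value: str) -> dict:
    """Split 'a=1; b; c=2' into {'a': '1', 'b': '', 'c': '2'} (names lower-cased)."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"')
    return out


def _csp_sources(value: str, directive: str):
    """Return the source list for one CSP directive, or None if it is absent."""
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            return [t.lower() for t in tokens[1:]]
    return None


def check_headers(headers: dict) -> list:
    """Return findings as strings; an empty list means the response meets the policy."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        d = _directives(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else -1
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} below one year ({ONE_YEAR})")
        if "includesubdomains" not in d:
            findings.append("HSTS missing includeSubDomains (required for preload)")
        if "preload" not in d:
            findings.append("HSTS missing preload")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    elif _csp_sources(csp, "frame-ancestors") != ["'none'"]:
        findings.append("CSP frame-ancestors is not 'none'")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").strip().upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")  # legacy twin of frame-ancestors 'none'
    rp = h.get("referrer-policy", "").strip().lower()
    if not rp or rp == "unsafe-url":
        findings.append("Referrer-Policy missing or unsafe-url")
    if not h.get("permissions-policy", "").strip():
        findings.append("Permissions-Policy missing")
    return findings


# Constructed: the policy on this page expressed as concrete headers.
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

# Constructed: a typical unhardened deployment with a short HSTS and no frame-ancestors.
WEAK = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src 'self'",
    "x-frame-options": "ALLOWALL",
}


if __name__ == "__main__":
    for name, hdrs in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, check_headers(hdrs) or "meets policy")
```

Feed it the header dictionary from any HTTP client; the point of returning findings rather than a boolean is that the same function drops into a CI step or a scheduled probe and tells you which bullet regressed.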
Access controls
- Single sign-on via Microsoft Entra ID and Google Workspace is planned for v1.0; email plus passkey (WebAuthn) sign-in is supported throughout the design-partner programme.
- Tenant isolation is enforced at the database row level with explicit row-level policies keyed on the tenant, so the database itself rejects cross-tenant reads and writes even where application code is wrong. No cross-tenant data flow is possible by construction, provided every access path runs under a database role the policies apply to.
- Audit-log access requires one of the roles (Auditor, Compliance, Engineer) to be granted to the user. Every read is itself recorded on the same chain as the records being read, with the reading principal, so access history is as tamper-evident as the records.
Compliance roadmap
| Framework | Status | Target |
|---|---|---|
| ICO registration (UK Data Controller) | In progress | Q2 2026 |
| UK GDPR / Data Protection Act 2018 | Designed for | Continuous |
| EU AI Act, Article 12 (audit logging) | Designed for | Enforced 2 August 2026 |
| FCA SS1/23 (model risk management) | Designed for | Continuous, UK FS tenants |
| SOC 2 Type II | In scope | v1.5 (post first paying customer) |
| ISO/IEC 42001 (AI management system) | Mapping in progress | v1.5 |
| NHS DSPT v8 | Designed for | Continuous, NHS tenants |
| NIST AI RMF | Designed for | Continuous, US tenants |
Vendor and supply chain
Primary platform: Microsoft Azure. Database: Supabase (Postgres). Cache: Upstash (Redis). Email: Resend (transactional) and ImprovMX (forwarding). Source control: GitHub (private repositories under the aperintel organisation). All vendors are evaluated for sub-processor handling, data-residency commitments, and breach-notification clauses before integration.
Backup and recovery
Postgres backups run daily with 30-day point-in-time recovery, plus a weekly snapshot retained for 90 days. The audit chain itself is reconstructable from the raw entries plus the published anchor proofs: replaying the entries regenerates the chain, and matching the replayed head against the anchors proves it is the chain that was published. The anchors prove integrity but do not store content, so recovery from a total loss of operational data depends on at least one copy of the raw entries surviving, which is what the backups above provide.
Incident response
Security incidents are reported to security@aperintel.com; we acknowledge within one business day. Severe incidents that affect customer audit integrity are disclosed to affected tenants within 72 hours and are themselves written as audit events to the same chain, so the record of the response is as tamper-evident as the records it concerns.
Responsible disclosure
If you find a security issue, please follow our Responsible Disclosure guidelines. We commit to fixing critical issues within 30 days of triage and to giving public credit to researchers who report in good faith.
Contact
Security questions: security@aperintel.com. PGP public key available on request. General questions: hyperaxis@aperintel.com.