Security Overview
Last updated: 3 July 2026
A plain summary of the security controls we operate for the Axiom Logic website and client portal, how to report a vulnerability, and how we handle incidents.
01
Overview
This page is maintained by AxiomLogic to answer common security questions about our website and client portal. It is not an independent certification or audit report. It describes the controls that are currently enabled in the Service; it does not describe every control we ever plan to enable, and it does not create additional legal obligations beyond those in our Terms of Service and Privacy Policy.
02
Hosting and platform
The Service is hosted on Lovable Cloud, which is built on Supabase infrastructure. Lovable Cloud provides our application runtime, database, storage and authentication layer. We inherit the platform-level controls those providers operate for their infrastructure and describe them factually here; we do not represent that we or the platform hold any specific certification unless separately stated in writing.
03
Authentication
Portal users sign in with email and password or with a Google account via OAuth. Passwords are handled by Supabase Auth and are never stored in plaintext. Session state is held in a first-party cookie/localStorage token issued by Supabase Auth and can be revoked at any time by signing out.
We encourage users to choose strong, unique passwords and to use their organisation's single sign-on where available via Google Workspace.
04
Access control
All tables that hold client data are protected by PostgreSQL Row Level Security. Policies restrict each row so that authenticated clients can read and write only their own records, and administrators (identified by a role stored in a dedicated user_roles table and checked by a security-definer function) can access the records they need to service the engagement. Roles are never stored on user-editable tables.
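The pattern described above, sketched as an added example for a Supabase-style PostgreSQL database; it is not the Service's actual schema or policies. Only user_roles is named on this page: app_role, has_role, client_documents, owner_id and the read-only scope of the admin policy are hypothetical, and Supabase's auth.users table and auth.uid() function are assumed to be available.

```sql
-- Hypothetical names throughout, except user_roles (named on the page).
create type public.app_role as enum ('admin', 'client');

-- Roles live in their own table, not on a profile row that users can update.
create table public.user_roles (
  user_id uuid not null references auth.users (id) on delete cascade,
  role    public.app_role not null,
  primary key (user_id, role)
);
alter table public.user_roles enable row level security;
-- No INSERT/UPDATE/DELETE policy exists, so API callers cannot change roles;
-- an authenticated user may only read their own role rows.
create policy "read own roles" on public.user_roles
  for select to authenticated
  using (user_id = auth.uid());

-- SECURITY DEFINER runs the lookup with the function owner's privileges, so
-- policies can call it without recursing into user_roles' own RLS. Pinning
-- search_path stops a caller from shadowing the objects it resolves.
create function public.has_role(_user_id uuid, _role public.app_role)
returns boolean
language sql stable security definer set search_path = ''
as $$
  select exists (
    select 1 from public.user_roles
    where user_id = _user_id and role = _role
  );
$$;

create table public.client_documents (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null references auth.users (id),
  title    text not null
);
alter table public.client_documents enable row level security;

-- Clients: read and write only rows they own.
create policy "clients manage own rows" on public.client_documents
  for all to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Administrators: access decided by the role lookup, not by a column on the row.
create policy "admins read all rows" on public.client_documents
  for select to authenticated
  using (public.has_role(auth.uid(), 'admin'));
```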
05
Document handling
Files uploaded to the portal are stored in a private storage bucket. Direct public access to the bucket is disabled; downloads are performed through short-lived signed URLs generated on demand for the authenticated owner or their accountant. Uploads are capped at 25 MB per file to protect the shared platform.
06
Encryption
All traffic to and from the Service is transported over HTTPS with TLS. Data at rest — database contents, uploaded documents and platform-managed backups — is encrypted by our hosting provider using industry-standard algorithms and provider-managed keys.
07
Backups and availability
Database backups are performed by our hosting platform on the schedule they publish for our plan. We monitor the health of the Service and rely on the platform's underlying redundancy for availability. We do not commit to a specific uptime percentage in these public materials; where formal service levels are needed, they are agreed in your engagement letter.
08
Reporting a vulnerability
If you believe you have found a security vulnerability in the Service, please report it responsibly to contact@axiomlogictech.com with enough detail for us to reproduce the issue. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate it.
We aim to acknowledge reports within three working days. We do not currently operate a paid bug-bounty programme, but we are grateful for responsible disclosure and will credit reporters on request.
09
Incident notification
Where a personal data breach affects your data and is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office (and, where applicable, the relevant EU supervisory authority) within 72 hours of becoming aware of the breach, as required by UK and EU GDPR. We will also notify affected clients without undue delay where the breach is likely to result in a high risk to them.
11
Contact
Security questions, vulnerability reports and general correspondence: contact@axiomlogictech.com.