Security

Last Updated: April 2026

AXE Technologies builds AXIOM on the principle that true security comes from sovereignty. This page describes the security architecture, practices, and policies that protect AXIOM deployments. We are a Canadian company and our security posture reflects a zero-trust, privacy-first philosophy.

Architecture: Sovereignty as Security

When your data never leaves your infrastructure, entire categories of attack vectors disappear. There are no cloud APIs to breach, no vendor databases to compromise, no third-party tokens to leak, and no supply chain of SaaS providers to audit. Your AI stack runs on your metal, under your control. AXIOM is designed to operate fully air-gapped if required — no internet connection necessary after initial setup.

Zero-Trust Model

AXIOM follows zero-trust principles throughout. No component implicitly trusts another. Every inter-service request is authenticated. Every node in the fleet must prove its identity before participating in inference or data exchange. There is no privileged internal network — even traffic between machines on the same LAN is encrypted and authenticated.

Authentication

AXIOM uses AuthGate, a push-based authentication system built by AXE Technologies. There are no passwords to steal, no tokens stored in databases, and no OAuth flows through external providers. Authentication requests are pushed to your verified device for approval. Session management uses HttpOnly cookies with Secure and SameSite=Strict flags, and sessions expire after a configurable inactivity period. There is no password reset flow because there are no passwords.
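A deployment check for the cookie flags named above, as an added example that is not AXE Technologies' or AuthGate's own code: it parses Set-Cookie header values and reports any cookie that lacks HttpOnly, Secure or SameSite=Strict. The cookie name `session` and the sample header values are constructed for illustration.

```python
# Added example: audit Set-Cookie header values for the session-cookie
# flags this page describes. Cookie name and samples are constructed.

REQUIRED_FLAGS = {"httponly": "HttpOnly", "secure": "Secure"}

# Constructed sample headers: one conforming, two weakened.
SAMPLES = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
    "session=abc123; Path=/; httponly; SameSite=Lax",
    "session=abc123; Path=/; Secure",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, attribute dict)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        return "", {}
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        # Attribute names are case-insensitive (RFC 6265).
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header):
    """Return a list of findings; an empty list means the cookie conforms."""
    name, attrs = parse_set_cookie(header)
    if not name:
        return ["unparseable Set-Cookie header"]
    findings = []
    for key, label in REQUIRED_FLAGS.items():
        if key not in attrs:
            findings.append(f"{name}: missing {label}")
    samesite = attrs.get("samesite")
    if samesite is None:
        # Without the attribute the browser's default policy applies.
        findings.append(f"{name}: missing SameSite")
    elif samesite.lower() != "strict":
        findings.append(f"{name}: SameSite={samesite}, expected Strict")
    return findings


if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", audit_cookie(header) or "OK")
```

Feed it the Set-Cookie values captured from a login response on your own deployment; any non-empty result is a cookie that does not match the flags stated above.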

Encryption

All inter-node communication within the fleet is encrypted via WireGuard tunnels using modern cryptographic primitives (Curve25519, ChaCha20-Poly1305, BLAKE2s). External traffic is served exclusively over TLS 1.2+. There is no plaintext pathway in or out of the system. Model inference, embedding generation, vector search, and all administrative traffic occur within the encrypted mesh. Data at rest encryption is available and configurable per deployment.

Data Sovereignty

All AI processing happens locally. Model weights, conversation history, embeddings, and vector databases remain on your hardware at all times. AXIOM makes zero external API calls by default. There is no telemetry, no phone-home behavior, no update checker, and no cloud dependency. You control what enters and exits your network. The system is designed so that even AXE Technologies has no mechanism to access your data.

Fleet Infrastructure

The fleet architecture distributes workloads across multiple machines connected via encrypted WireGuard tunnels. Each node runs its own inference server with dedicated model assignments and resource limits. Node compromise does not grant access to the full fleet — each node holds only its assigned models and data. The architecture supports air-gapped deployments, offline operation, and UHF radio communication for environments with no network access whatsoever.

Dependency Management

AXIOM minimizes external dependencies by design. Where dependencies are necessary, we pin versions, verify checksums, and audit for known vulnerabilities. The system has zero runtime dependency on third-party SaaS services. All inference is local. All storage is local. All authentication is self-hosted. This eliminates the cascading risk of third-party breaches affecting your deployment.

Incident Response

AXE Technologies maintains an incident response process for vulnerabilities discovered in the AXIOM codebase. Critical vulnerabilities are patched and disclosed within 72 hours. Security advisories are published in the project repository. Because AXIOM is self-hosted, you control when and how patches are applied to your deployment.

Responsible Disclosure

If you discover a security vulnerability in AXIOM, please report it directly to james@virul.co. We take all reports seriously and will respond within 48 hours. Please allow reasonable time for a fix before public disclosure. We do not pursue legal action against good-faith security researchers.