Security

Security is not a feature. It's the foundation.

Every infrastructure decision, policy, and line of code at Axos starts with one question: is your clients' data as protected as it can possibly be?

AES-256 Encryption

Every document, message, and data record is encrypted at rest using AES-256 — the same standard used by financial institutions and governments worldwide.

TLS 1.3 in Transit

All data in motion is protected with TLS 1.3. Older, vulnerable protocols are blocked. HSTS is enforced on every endpoint.

Zero-Trust Architecture

No request is trusted by default — inside or outside the network. Every action is authenticated, authorized, and logged.

SOC 2 Type II Certified

Independently audited every year against the AICPA's Trust Services Criteria. Not self-assessed — verified by a third-party auditor.

Encryption

Every byte, encrypted. Four layers of cryptographic protection covering every stage of your data's lifecycle.

Encryption standard

At rest: AES-256-GCM
In transit: TLS 1.3
Key storage: Isolated KMS
Hashing: Argon2id / SHA-3

01 Data at rest

AES-256-GCM

Every file stored on Axos infrastructure is encrypted with AES-256-GCM. Encryption keys are isolated per tenant and rotated on a scheduled cycle — your data cannot be decrypted by any other customer or by internal staff without an authorized key access event.

02 Data in transit

TLS 1.3 + HSTS

All connections use TLS 1.3 minimum. TLS 1.0 and 1.1 are disabled. HTTP Strict Transport Security (HSTS) is enforced with a 2-year max-age, preventing downgrade attacks and mixed-content vulnerabilities.

03 Key management

Per-tenant isolation

Encryption keys are stored in a dedicated key management service, separate from the data they protect. Keys are never stored alongside encrypted data. Tenant key rotation is performed without service interruption.
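As an added illustration of the per-tenant isolation described under data at rest and key management above (example code written for this page, not Axos's own implementation), the Go program below seals a record with AES-256-GCM under one tenant's key and binds the tenant ID as additional authenticated data, so the record opens only with the right key and the right tenant context. The key is held in memory purely for illustration, standing in for the isolated KMS; NewTenantKey, Seal and Open are assumed names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewTenantKey issues a fresh random AES-256 key for one tenant, as onboarding
// or scheduled rotation would. In production it lives in the separate KMS.
func NewTenantKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes selects AES-256
	_, err := rand.Read(key)
	return key, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM under the tenant's key and binds
// the tenant ID as AAD. Output layout: nonce || ciphertext || 16-byte tag.
func Seal(tenantID string, key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(tenantID)), nil
}

// Open fails with a tag mismatch if the key or the tenant ID differs from the
// one used in Seal: another tenant's key, or the wrong tenant context, both fail.
func Open(tenantID string, key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(tenantID))
}
```

Rotation follows the same pattern: open each record under the outgoing key and re-seal it under a key from a fresh NewTenantKey call, so records stay readable throughout the swap.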

04 Secrets & credentials

Vault-backed, no plaintext

All application secrets, API keys, and service credentials are stored in a secrets vault with access logging. No credentials appear in source code, logs, or environment files in production.

Access Control

Only the right people see the right data

Access control at Axos is granular, audited, and enforced at the infrastructure level — not just the application layer.

Multi-factor authentication

MFA is available on all accounts and required for admin-level roles. Supports TOTP authenticator apps.

Role-based permissions

Granular roles: Owner, Admin, Staff, and Client. Staff members see only the clients explicitly assigned to them.

Automatic session expiry

Inactive sessions are terminated after a configurable timeout. Re-authentication is required before any privilege escalation.

Device & session management

Users can view and terminate active sessions across all devices from their account settings at any time.

IP allowlisting

Enterprise accounts can restrict portal access to specific IP ranges or CIDR blocks.

Complete audit log

Every login, document access, download, signature, and permission change is logged with timestamp, user, IP address, and device.

Infrastructure

Built for availability and isolation

A data center failure, DDoS attack, or noisy neighbor cannot compromise your firm's data or availability.

Geo-redundant storage

Data is replicated across multiple availability zones. A single data center failure cannot cause data loss or service interruption.

Tenant isolation

Each firm operates in a fully isolated environment. Cross-tenant data access is architecturally impossible, not just policy-restricted.

DDoS protection

Layer 3, 4, and 7 DDoS mitigation is active on all public-facing endpoints. Automated traffic scrubbing with sub-second detection.

Point-in-time recovery

Database snapshots are taken continuously. Any data state can be restored to any point within the last 30 days.

Security Operations

Always watching, always improving

Security is not a state — it's a continuous practice.

24/7 infrastructure monitoring

Automated alerting on anomalous activity, latency spikes, and error rates. On-call engineers respond to P1 incidents within 15 minutes.

Annual penetration testing

External red-team penetration tests are conducted annually by an independent security firm. Results drive our remediation roadmap.

Vulnerability disclosure

We maintain a responsible disclosure program. Verified vulnerabilities are acknowledged within 24 hours and remediated under a defined SLA.

Incident response

A documented incident response plan covers detection, containment, eradication, and post-incident review. Affected customers are notified within 72 hours per GDPR Article 33.

SOC 2 Type II

Certified · Annual audit

Independently verified, every year

SOC 2 Type II is not a one-time certification — it requires continuous compliance over a 12-month audit period. Our controls are tested by an independent CPA firm against the AICPA's Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Enterprise clients can request the full SOC 2 Type II report under NDA for their own compliance due diligence.

Security you can trust. Start your 14-day free trial — no credit card charge today.