Trust & Security

Procurement-ready answers, without a sales call.

This page is built for security, procurement, and compliance reviewers. It answers the concrete questions you ask before approving a vendor: where data processes, what leaves your boundary, how we map to your compliance frameworks, how to report a vulnerability, and the current SOC 2 posture.

01

Where does data process?

Data residency and where RAXE detection logic executes relative to your infrastructure.

RAXE is designed so detection runs inside your control boundary. The detection engine, classifiers, and scoring all execute on infrastructure you operate: in your VPC, on your hosts, or in an air-gapped environment.

In Enterprise deployments, telemetry and logs stay on your side unless you explicitly opt in to share anonymised signals with RAXE Intelligence. Enterprise prompt and response content is not transmitted to a RAXE-operated scanning cloud as part of normal operation.

  • Default deployment: detection runs inside your environment.
  • Data residency: follows your hosting region. We do not move traffic across regions.

02

What leaves your boundary?

Your prompts and responses stay with you. We share anonymised detection telemetry to keep detections sharp. Enterprise can turn it off or run air-gapped.

Stays with you
  • Prompts, responses, and session content
  • Tool-call arguments and results
  • Detection scores and verdicts
  • Operating record and evidence exports
  • Customer-specific configuration and policy

Anonymised detection telemetry

Structured threat metadata only: family, technique, severity, classification tier. No prompts, no responses.

  • Community Edition: on by default. Keeps detection sharp for everyone.
  • Enterprise: opt out entirely, route through your own network, or run air-gapped.

The public browser demo on raxe.ai scans the prompt you paste as part of the detection walkthrough. Default on, toggle off in the demo.

03

What deployment models are supported?

Topology options and which integration path each model supports.

VPC / Private cloud

Control plane and detection agents all run inside your VPC. No RAXE-operated infrastructure in the traffic path. Signatures delivered via outbound HTTPS fetch.

Regulated industries · Gateway · SDK · Host Sensor

On-premise

Installed on customer hardware. Supports K8s DaemonSet, sidecar, systemd, and standalone Gateway deployments. Signature updates via internal mirror.

Sovereign workloads · Gateway · SDK · Host Sensor

Air-gapped

Fully disconnected deployment. Signature and model updates delivered out-of-band via signed packages. No outbound connectivity to RAXE services required.

Defence / critical infra · Gateway · SDK · Host Sensor

04

What compliance frameworks map to which controls?

How RAXE capabilities support your framework obligations. Every entry links to the primary source.

Framework / Status / What RAXE supports

  • Status: Controls aligned. Map, Measure, Manage, Govern: RAXE provides runtime monitoring, governance evidence, and measurable outputs across the AI lifecycle.
  • Status: Controls aligned. AIMS (AI Management System) supporting evidence: operating record, change management, and evaluation of AI system behaviour.
  • Status: Controls aligned. High-risk system obligations: transparency, human oversight, logging, accuracy monitoring. Annex III obligations apply from 2 Aug 2026 (Digital Omnibus may adjust).
  • SOC 2. Status: Programme in progress. Controls aligned to SOC 2 Trust Services Criteria. See SOC 2 posture below for the current status and timeline.
  • Status: Controls aligned. Data minimisation by architecture (on-customer-infrastructure processing). Data processing agreements available for enterprise customers.
  • Status: Supporting evidence. ICT third-party risk and incident reporting support. DORA is already in force for EU financial entities.

05

Vulnerability disclosure

How to report a security issue responsibly, what is in scope, and our safe-harbour commitment.

security.txt

  • Scope: RAXE Gateway, Application SDK, Host Sensor, Intelligence, and raxe.ai web properties.
  • Out of scope: Third-party cloud infrastructure, denial-of-service tests against production, social-engineering attacks on staff or customers.
  • Response SLA: Initial acknowledgement within 3 business days. Triage within 7 business days. Remediation timeline communicated with triage outcome.
  • Safe harbour: Good-faith security research conducted within scope will not be pursued legally. Please avoid privacy violations, data destruction, and service disruption.

06

SOC 2 posture

The current state of our SOC 2 programme and what we can share today.

SOC 2 programme status: in progress. RAXE has aligned internal controls to the SOC 2 Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) and is working through formal audit readiness. We do not claim a completed SOC 2 Type II audit.

For enterprise evaluations we can share the following under NDA:

  • Control matrix mapped to SOC 2 TSC
  • Current audit timeline and auditor relationship (when established)
  • Security questionnaire responses (SIG Lite, CAIQ v4)
  • Data processing agreement and sub-processor list

Ask the team for the current status: email security@raxe.ai or book a walkthrough.

Still have questions?

Book a 30-minute call with a RAXE engineer. No sales funnel.
