Customer-controlled deployment
AXOS is designed to run inside infrastructure that the customer operates. Application data, prompts, and generated content stay within that boundary.
Security
A focused, technical view of how AXOS is built and supported, and how security researchers and customers can report issues.
AXOS is designed to run inside infrastructure that the customer operates. Application data, prompts, and generated content stay within that boundary.
Transport security (TLS 1.3), encryption at rest (AES-256), role-based access control, signed releases, and audit logging are applied across the AXOS surface.
Dependencies are tracked, builds run from version-controlled sources, and releases are tagged. Known vulnerabilities are triaged on a defined cadence.
We welcome reports from security researchers, customers, and the wider community. Reports are handled under a coordinated disclosure model — we ask reporters to give us a reasonable window to remediate before publicising findings.
Step 1
Email security@scotitech.com with a clear description, reproduction steps, the affected component, and any proof-of-concept material. PGP key available on request.
Step 2
We aim to acknowledge security reports within two business days, and to provide a first triage update within five business days.
Step 3
Severity is assessed against CVSS and operational impact. Remediation is delivered through a regular or out-of-band release, depending on severity.
Step 4
We coordinate public disclosure with the reporter, typically after a fix is available and customers have had a reasonable window to update. Credit is offered with the reporter’s consent.
If you research in line with the rules below, we will not pursue legal action and will treat your activity as authorised testing.
The following activities are not authorised and reports based on them will be closed.
Send security reports to the address below. For machine-readable contact information, the AXOS security.txt follows RFC 9116.
Security contact
Operator
ScotiTech Solutions Limited
If you believe a vulnerability is being actively exploited
Include the word URGENT in the subject line and provide as much context as possible. We monitor the security inbox during business hours and will escalate out-of-hours where the report indicates active exploitation.
Last updated: June 2026