Security & Compliance
Axiom OrderFlow handles EEG order intake for neurodiagnostics departments. Protecting that data — and proving how — is a first-class part of the product, not an afterthought. Here is exactly how it works, in plain terms your IT and security teams can verify.
Every table enforces PostgreSQL row-level security scoped to your organization. A query can only ever return your workspace's data — the boundary is in the database itself, so an application bug cannot leak another customer's records.
All traffic is TLS/HTTPS end to end. Data at rest is encrypted with AES-256 by the managed Postgres platform (Supabase). Order PDFs live in a private storage bucket with no public URLs — files are streamed only to authenticated, authorized members of the owning organization.
Four roles — viewer, staff, supervisor, admin — are enforced on the server on every request and re-checked in the database. The interface only ever hides what a role cannot do; the actual authority lives in RLS policies, so the UI is convenience, never the security boundary.
Every change — approvals, edits, deletions, plan and permission changes — is written through a single audited path. The actor is derived from the server session (it cannot be forged by the client), and audit records cannot be updated or deleted by anyone. Deletions keep their data and history; nothing silently disappears.
Any account can enable TOTP two-factor authentication. Once enabled, the second step is required before any private page or API responds — enforced in middleware, not just at the login screen.
AI extraction never writes to your tracker directly. Every extracted field passes a strict validation gate and then a human review and approval before it becomes a row. Structurally invalid AI output is routed to manual review — never inserted unchecked.
The privileged service key exists only in server environment variables — never shipped to a browser. Its use is a short, inventoried list (scheduled jobs, tokenized inbound feeds, the public demo), each independently authenticated. Everything a user initiates runs under their own session, so row-level security stays in force.
A nightly job purges stored order PDFs older than your configured retention window, for settled orders only — the extracted data, tracker rows, and audit history remain, and each purge is itself audited. Retention is a policy you set, enforced automatically.
We are direct about what “HIPAA-ready” means. The engineering controls a HIPAA posture depends on — encryption, access control, audit, isolation, retention — are implemented and listed above. Turning on real patient data is gated behind business and legal steps, in this order:
The platform ships locked to de-identified data — patient-identifying mode is pinned off by a database constraint, so it cannot be turned on by accident or by a bug.
Before your workspace handles real patient information, Axiom completes signed Business Associate Agreements (BAAs) with its data and AI subprocessors.
A security review is completed against your environment, and PHI mode is unlocked through a deliberate, reviewed database migration — never a toggle.
Until those steps are complete for your organization, the product runs on de-identified or synthetic data. We will not claim certification we do not hold, and we will not let real PHI into a workspace before the agreements are signed — that protects your department as much as it protects ours.
We welcome security reviews from prospective customers and will walk your IT and compliance teams through the architecture, our subprocessors, and our BAAs. If you believe you have found a vulnerability, please report it privately to info@axiomeeg.com so we can address it before any disclosure.