1. Introduction

Draxis.ai ("Draxis," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard your data when you use our cyber risk management platform, website, and related services (collectively, the "Services").

By accessing or using our Services, you agree to this Privacy Policy. If you do not agree, please do not use the Services.

2. Information We Collect

Account Information: When you create an account, we collect your name, email address, job title, and organizational role. If you enable multi-factor authentication, we store encrypted TOTP secrets and hashed backup codes.

Organizational Data: Data you provide about your organization, including risk indicators, controls, risk assessments, outcome scenarios, enterprise risk mappings, stakeholder profiles, and financial parameters.

Usage Data: We automatically collect information about how you interact with the Services, including pages viewed, features used, session duration, and interaction patterns.

AI Interaction Data: When you use the AI Risk Advisor, we process your queries and the advisor's responses. Stakeholder memory profiles are maintained to provide personalized briefings.

Security Logs: We collect audit logs of security-relevant actions including login events, MFA activity, password changes, user management actions, and IP addresses for security monitoring purposes.

Device & Technical Data: Browser type and version, operating system, device identifiers, and network information collected through standard web protocols.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide, maintain, and improve the Services
  • Authenticate users and enforce access controls via role-based permissions
  • Deliver personalized AI-powered risk briefings tailored to each stakeholder's role
  • Generate risk analytics, trend calculations, and financial impact assessments
  • Maintain audit trails for security and compliance purposes
  • Send service-related communications (security alerts, product updates, account notifications)
  • Detect, prevent, and respond to security incidents or fraudulent activity
  • Comply with legal obligations and regulatory requirements

4. Data Isolation & Multi-Tenancy

Draxis uses a database-per-tenant architecture to ensure complete data isolation between organizations. Each tenant's data — including risk indicators, controls, risks, outcomes, stakeholder profiles, chat history, and user accounts — is stored in a physically separate database. No tenant can access another tenant's data.

A central tenant registry manages only organizational metadata, such as tenant names and configuration preferences (MFA policy, SSO settings, session lifetime); it does not contain any risk or operational data.

5. AI Data Processing

The AI Risk Advisor is powered by third-party AI models (currently Anthropic's Claude API). When you interact with the advisor:

  • Your queries and relevant organizational context are sent to the AI provider for processing
  • Stakeholder memory profiles are stored locally in your tenant database, not with the AI provider
  • AI conversation history is retained per-stakeholder within your tenant's isolated database
  • We do not use your organizational data to train AI models

For details on how the AI provider processes data, please refer to Anthropic's Privacy Policy.

6. Data Security

We implement robust security measures to protect your data:

  • Authentication: RS256 JWT tokens with short-lived access tokens (15 min) and rotating refresh tokens
  • Encryption: TOTP secrets are encrypted with AES-256-GCM; passwords are hashed with bcrypt
  • MFA: TOTP-based multi-factor authentication with encrypted backup codes, configurable per-tenant and per-user
  • Access Control: Four-tier role-based access control (super admin, tenant admin, analyst, viewer)
  • Transport Security: All data is transmitted over HTTPS; session cookies are set with the HttpOnly and Secure attributes
  • Rate Limiting: Authentication endpoints are rate-limited to prevent brute-force attacks
  • Audit Logging: Immutable logs of all security-relevant actions with actor, IP address, and metadata

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Services. Specific retention periods:

  • Account data: Retained while the account exists; deleted upon account removal
  • Organizational data: Retained while the tenant exists; deleted when a tenant is removed
  • Audit logs: Retained for a minimum of 12 months for security and compliance purposes
  • AI chat history: Retained per-stakeholder within the tenant database; deletable by tenant administrators
  • Refresh tokens: Automatically expire per configured session lifetime and are revoked on logout

When a tenant is deleted, its entire database (including all associated data) is permanently removed.

8. Sub-Processors

Draxis.ai uses the following third-party sub-processors to deliver our Services. Each sub-processor is evaluated for security and privacy compliance before engagement.

Sub-Processor: Anthropic (Claude API)
  Purpose: AI-powered risk advisor and vCISO functionality
  Data Processed: User queries, organizational risk context (per-session; not used for model training)
  Location: United States

Sub-Processor: Amazon Web Services (AWS)
  Purpose: Cloud infrastructure, compute, storage, and networking
  Data Processed: All platform data (encrypted at rest and in transit)
  Location: United States

We will update this list and notify affected customers at least 30 days before engaging a new sub-processor. For the most current sub-processor list, visit our Trust Center.

9. Data Sharing & Disclosure

We do not sell your personal information. We may share data only in the following circumstances:

  • AI Processing: Query context sent to Anthropic's Claude API for AI advisor functionality (see Section 5)
  • Legal Requirements: When required by law, subpoena, court order, or government request
  • Safety: To protect the rights, safety, or property of Draxis, our users, or the public
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with prior notice
  • With Your Consent: When you have explicitly authorized us to share specific information

10. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data, subject to legal retention requirements
  • Portability: Request your data in a structured, machine-readable format
  • Restriction: Request restriction of processing in certain circumstances
  • Objection: Object to processing based on legitimate interests

Tenant administrators can manage user accounts, export data, and delete tenants directly through the platform's Settings interface. For additional requests, contact us at privacy@draxis.ai.

11. Cookies & Tracking

We use essential cookies only for authentication and session management:

  • Refresh token cookie: An HttpOnly, secure cookie used to maintain your authenticated session
  • Tenant preference: A localStorage entry to remember your last selected organization

We do not use third-party tracking cookies, advertising pixels, or analytics services that track users across websites.

12. International Data Transfers

If you are accessing the Services from outside the United States, your data may be transferred to and processed in the United States or other jurisdictions where our infrastructure or AI processing providers operate. We take appropriate safeguards to ensure your data is protected in accordance with applicable data protection laws.

13. Children's Privacy

The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy with a revised "Last updated" date. Your continued use of the Services after changes are posted constitutes acceptance of the updated policy.

15. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

Draxis.ai
Email: privacy@draxis.ai
General: hello@draxis.ai