Security at NewAxiom
NewAxiom applies a workspace-scoped access and data protection model designed to reduce cross-tenant risk, protect sensitive connector credentials, and limit unauthorized access to pricing workflows and operational data.
Baseline controls
The current baseline focuses on workspace-scoped access enforcement, secret protection, sensitive route hardening, auditability, and safer production behavior.
Access control
- Server-side workspace authorization on protected routes.
- Workspace-scoped checks on resource lookups and operations.
- Unauthorized access attempts are denied at the backend.
- UI handling for unauthorized states is kept minimal and clear.
Role-based permissions
Permissions are scoped by workspace role so access to pricing operations, connectors, exports, and administrative actions can be restricted according to responsibility.
- owner
- admin
- manager
- analyst
- viewer
Secret protection
Connector credentials are protected with encrypted-at-rest storage and are masked from API responses and application surfaces. Raw secret values are not returned to clients.
Uploads, imports, exports, and internal routes
Uploads, imports, exports, and internal/debug routes are protected with stricter authorization and access checks to reduce accidental exposure and cross-workspace access.
Audit logging
NewAxiom records security audit events for high-risk operations and failed authorization attempts to improve traceability and incident review.
Error handling
Production error handling is designed to reduce leakage of sensitive internal details in both API and UI responses.
Current scope
This page describes the baseline controls currently implemented. Additional controls and governance improvements may be added over time as the platform expands. The baseline rollout included supporting migrations and test updates for key enforcement paths.