Security

What we do to keep your data safe and how to report a vulnerability if you find one.

Last updated · 2026-05-07

1. How we protect your data

  • TLS 1.2+ for every request between your browser and our servers;
  • AES-256 encryption at rest in Google Cloud Storage and Firestore;
  • Authentication via Firebase Authentication — passwords never reach our servers;
  • Server-side session cookies (httpOnly, secure, SameSite=Lax) — the session token is never reachable from JavaScript;
  • Hardened Firebase Security Rules: user documents are read-only for clients, and all writes go through the server-side Admin SDK;
  • Rate limiting on every authenticated endpoint and on public lead-form endpoints;
  • Pre-deploy code review by a Sonnet-based agent on every commit before any production rollout;
  • Audit logging on every administrative action.
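The "read-only on user docs" control above is a Firebase Security Rules pattern. The snippet below is an added illustration of what such a ruleset looks like, not AIXNEX's actual rules: the collection name `users` and the layout of one document per user id are assumptions. A client may read only its own document and may never write; the Admin SDK used on the server bypasses these rules entirely, which is exactly why a deny-all write rule is safe to ship.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumed layout: one document per user, keyed by the Firebase Auth uid.
    match /users/{uid} {
      // A signed-in client may read only the document that matches its own uid.
      allow read: if request.auth != null && request.auth.uid == uid;
      // Clients can never write; server-side Admin SDK writes are not subject to rules.
      allow write: if false;
    }
    // Anything not matched above is denied by default.
  }
}
```

A quick check for this pattern is to run the Firebase emulator's rules unit tests with a client authenticated as user A attempting to read user B's document and to write its own document; both must be rejected while a read of A's own document succeeds.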

2. Responsible disclosure

If you believe you have found a security vulnerability in AIXNEX, please report it to security@aixnex.com. We commit to:

  • Acknowledge your report within 3 business days;
  • Provide a triage decision (accepted / out-of-scope / duplicate / informational) within 10 business days;
  • Keep you updated as we work on a fix;
  • Credit you publicly when the issue is resolved, if you wish.

3. Safe-harbour commitment

We will not pursue civil action or initiate a complaint to law enforcement for security research that follows this policy in good faith — meaning you:

  • Make a good-faith effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data;
  • Use the explicit test accounts we provide on request — never test against real customer accounts without written permission;
  • Stop testing and report immediately if you encounter customer data; do not exfiltrate, save, or share it;
  • Give us reasonable time to remediate before any public disclosure (we ask for at least 90 days, longer for critical infrastructure issues).

4. In scope

  • aixnex.com and any subdomains we operate;
  • The AIXNEX backend APIs;
  • Authentication, billing (Ziina, Stripe), credit accounting, and admin permissions;
  • Server-side rendering of generated assets and gallery delivery.

5. Out of scope

  • Issues on third-party services we depend on (Google Cloud, Firebase, Vertex AI, fal.ai, Tripo3D, Ziina, Stripe, Anthropic) — please report to those vendors directly;
  • Social-engineering of our staff or customers;
  • Physical attacks against our offices or staff;
  • Volumetric DDoS or other automated attacks;
  • Findings derived from automated scanners without manual verification;
  • Click-jacking on pages without sensitive actions;
  • Issues in browsers more than two major versions out of date.

6. No bug bounty (yet)

We don't currently run a paid bug-bounty programme, but we recognise serious findings publicly with the reporter's permission and, if we launch a formal programme in future, we will give preferential consideration to reporters who have already contributed under this policy.

7. Encryption

For sensitive reports, you may encrypt your message with our PGP key. Request the current public key from security@aixnex.com — we'll publish the fingerprint here once stable.

Thank you for keeping our customers' data safe. Coordinated, responsible disclosure is a partnership — we take it seriously.