Enterprise Security

Security at Every Layer

Tenaxis was built from the ground up with enterprise security in mind. From data isolation to fine-grained access controls, your data stays protected at every level.

Defense in depth

Security in layers, around your data

Your data sits at the centre. Encryption, access control, policy enforcement, and audit wrap around it, so a gap in one layer is not a gap in your security.

Your data

Tenant-isolated, never shared across organisations.

Encryption

AES-256 at rest, TLS 1.3 in transit, isolated secrets.

Access control

Role-based access and narrowly scoped agent identities.

Policy engine

Policy is enforced before every agent action runs.

Audit & monitoring

Tamper-evident logs and anomaly alerts across every action.

Foundations

Enterprise security at the core

Multi-Tenant Data Isolation

Each organisation's data is kept completely separate. There are no shared databases and no risk of cross-contamination, so your workflows, agents, and audit logs belong to you alone.

  • Dedicated data namespaces
  • Row-level security enforcement
  • Cryptographic data isolation
  • Zero cross-tenant access

Role-Based Access Control

Granular role-based access control across Admin, Manager, and Operator levels. Every action, from API access to workflow creation to approval authority, is scoped to what each role is permitted to do.

  • Admin / Manager / Operator roles
  • Action-level permissions
  • API key scoping
  • Session management

Full Audit & Compliance

Every user action, agent execution, and policy event is written to an immutable log. Export that data for SIEM integration, regulatory audits, or internal compliance reviews whenever required.

  • Tamper-evident event logs
  • SIEM-ready log export
  • Real-time anomaly alerts
  • Regulatory report generation

Encryption & Secrets

All data at rest is protected with AES-256 encryption, and all data in transit runs over TLS 1.3. API credentials and integration secrets are held in an isolated secrets vault, separate from application data.

  • AES-256 at rest
  • TLS 1.3 in transit
  • Secrets vault isolation
  • Key rotation policies

Security Operations

How we operate security

These are the operational security practices we are establishing as we move toward first enterprise pilots. Each item is on the roadmap and will be in place before production customer deployments.

Planned

Penetration Testing

Third-party penetration test scoped to the platform and API surface, targeted before the first enterprise pilot. Results reviewed and remediated before customer onboarding.

Establishing

Vulnerability Management

Dependency scanning (SCA) and static analysis (SAST) in the CI/CD pipeline. Critical and high findings block deployment until resolved.

Live

Responsible Disclosure

Security reports accepted at security@tenaxis.ai. We acknowledge within 3 business days and commit to a remediation timeline. Coordinated disclosure is our default.

Planned

Incident Response

Defined incident classification, escalation paths, and a customer notification runbook. Modelled on NIST SP 800-61. Tabletop exercise planned before pilot launch.

Establishing

Supply Chain & Dependencies

Software Bill of Materials (SBOM) generation, signed releases, and pinned third-party dependencies with automated update alerts for known CVEs.

Establishing

Security Awareness

Secure coding standards, mandatory review for auth and data-handling changes, and regular team briefings on AI-specific threats including prompt injection and agent hijacking.

Agentic AI Security

Security across the agentic stack

Autonomous agents introduce risks that traditional application security was not built for. We address them at three layers: what an agent is allowed to do, how each agent and its tools are hardened, and the platform they run on. What follows describes our controls, not a guarantee that risk is removed.

Agentic AI Security

Controlling what an autonomous agent is allowed to do.

  • Policy is enforced before every action. Tool calls and actuations are checked against rules before they run, not reviewed after the fact.
  • High-risk or low-confidence actions are routed to a human for approval, with full context and a timeout.
  • Least-privilege tools. Each agent can call only the tools and data scopes it has been explicitly granted.
  • Prompt-injection resistance. Untrusted content is treated as data, and tool use stays bounded by policy regardless of what the input says.
  • Bounded autonomy. Scope, rate, and blast-radius limits cap what an agent can do before it must escalate.
  • Every prompt, tool call, and decision is recorded for review.

Agent Security

Hardening each agent and the tools it runs.

  • Scoped identity. Each agent runs under its own identity with narrowly scoped credentials.
  • Secrets stay isolated. Agents reach integrations through a broker and do not receive raw API keys.
  • Validated inputs and outputs. Schema and content checks on what enters and leaves an agent.
  • Constrained tool execution. Tool calls run with limited permissions and resource budgets.
  • Provenance. Model, prompt, and tool versions are tracked so any action can be traced to what produced it.

AI Systems Security

Protecting the platform agents run on.

  • Tenant isolation, encryption in transit and at rest, and role-based access across the platform.
  • Monitoring and anomaly alerts on agent and user activity.
  • Tamper-evident, exportable audit logs for SIEM and compliance review.
  • Model and prompt activity is logged to support investigation and abuse detection.
  • Least-privilege operations and a defined incident response process.

Our controls are informed by widely used references for AI risk, including the OWASP Top 10 for LLM Applications, OWASP guidance on agentic AI threats, the NIST AI Risk Management Framework, and MITRE ATLAS. Referencing a framework is not a claim of certification against it.

Trust & Compliance Status

We publish our certification posture transparently. “In Progress” means the audit is actively running and a report is expected; “Planned” means it is on the roadmap but not yet started. We do not claim a certification until we hold the report.

GDPR (EU/UK)

Planned

Planned as a core design requirement; controller/processor obligations, SCCs, and sub-processor controls on the roadmap.

DPDP Act 2023 (India)

Planned

Lawful processing framework, consent management, grievance officer, and DPDP-aligned data retention on the roadmap.

IT Act 2000 + SPDI Rules 2011

Planned

Reasonable security practices and published privacy and grievance policies planned.

SOC 2 Type II

Planned

On the roadmap; audit planned within the next 12–18 months.

ISO/IEC 27001

Planned

ISMS scoping and Statement of Applicability planned; certification targeted after SOC 2.

Need supporting documentation (audit report, SOC 2 readiness letter, ISO Statement of Applicability, BAA template, DPA)? Write to security@tenaxis.ai.