Trust & Security
How Axera itself is secured.
A security tool has to clear a higher bar. Here is how Axera is built to clear it — what we do, and what we deliberately do not do.
Design decisions
Three deployment modes — your call
Run agentless via container security tools you already operate (Prisma Cloud, Red Hat ACS / StackRox), agent-based via a single privileged eBPF DaemonSet at the node level, or hybrid per cluster. None of these modes inject sidecars, modify your pod specs, or touch container images. Policy is enforced through the standard Kubernetes NetworkPolicy API.
Server-side credential isolation
Cluster bearer tokens, Git tokens and ITSM keys are stored encrypted at rest. Only the Proxy service ever uses them — they never appear in the browser, never leave server memory unencrypted.
JWT + rotating refresh tokens
User sessions use signed JWT access tokens with a short TTL plus rotating refresh tokens. Refresh tokens are HttpOnly cookies, not accessible from JavaScript.
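The pattern named above (short-lived signed access token, single-use refresh token replaced on every use), as an added example that is not Axera's code. The HS256 key, the 300-second TTL, the in-memory store, the reuse-detection step and every cookie attribute other than HttpOnly are assumptions of this example.

```python
import base64, hashlib, hmac, json, secrets, time

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

SECRET = secrets.token_bytes(32)   # assumed per-process HS256 signing key
ACCESS_TTL = 300                   # assumed access-token lifetime in seconds
HEAD = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
_refresh = {}                      # sha256(refresh token) -> session record

def _sign(signing_input):
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_access(user, now=None):
    now = int(time.time() if now is None else now)
    body = _b64(json.dumps({"sub": user, "iat": now, "exp": now + ACCESS_TTL}).encode())
    return f"{HEAD}.{body}.{_sign(HEAD + '.' + body)}"

def verify_access(token, now=None):
    head, body, sig = token.split(".")      # ValueError unless exactly three parts
    if head != HEAD:                        # pinned header: the token cannot choose its algorithm
        raise ValueError("unexpected header")
    if not hmac.compare_digest(sig.encode(), _sign(head + "." + body).encode()):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def issue_refresh(user, family=None):
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()   # only the hash is stored
    _refresh[key] = {"user": user, "family": family or key, "used": False}
    return token

def rotate(token, now=None):
    rec = _refresh.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None:
        raise PermissionError("unknown refresh token")
    if rec["used"]:   # replay of an already-rotated token: revoke the whole family
        for k in [k for k, r in _refresh.items() if r["family"] == rec["family"]]:
            del _refresh[k]
        raise PermissionError("refresh token reuse")
    rec["used"] = True
    return issue_access(rec["user"], now), issue_refresh(rec["user"], rec["family"])

def refresh_cookie(token):
    # HttpOnly keeps the token away from page scripts; the other attributes are assumed
    return f"Set-Cookie: refresh={token}; HttpOnly; Secure; SameSite=Strict; Path=/auth"
```

Replaying a refresh token that has already been rotated revokes every token descended from the same login, so a stolen copy and the legitimate copy both stop working and the user has to sign in again.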
RBAC, server-enforced
Four built-in roles (Admin, NetworkOperator, Auditor, AccessUser) plus LDAP / Active Directory group mapping. Every API endpoint is permission-checked server-side, not in the UI.
Read-only signal ingestion
Axera observes via a kernel-level eBPF DaemonSet (NetObserv-based) that captures L3/L4 flows, DNS resolution, packet translation and round-trip time — without modifying workloads or relying on CNI-specific log emission. Container security tool exports (Prisma Cloud, ACS / StackRox) are an optional augmentation, not a requirement.
Full audit trail
Every action — policy create, edit, approve, reject, deploy, rollback — is logged with user, timestamp and full change set. Exportable as PDF or Excel for compliance evidence.
Where Axera runs
Axera is deployable on-premises, in your cloud (AWS, Azure, GCP), or air-gapped. There is no SaaS dependency. Your flow data and policy data never leave your infrastructure unless you choose to push them — to your Git repo, your ITSM, your SIEM.
Compliance posture
We align our development, infrastructure and data-handling practices with KVKK and ISO 27001 control families. SOC 2 Type II is on our 2026–2027 roadmap. If you have specific compliance requirements, talk to us — we can map our controls to your audit framework.