Privacy Policy

Effective Date: March 30, 2026

1. Who We Are

TeNova Axiom ("Axiom," "we," "us") is a product of Tenable Nova LLC, a Georgia limited liability company. Axiom is an agentless compliance adjudication platform built on public federal standards (NIST 800-53, DISA STIGs, CMMC, FedRAMP, NIST AI RMF, EU AI Act).

2. Information We Collect

Account Information

When you create an account, we collect your email address and organization name. Authentication is managed through Supabase Auth with optional TOTP multi-factor authentication. We do not store passwords; they are hashed and managed by our authentication provider.

Compliance Telemetry

Axiom collects system configuration evidence from your infrastructure (e.g., firewall rules, service statuses, file permissions) for compliance adjudication. This data is processed deterministically and recorded as pass/fail verdicts in the Sovereign Witness Ledger. Raw evidence is not retained after adjudication unless explicitly configured.

AI Witness Data (Zero-Knowledge)

The AI Witness SDK operates on a zero-knowledge principle. At Clearing Level 1 and above, we never receive raw prompts or AI model responses, only cryptographic hashes (SHA-256) and numeric performance factors (latency, token count, refusal flag). At Clearing Level 2+, even metadata fields are purged before transmission. We cannot reconstruct, read, or infer the content of your AI interactions.

Usage Data

We log authentication events, export actions, and key management operations in an internal audit log for security and compliance purposes (NIST SI-12). We do not use third-party analytics, tracking pixels, or advertising cookies.

3. How We Use Your Information

  • Adjudicate compliance controls and generate SWT3 Witness Anchors
  • Produce audit artifacts (OSCAL SSP, POA&M, Assessment Results, executive summaries)
  • Enforce tenant isolation and role-based access control
  • Maintain an immutable compliance ledger for auditability
  • Send Slack alerts for FAIL verdicts (if configured by your organization)

We do not sell, rent, or share your data with third parties for marketing or advertising purposes. Period.

4. Data Retention

Compliance verdicts and SWT3 Witness Anchors are retained in the Sovereign Witness Ledger for the duration of your subscription. Attestation records are preserved for audit continuity. Upon account termination, all tenant-scoped data is permanently deleted within 30 days. Encrypted backups follow a 7-day rotation policy (CP-9/CP-10).

5. Data Security

All data in transit is protected by TLS 1.3 with HSTS enforcement. Data at rest is encrypted by our infrastructure providers. Tenant isolation is enforced at the database query level; every request is scoped to your tenant ID. API keys are stored as irreversible SHA-256 hashes. We maintain 167 NIST 800-53 controls on our own infrastructure and continuously adjudicate our own compliance posture using Axiom.

6. Tenant Isolation

Each customer organization is a separate tenant with strict data isolation. Your compliance data, verdicts, attestations, and configuration are never visible to other tenants. Cross-tenant queries are architecturally impossible through the scoped database client.

7. Cookies

We use a single httpOnly session cookie for authentication. We do not use tracking cookies, third-party cookies, or advertising cookies. A localStorage flag records whether you have completed onboarding; this is not transmitted to our servers.

8. Third-Party Services

  • Supabase: Authentication and database (your compliance data is stored in a Supabase-managed PostgreSQL instance with row-level security)
  • Stripe: Payment processing (we do not store credit card numbers)
  • Vultr: Infrastructure hosting (US-based data center)

We do not use Google Analytics, Facebook Pixel, Mixpanel, or any behavioral tracking service.

9. Your Rights

You may:

  • Request a copy of all data associated with your tenant
  • Request deletion of your account and all associated data
  • Revoke API keys at any time through the Settings page
  • Export your compliance artifacts at any time (OSCAL SSP, POA&M, AR, executive summary)

To exercise these rights, contact privacy@tenovaai.com.

10. Changes to This Policy

We may update this policy to reflect changes in our practices or applicable law. Material changes will be communicated via email to account holders. The effective date at the top of this page will be updated accordingly.

11. Contact

Tenable Nova LLC
Email: privacy@tenovaai.com
Web: sovereign.tenova.io

TeNova Axiom is an independent platform. All compliance mappings are based on public NIST, DISA, and EU standards. TeNova is not affiliated with any specific federal prime contractor or government agency.