AFFIXIO
Procurement pack
Materials that security, privacy, and procurement teams typically request before adopting AffixIO as verification infrastructure. Public summaries are on this page. Full questionnaires, penetration test summaries, and executed DPAs are available on request via Contact from your corporate domain.
Vendor summary
| Product | AffixIO verification infrastructure (stateless allow/deny API with signed proofs) |
|---|---|
| Company | AffixIO (Cardiff / Swansea, Wales, United Kingdom) |
| Production API | https://api.affix-io.com |
| Data role | Processor for customer-submitted verification inputs; customer remains controller |
| Default PII retention at verifier | None after verdict under default configuration |
Security controls summary
- TLS 1.2+ on all public API and dashboard traffic
- Encryption at rest for operational stores, backups, and configuration
- Scoped API keys with least privilege; separate sandbox and production keys recommended
- RBAC on dashboard where enabled; MFA for administrative access
- Segmented production networks; no public admin interfaces
- Immutable admin audit trails and security event logging
- Dependency monitoring, input validation, rate limiting, periodic penetration testing
- Incident response with customer notification aligned to DPA timelines (typically 72 hours where GDPR applies)
Full detail: Security documentation · Sub-processors · DPIA template
Privacy and GDPR
- Privacy Policy: /privacy
- Data Processing Agreement available for enterprise customers
- Data minimisation at verifier boundary by design (GDPR Article 25 alignment)
- Processor role; customer warrants lawful basis and transparency to data subjects
- DPIA support materials available on request
Sub-processors
Public category register: /trust/sub-processors. Named vendors under DPA on request via Contact with subject line Procurement.
Compliance alignment
Controls are mapped to expectations under GDPR/UK GDPR and practices aligned with SOC 2 and ISO 27001 style control families where applicable. ISO 42001 patterns for AI governance programmes consuming the verification gate. AffixIO provides artefacts to support due diligence but does not certify your deployment.
| Framework | AffixIO support |
|---|---|
| GDPR / UK GDPR | Processor DPA, data minimisation, breach notification |
| PCI DSS context | Scope reduction: do not send cardholder data unless explicitly contracted |
| EU AI Act | Audit trails for automated decision gates |
| NIST AI RMF | Govern and measure evidence for agent gates |
| NIST FIPS 204 (ML-DSA) | Post-quantum attestation paths on request |
Availability
Production infrastructure deploys across availability zones where supported. Encrypted backups with tested restore procedures. Current operational status: status page. Detailed availability metrics for enterprise customers may be provided under NDA or in an Order.
Documents available on request
- Completed security questionnaire (SIG, CAIQ, or custom)
- Penetration test executive summary (under confidentiality)
- SOC or ISO reports where available (under confidentiality)
- Executed Data Processing Agreement
- Sub-processor list with change notification process
- Architecture diagram pack for internal security review
How to request
Email via Contact from your corporate domain. Include organisation name, intended use case, and documents required. AffixIO typically responds within two business days for genuine procurement enquiries.