Security Policy

Security is foundational to PONTIX AI's mission. We build the intelligence layer for physical operations — and the trust of our clients depends on our ability to protect their most sensitive operational data. This document describes the security architecture, controls, and practices that govern the AXIOM platform and all PONTIX Services. Our security program is built on the principle that compliance is architecture, not an afterthought.

Please read this policy carefully and often as it is subject to change.

1. Security Philosophy

PONTIX's security approach is built on three non-negotiable principles that are embedded into every system, process, and engagement we undertake:

Governance First. Compliance is architecture, not an afterthought. Every access, operation, and data movement is governed, auditable, and traceable by design. SSO, RBAC, and full audit trails are standard — not optional add-ons.

Data Sovereignty. Clients own their data. Our architecture ensures that your Facility Data and DIPR reservoir remain under your control at all times — including after contract termination. We do not use client data for any purpose beyond contracted service delivery.

Zero Source Modification. AXIOM reads enterprise systems as an overlay. It never writes to or modifies source data. This architectural constraint limits the blast radius of any potential security incident and means that deploying AXIOM carries no risk to the integrity of your existing operational systems.

2. Infrastructure Security

Cloud Architecture. PONTIX Services are hosted on enterprise-grade cloud infrastructure. All data at rest is encrypted using AES-256. All data in transit is encrypted using TLS 1.2 or higher. Production environments are logically isolated from development and staging environments. Infrastructure is provisioned using Infrastructure-as-Code with full version control and audit trails. Automated vulnerability scanning runs continuously on all infrastructure components.

Data Residency. Client data is stored in geographic regions agreed upon in the applicable Order Form. PONTIX supports regional data residency requirements for clients in the EU (Italy), Americas (Brazil/USA), and other jurisdictions upon request.

Availability. PONTIX targets 99.9% platform uptime for AXIOM. Redundant infrastructure, automated failover, and quarterly disaster recovery testing support this commitment. Scheduled maintenance windows are communicated with at least 72 hours' notice.

3. Access Control

Authentication. AXIOM supports Single Sign-On (SSO) via SAML 2.0 and OIDC for enterprise clients. Multi-factor authentication (MFA) is required for all PONTIX staff and strongly recommended for all client administrator accounts. Session tokens expire automatically after configurable periods of inactivity.

Authorization. Role-Based Access Control (RBAC) governs all platform access. Permissions are scoped to job function: Executive, Site Manager, Operator, and Administrator roles. Access to client data is restricted to personnel explicitly authorized by the client, or to PONTIX personnel required for service delivery under a documented need-to-know. PONTIX staff access to client environments is logged, time-limited, and requires manager approval.

Audit Logging. Every operation performed in AXIOM is traceable. Audit logs capture user identity, action performed, timestamp, and affected data objects. Logs are immutable and retained for a minimum of 12 months. Clients can access their own audit logs via the AXIOM dashboard or API at any time.

4. Data Security

Client Data Isolation. Each client's Facility Data and DIPR reservoir is logically isolated. Multi-tenant architecture enforces strict data boundaries — one client cannot access another's data under any circumstances.

Encryption Key Management. Encryption keys are managed using a dedicated key management service. Client data encryption keys are unique per client and can be rotated on request. Enterprise clients may supply their own encryption keys (BYOK — Bring Your Own Key).

Data Export and Deletion. Upon contract termination, PONTIX provides a full export of client DIPR data within 30 days of request. Following confirmed export receipt, client data is securely deleted from all PONTIX systems within 90 days, with written confirmation of deletion provided to the client.

Third-Party Integrations. AXIOM integrates with enterprise systems — ERP, BIM platforms, IoT networks — in read-only mode. Integration credentials are stored using secrets management best practices and are never logged or stored in plaintext.

5. On-Site Engagement Security

PONTIX's on-site teams — Reality Capture Specialists, Industrial Engineers, and Business Analysts — adhere to the following protocols during all facility visits:

  • All on-site personnel undergo background screening prior to engagement.

  • Site access credentials and physical security requirements are coordinated with the Client's designated point of contact in advance of each visit.

  • Scan data captured on-site is encrypted immediately on portable devices and transferred to secure PONTIX infrastructure within 24 hours of capture.

  • Portable storage devices used during engagements are hardware-encrypted and remotely wipeable.

  • No client data is retained on personal devices under any circumstances.

  • PONTIX personnel adhere to client-specific safety and security protocols as communicated during engagement onboarding.

6. Application Security

Secure Development Lifecycle. Security requirements are defined at the design phase of every feature. All code undergoes peer review and automated static analysis (SAST) before deployment. Dependency scanning is performed continuously to identify and remediate known vulnerabilities. Production deployments require multi-party approval and are fully logged.

Penetration Testing. PONTIX conducts annual third-party penetration testing of the AXIOM platform and supporting infrastructure. Executive summary reports are available to enterprise clients upon request under NDA.

Vulnerability Management. Critical and high-severity vulnerabilities are remediated within 30 and 60 days respectively following identification and confirmation. PONTIX maintains a responsible disclosure program — see Section 10.

7. Incident Response

PONTIX maintains a documented incident response plan with the following commitments:

  • Detection. Automated monitoring and alerting for anomalous activity operates 24/7. Our security team is on-call around the clock.

  • Notification. Affected clients are notified within 72 hours of PONTIX confirming an incident that may affect their data, in accordance with applicable regulations including GDPR Article 33 and LGPD requirements.

  • Containment and Remediation. A dedicated incident response team follows documented playbooks to contain, eradicate, and recover from incidents with minimal disruption to client operations.

  • Post-Incident Review. Root cause analysis and corrective actions are documented and shared with affected clients within 30 days of incident closure.

8. Compliance and Certifications

PONTIX's security program is designed to meet or exceed the following frameworks and standards:

  • ISO/IEC 27001 — Information Security Management System (certification in progress).

  • SOC 2 Type II — Security, availability, and confidentiality trust service criteria (audit currently underway).

  • GDPR — General Data Protection Regulation (European Union).

  • LGPD — Lei Geral de Proteção de Dados (Brazil).

  • NIST Cybersecurity Framework — used as the baseline for enterprise risk management and control selection.

Current compliance status, audit reports, and completed security questionnaires are available to enterprise clients upon request under NDA. Please contact security@pontix.ai to request these materials.

9. Employee Security

All PONTIX employees complete security awareness training upon hire and annually thereafter. Role-specific security training is required for engineers, data scientists, and all client-facing personnel. Access to production systems is provisioned on a least-privilege basis and reviewed quarterly. Employee departures trigger revocation of access across all systems on the day of departure. Phishing simulation exercises are conducted quarterly to maintain organizational vigilance.

10. Responsible Disclosure

PONTIX encourages responsible disclosure of security vulnerabilities. If you believe you have discovered a security issue affecting PONTIX services, please contact our security team at security@pontix.ai.

Our commitments to security researchers acting in good faith:

  • Acknowledgement of your report within 2 business days.

  • Investigation of all credible reports, regardless of severity.

  • Regular updates on investigation progress and remediation timelines.

  • No legal action against researchers following our responsible disclosure guidelines.

Please do not access or exfiltrate client data, conduct denial-of-service attacks, or perform social engineering of PONTIX staff as part of any security research activity.

© 2026 PONTIX AI, Inc. All rights reserved. PONTIX, AXIOM, NaroMapping, DRIP (Data-Rich Insight Pool), and related marks are trademarks of PONTIX.