Axon Cloud Services Security Incident Handling and Response Statement

Axon has implemented security monitoring and incident response policies and practices for Axon Cloud Services, including Evidence.com, which follow industry best practice standards. These practices include robust attack detection, incident response procedures, logging and monitoring standards, and reporting to appropriate parties. Incident Management policies and procedures are tested and meet Axon's comprehensive compliance program requirements including ISO/IEC 27001:2013, SOC 2+ Reporting, FedRAMP Moderate, and the U.S. FBI CJIS Security Policy.

Unless otherwise provided in this Statement, this Statement is subject to the terms of the Master Services Purchasing Agreement, or other similar agreement, if any, between Axon and Customer (“Agreement”). To the extent this Statement contains terms and conditions that differ from those contained in the Agreement, the Agreement shall control. A concept or principle covered in this Statement shall apply and be incorporated into all other provisions of the Agreement in which the concept or principle is also applicable, notwithstanding the absence of any specific cross-reference thereto. All capitalized and defined terms referenced, but not defined, in this Statement shall have the meanings assigned to them in the Agreement.

Incident Handling and Response

Security event and incident handling practices have been implemented to ensure appropriate detection, analysis, containment, eradication and recovery in the event of an incident. Axon employs a dedicated Security Operations team to monitor the security of Axon Cloud Services. The team is equipped to immediately respond to threats and malicious actors.

Personnel Training

All Axon personnel are required to complete regular security awareness training including identifying and reporting all suspicious security issues. The Axon Security Operations team receives specialized training for their roles. Additionally, the Axon Security Operations team regularly attends security conferences to stay abreast of the new and emerging security trends, threats, defenses, and best practices.

Incident Notification

If Axon becomes aware that Customer Data* has been accessed, disclosed, altered, or destroyed by an unlawful or unauthorized party, Axon will notify relevant authorities and affected customers.

Notification will be made within 72 hours of incident confirmation to customer administrators registered on Axon Cloud Services. Authorities will be notified through Axon's established channels and timelines. The notification will reasonably explain known facts and actions that have been taken, and will make commitments regarding subsequent updates.

Axon does not monitor for security incidents that may occur within an Axon Cloud Services customer tenant. Monitoring of utilization of customer accounts, Evidence sharing, and utilization of other Axon Cloud Services functionality is considered the customer’s responsibility. A customer-only security compromise would not be processed as an Axon security incident and would require the customer to manage the response effort. Customer incident response may involve collaboration with Axon Customer Support and Axon Information Security.

*Customer Data is defined in the Axon Cloud Services Privacy Policy.

Reporting Potential Security Issues or Vulnerabilities

If you know or suspect security issues with an Axon Cloud Services account or if you believe you've discovered a security vulnerability on Evidence.com or with an Axon product, please email infosec@axon.com with a thorough explanation of the issue or vulnerability. Any sensitive testing results or information should be transmitted to Axon using an encrypted communication channel. Our PGP key is available here: Axon Information Security (36A266CE) – Public

We ask that you do not disclose any vulnerability information publicly or to any third party without coordination with Axon's Information Security team. Axon is committed to working with customers and the security researcher community to validate and address reported potential vulnerabilities. Further information regarding this commitment is outlined in Axon’s Penetration Testing & Vulnerability Disclosure Guidelines.

All non-security related issues should be directed to Axon Customer Support.