Security is foundational to everything we build. Here is how we protect your data and deployments.
Last Updated: December 2025
All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. API keys, credentials, and client secrets are stored in encrypted secret vaults with access limited to authorised systems only.
Our infrastructure runs on enterprise-grade cloud providers (AWS / GCP) with VPC isolation, private subnets, and network-level firewalls. Production environments are fully isolated from development and staging environments.
We enforce role-based access control (RBAC) and the principle of least privilege. All team access to production systems requires multi-factor authentication (MFA). Access logs are retained for a minimum of 12 months.
We maintain 24/7 monitoring of our infrastructure and applications. Anomalous activity triggers automated alerts and incident response workflows. Security incidents are logged, investigated, and disclosed to affected clients within 72 hours.
We conduct regular penetration testing of our systems and client deployments. Findings are prioritised by risk severity and remediated within defined SLAs (Critical: 24h, High: 7d, Medium: 30d). Test reports are available to enterprise clients on request.
Our security practices are aligned with SOC 2 Type II controls, GDPR data protection requirements, CCPA consumer privacy rights, and the OWASP Top 10 application security risks. We are committed to maintaining and expanding our compliance programme.
All third-party vendors and sub-processors are vetted for security compliance before engagement. We maintain a vendor security review programme and ensure data processing agreements (DPAs) are in place with all data sub-processors.
We maintain a documented incident response plan covering detection, containment, eradication, and recovery. In the event of a security incident affecting client data, we commit to notifying affected clients within 72 hours of detection.
Client data is stored on AWS infrastructure in the US-East region by default. Alternative regions can be arranged for enterprise clients with specific data residency requirements.
Yes. All team members with access to client systems undergo background checks and sign confidentiality agreements before being granted any access to production environments.
Our incident response plan is activated immediately. We contain the incident, determine scope, notify affected clients within 72 hours as required by GDPR, and provide a full post-incident report.
Yes. Enterprise clients can request our security documentation package including infrastructure architecture, access control policies, and most recent penetration test executive summary.
Please email security@aiotic.io with details of the vulnerability. We operate a responsible disclosure policy and aim to acknowledge all reports within 24 hours.
Found a security issue? We operate a responsible disclosure programme and take all reports seriously. We aim to acknowledge every report within 24 hours.