TRUST
Security at Aertous
We sell security tools to security teams. We hold ourselves to the standard our customers hold their own programs to. This page is what we actually do, written without the marketing.
Quick links: Status page · Privacy policy · [email protected] · Request DPA
1. Compliance posture
| Item | Status |
|---|---|
| SOC 2 Type 1 | In progress · Q3 2026 |
| SOC 2 Type 2 | In progress · Q1 2027 |
| External penetration test | Planned 2026 |
| Certifications held today | None. Pre-certification. |
| Frameworks the platform supports | ISO 27001 · SOC 2 · NIST CSF 2.0 · GDPR · NIS 2 · DORA |
Listing a framework above means the platform helps customers manage it, not that Aertous itself is certified to it.
2. Application security
Defaults that cannot be turned off, plus controls that are on by default but tuneable.
Mandatory by default
- Multi-factor authentication. Every account must enrol a TOTP authenticator. Backup codes are SHA-256 hashed; TOTP secrets are AES-256-GCM encrypted at rest.
- Role-based access control. Seven roles (CISO, Manager, Analyst, Engineer, Auditor, Consultant, Employee) with resource-level permissions evaluated server-side on every request.
- Organisation isolation. Every database query and API endpoint is scoped to the caller's organisation. There is no role or permission that bypasses this isolation.
- Work-email gate. Personal email domains (Gmail, Yahoo, Proton, Outlook, etc.) are rejected at signup and at team invite. Aertous is B2B-only by design.
- Mandatory tax-ID at checkout. Stripe Checkout requires a valid tax identifier (VAT, EIN, GST) in every supported jurisdiction before a payment can complete.
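As an added illustration (example code, not Aertous's own implementation), the following shows one way to realise the MFA storage controls listed above: the TOTP secret sealed with AES-256-GCM and backup codes stored as SHA-256 hashes that are consumed on use. The 32-byte key-encryption key, the use of the user id as GCM associated data, the code alphabet and the 10-symbol code length are all assumptions made for the example.

```typescript
// Added example, not Aertous code. Shows how a TOTP secret can be sealed with
// AES-256-GCM and how backup codes can be stored as SHA-256 hashes and consumed
// on use. Assumptions: a 32-byte key-encryption key (KEK) comes from a secret
// manager; the user id is bound in as associated data; codes are 10 symbols.
import {
  createCipheriv,
  createDecipheriv,
  createHash,
  randomBytes,
  timingSafeEqual,
} from "node:crypto";

export interface SealedSecret {
  iv: string;  // 12-byte GCM nonce, base64
  ct: string;  // ciphertext, base64
  tag: string; // 16-byte authentication tag, base64
}

// Seal a TOTP secret. The user id is passed as associated data, so a ciphertext
// copied from one user's row into another's fails to authenticate on open.
export function sealTotpSecret(kek: Buffer, userId: string, totpSecret: string): SealedSecret {
  if (kek.length !== 32) throw new Error("KEK must be 32 bytes for AES-256");
  const iv = randomBytes(12); // fresh nonce per seal; a reused nonce breaks GCM
  const cipher = createCipheriv("aes-256-gcm", kek, iv);
  cipher.setAAD(Buffer.from(userId, "utf8"));
  const ct = Buffer.concat([cipher.update(totpSecret, "utf8"), cipher.final()]);
  return {
    iv: iv.toString("base64"),
    ct: ct.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

// Open a sealed secret. Throws if the key, nonce, tag or associated data differ.
export function openTotpSecret(kek: Buffer, userId: string, sealed: SealedSecret): string {
  const decipher = createDecipheriv("aes-256-gcm", kek, Buffer.from(sealed.iv, "base64"));
  decipher.setAAD(Buffer.from(userId, "utf8"));
  decipher.setAuthTag(Buffer.from(sealed.tag, "base64"));
  return Buffer.concat([
    decipher.update(Buffer.from(sealed.ct, "base64")),
    decipher.final(),
  ]).toString("utf8");
}

// Backup codes: 10 symbols from a 32-symbol alphabet, 50 bits of entropy each.
// Because the codes are random and high-entropy, a single SHA-256 is adequate at
// rest; slow password hashing exists for low-entropy, user-chosen secrets.
const ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"; // 32 symbols, no 0/O/1/I

export function generateBackupCodes(count = 10): string[] {
  return Array.from({ length: count }, () =>
    Array.from(randomBytes(10), (b) => ALPHABET[b % 32]).join(""), // 256 % 32 === 0, so unbiased
  );
}

function normalise(code: string): string {
  return code.toUpperCase().replace(/[\s-]/g, ""); // users type dashes and spaces
}

export function hashBackupCode(code: string): string {
  return createHash("sha256").update(normalise(code)).digest("hex");
}

// Verify a presented code against the user's unused hashes. Every stored hash is
// compared in constant time, and the matched one is removed so it cannot be replayed.
export function redeemBackupCode(
  storedHashes: string[],
  presented: string,
): { ok: boolean; remaining: string[] } {
  const candidate = Buffer.from(hashBackupCode(presented), "hex");
  let matchIndex = -1;
  storedHashes.forEach((h, i) => {
    const stored = Buffer.from(h, "hex");
    if (stored.length === candidate.length && timingSafeEqual(stored, candidate)) matchIndex = i;
  });
  if (matchIndex === -1) return { ok: false, remaining: storedHashes };
  return { ok: true, remaining: storedHashes.filter((_, i) => i !== matchIndex) };
}
```

Two design points worth noting: the associated data ties each ciphertext to its owner, so a row-level swap in the database is detected rather than silently decrypted, and `redeemBackupCode` returns the reduced set rather than mutating, so the caller persists the new set in the same transaction that records the successful login.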
Defence-in-depth
- CSRF protection on every state-changing endpoint via signed double-submit tokens.
- Rate limiting on authenticated and public endpoints. Public-form submissions are additionally throttled per IP and behind a managed challenge.
- Audit logging for security-relevant actions (role changes, MFA resets, data exports, plan changes, trial-state transitions).
- Read-only enforcement when a subscription lapses. Writes return HTTP 402; reads continue so customers can review their data and convert without scrambling.
- Permission-aware MFA admin actions. Disabling another user's MFA requires both team-management permission and an active subscription, so an expired admin cannot weaken security posture during the conversion window.
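The per-request guard below is an added example (not Aertous's code) that models several of the controls listed in this section together: signed double-submit CSRF tokens on state-changing requests, organisation isolation checked before any role logic, server-side role permissions, HTTP 402 read-only mode when a subscription has lapsed, and the rule that disabling another user's MFA needs both team-management permission and an active subscription. The seven role names are from this page; the permission matrix, permission names, request shape, the CSRF key source and the 403/404 codes are assumptions.

```typescript
// Added example, not Aertous code. Models a per-request server-side guard with
// the controls described above: signed double-submit CSRF tokens on writes,
// organisation isolation, role permissions, HTTP 402 read-only mode on a lapsed
// subscription, and the two-condition rule for disabling another user's MFA.
// Role names are from the page; the permission matrix, permission names, request
// shape and status codes other than 402 are assumptions.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

type Role = "CISO" | "Manager" | "Analyst" | "Engineer" | "Auditor" | "Consultant" | "Employee";
type Permission = "team:manage" | "risk:write" | "risk:read";

// Assumed matrix: the page says only that permissions are resource-level.
const PERMISSIONS: Record<Role, Permission[]> = {
  CISO: ["team:manage", "risk:write", "risk:read"],
  Manager: ["team:manage", "risk:write", "risk:read"],
  Analyst: ["risk:write", "risk:read"],
  Engineer: ["risk:write", "risk:read"],
  Auditor: ["risk:read"],
  Consultant: ["risk:read"],
  Employee: ["risk:read"],
};

export interface Caller { userId: string; orgId: string; role: Role }
export interface Org { id: string; subscriptionActive: boolean }
export interface GuardedRequest {
  method: "GET" | "POST" | "PATCH" | "DELETE";
  csrfCookie?: string;   // token from the CSRF cookie
  csrfHeader?: string;   // same token echoed by the client in a request header
  resourceOrgId: string; // organisation that owns the resource being touched
  needs: Permission;     // permission the endpoint requires
  action?: "mfa:disable";
}
export interface Decision { status: 200 | 402 | 403 | 404; reason: string }

// Assumed: in production the key is loaded from Secret Manager, not generated here.
const CSRF_KEY = randomBytes(32);

function constantTimeEqual(a: string, b: string): boolean {
  const x = Buffer.from(a, "utf8");
  const y = Buffer.from(b, "utf8");
  return x.length === y.length && timingSafeEqual(x, y);
}

// Token = nonce.HMAC(nonce). Signing means a token cannot be minted by anyone able
// to plant a cookie (for example from a sibling subdomain) without the server key.
export function issueCsrfToken(): string {
  const nonce = randomBytes(16).toString("hex");
  return `${nonce}.${createHmac("sha256", CSRF_KEY).update(nonce).digest("hex")}`;
}

function csrfValid(cookie?: string, header?: string): boolean {
  if (!cookie || !header) return false;
  if (!constantTimeEqual(cookie, header)) return false; // double-submit: cookie and header must match
  const [nonce, sig] = cookie.split(".");
  if (!nonce || !sig) return false;
  const expected = createHmac("sha256", CSRF_KEY).update(nonce).digest("hex");
  return constantTimeEqual(sig, expected);             // and the token must carry a valid signature
}

export function authorize(caller: Caller, org: Org, req: GuardedRequest): Decision {
  const isWrite = req.method !== "GET";
  const perms = PERMISSIONS[caller.role];

  // 1. CSRF on every state-changing request.
  if (isWrite && !csrfValid(req.csrfCookie, req.csrfHeader)) return { status: 403, reason: "csrf" };

  // 2. Organisation isolation, before any role logic so no role can bypass it.
  //    A resource in another org is reported exactly like one that does not exist.
  if (org.id !== caller.orgId || req.resourceOrgId !== caller.orgId) {
    return { status: 404, reason: "org-isolation" };
  }

  // 3. Role-based permission for this endpoint.
  if (!perms.includes(req.needs)) return { status: 403, reason: "permission" };

  // 4. Disabling someone else's MFA needs team-management AND an active subscription,
  //    checked explicitly rather than inferred from `needs`.
  if (req.action === "mfa:disable" && !(perms.includes("team:manage") && org.subscriptionActive)) {
    return { status: 403, reason: "mfa-admin" };
  }

  // 5. Read-only mode: writes on a lapsed subscription get 402, reads still succeed.
  if (isWrite && !org.subscriptionActive) return { status: 402, reason: "subscription-lapsed" };

  return { status: 200, reason: "ok" };
}
```

The ordering is deliberate: isolation is evaluated before the role lookup so that no role can reach a cross-organisation resource, and a cross-organisation request gets the same 404 as a missing resource so the response does not reveal whether the resource exists. The MFA rule is checked on its own rather than relying on the generic 402, so an expired admin is refused by an explicit, auditable reason.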
3. Infrastructure security
- Hosting: Google Cloud (europe-west1, EU data residency). Marketing site on Vercel.
- Edge + DDoS: Cloudflare in front of every public hostname. Origin IP never exposed.
- Network: VPC default-deny-ingress. HTTPS open to the world; SSH only via Google IAP.
- Identity: OS Login enforced project-wide. SSH gated by Google IAM identity, not static keys. CI/CD authenticates via Workload Identity Federation.
- Encryption: TLS 1.2+ in transit, AES-256 at rest, HSTS, Secure + HttpOnly + SameSite cookies.
- Secrets: GCP Secret Manager. Never on disk.
- Audit logs: Cloud Audit Logs (Admin Activity) on; Data Access logs in scope of SOC 2 prep.
- Storage: No public Cloud Storage buckets. Customer-data buckets are uniform-bucket-level-access with public-access-prevention enforced.
- Backups: daily encrypted snapshots to a separate GCS bucket. Restore drill verified April 2026.
4. Operational security
- Application-layer error tracking (Sentry) with every event tagged by user, organisation, and role. PII is never auto-collected; identity tags are explicit and bounded.
- External uptime + TLS monitoring (BetterStack) with 30/14/7-day certificate-expiry alerts on every public hostname. Live status at status.aertous.com.
- Incident response. A runbook covering triage, customer communication, post-incident review, and status-page disclosure. We publish incidents proactively rather than wait to be asked.
- Dependency management. Automated supply-chain scanning on every push (Dependabot). High-severity findings patched within seven days; moderate within thirty.
5. Data protection & privacy
Full details live in our Privacy Policy. Highlights:
- EU data residency. All customer data is stored in europe-west1 (Belgium).
- GDPR data-subject access requests. Honoured within 30 days; contact [email protected].
- Data retention. Data for active accounts is retained for the duration of the subscription. After cancellation, customer data is soft-deleted immediately and permanently deleted after 90 days unless we are otherwise legally obligated.
- Data Processing Addendum. Available on request to any customer or prospect; reply to [email protected].
- Sub-processors. Stripe (payments), Resend (transactional email), Cloudflare (edge), Google Cloud (hosting), Vercel (marketing site), Supabase (database). Listed in the DPA.
6. Vulnerability disclosure
If you believe you've found a security issue in Aertous, please report it to [email protected]. Please include:
- A description of the vulnerability and its impact
- Steps to reproduce, with the minimum payload that demonstrates the issue
- The version, endpoint, or hostname affected
- Whether you'd like to be credited (we are happy to)
We acknowledge reports within two business days, triage within five, and will keep you informed through resolution. We commit to acting in good faith with researchers who follow responsible disclosure: do not access data that isn't yours, do not run automated scans against production beyond what's necessary to demonstrate the issue, and give us a reasonable window to fix before public disclosure.
We do not currently run a paid bug-bounty programme.
7. Trust documents
- Privacy Policy: /privacy
- Terms of Service: /terms
- Status page: status.aertous.com
- Data Processing Addendum: available on request, email us
- Security questionnaires (SIG Lite, CAIQ, custom): we maintain pre-filled responses and complete most enterprise questionnaires within five business days.
8. Contact
For security reports, privacy enquiries, DPA requests, and security questionnaires: [email protected].
For everything else: aertous.com/contact.
Last reviewed: April 2026. This page is updated whenever the underlying controls or certifications change. If something here disagrees with what we've told you in a questionnaire response or DPA, the contractual document wins.