Security Policy

‍

At Aptly, security is foundational to the trust our customers place in us. We implement industry-leading technical and organizational measures to protect the confidentiality, integrity, and availability of customer data. This Security Policy describes the core controls and practices we use to safeguard the Aptly platform and the data processed within it.

1. Infrastructure and Hosting

Aptly is hosted on Microsoft Azure, leveraging its secure cloud infrastructure across multiple regions. Key protections include:

• Data residency: Customers may select a hosting region (e.g., United States or Europe) during onboarding. Data remains within that region unless otherwise agreed.
• Physical security: Microsoft data centers are SOC 2, ISO 27001, and PCI-DSS certified with 24/7 physical security, biometric access controls, and environmental safeguards.
• High availability: We maintain redundant systems and perform regular backups to ensure business continuity.

2. Data Protection

We apply strong encryption and access controls to protect customer data at all times:

• Encryption in transit: All data is encrypted using TLS 1.2 or higher when transmitted between users and Aptly’s platform.
• Encryption at rest: Data stored in databases and file systems is encrypted using AES-256 or stronger encryption.
• Key management: Encryption keys are managed using Azure Key Vault, following industry best practices.

3. Access Control and Identity Management

We apply the principle of least privilege and enforce strong identity protections:

• Role-based access control (RBAC) is used across our application and internal systems wherever feasible.
• Single Sign-On (SSO) and Multi-Factor Authentication (MFA) are required for all Aptly employee accounts and available to customers via supported identity providers.

4. Development and Change Management

We maintain a secure software development lifecycle (SDLC), including:

• Peer-reviewed code in GitHub with automated static code analysis.
• CI/CD pipelines with security checks and controlled deployment processes.
• Segregated environments for development, staging, and production.

5. Monitoring, Detection, and Incident Response

We continuously monitor and audit our systems for threats:

• Application and infrastructure monitoring via DataDog and native Azure services.
• Centralized logging of system activity and access events.
• Alerting and anomaly detection for unusual behaviors and access patterns.
• Incident response plan with documented escalation procedures and customer notification timelines.

6. Compliance

Aptly aligns with key industry standards and frameworks:

• SOC 2
• Data Processing Agreement (DPA) and subprocessor list available at https://trust.aptlydone.com/subprocessors

7. Subprocessors

We maintain a list of authorized subprocessors and ensure each maintains appropriate security controls. You can view our current list here:
https://trust.aptlydone.com/subprocessors

8. Responsible Disclosure

If you believe you have discovered a security vulnerability in our platform, we encourage responsible disclosure and welcome reports at: security@aptlydone.com

We will acknowledge all valid reports and work to resolve issues promptly.

9. Updates to This Policy

We may update this Security Policy to reflect changes in our practices or services. Any updates will be posted at this URL and dated accordingly. We will not materially reduce the level of protection without prior notice.