Security Policy

Last Updated: August 7, 2025

At Aptly, security is foundational to the trust our customers place in us. We implement industry-leading technical and organizational measures to protect the confidentiality, integrity, and availability of customer data. This Security Policy describes the core controls and practices we use to safeguard the Aptly platform and the data processed within it.

1. Infrastructure and Hosting

Aptly is hosted on Microsoft Azure, leveraging its secure cloud infrastructure across multiple regions. Key protections include:

  • Data residency: Customers may select a hosting region (e.g., United States, Europe, or other regions supported by Aptly, as may be added over time) during onboarding. Customer data remains within the chosen region unless otherwise agreed in writing.
  • Private deployments: For customers with specific regulatory, contractual, or performance requirements, Aptly supports isolated or dedicated infrastructure environments upon request.
  • Physical security: Microsoft data centers are SOC 2, ISO 27001, and PCI-DSS certified, with 24/7 physical security, biometric access controls, and environmental safeguards.
  • High availability: Aptly maintains redundant systems and regular backups to support business continuity and disaster recovery.

2. Data Protection

We apply strong encryption and access controls to protect customer data at all times:

  • Encryption in transit: All data is encrypted using TLS 1.2+ when transmitted between users and the Aptly platform.
  • Encryption at rest: Data stored in databases and file systems is encrypted using AES-256 or stronger.
  • Key management: Encryption keys are managed via Azure Key Vault in accordance with industry best practices.

3. Access Control and Identity Management

We apply the principle of least privilege and enforce strong identity protections:

  • Role-based access control (RBAC): Implemented across the application and internal systems where feasible.
  • Single Sign-On (SSO) and Multi-Factor Authentication (MFA): Required for all Aptly employee accounts and available to customers via supported identity providers.

4. Development and Change Management

Aptly maintains a secure software development lifecycle (SDLC), including:

  • Peer-reviewed code in GitHub with automated static code analysis.
  • CI/CD pipelines with integrated security checks and controlled deployment processes.
  • Segregated environments for development, staging, and production.

5. Monitoring, Detection, and Incident Response

We continuously monitor and audit our systems for threats:

  • Application and infrastructure monitoring via Datadog and native Azure services.
  • Centralized logging of system activity and access events.
  • Alerting and anomaly detection for unusual behaviors and access patterns.
  • A documented incident response plan, including escalation procedures and customer notification timelines as required under applicable law or contract.

6. Compliance

Aptly aligns with key industry standards and frameworks, including:

  • SOC 2 Type II: Independently audited annually.
  • Data residency and deployment flexibility: Aptly supports hosting in multiple regions and private deployments to meet jurisdictional and regulatory requirements (e.g., GDPR, Canadian data residency, or other local compliance obligations). Aptly may work with customers to understand and satisfy jurisdictional data residency or regulatory compliance requirements, subject to scope and feasibility.
  • Data Processing Agreement (DPA): Available at https://www.aptlydone.com/customer-data-processing-agreement.
  • Subprocessor list: Maintained at https://trust.aptlydone.com/subprocessors.

7. Subprocessors

Aptly engages certain third-party subprocessors to deliver the Cloud Service. Each subprocessor is vetted for appropriate security and compliance controls. The current list of authorized subprocessors is available at: https://trust.aptlydone.com/subprocessors

8. Responsible Disclosure

We encourage responsible disclosure of any suspected vulnerabilities in our platform. Please report issues to security@aptlydone.com.

We will acknowledge all valid reports and work promptly to investigate and remediate confirmed issues.

9. Updates to This Policy

We may update this Security Policy from time to time to reflect changes in our practices or services. Updates will be posted at this URL and dated accordingly. Aptly will not materially reduce the level of protection without prior notice.