The platform that checks your security must itself be secure. Here's exactly how we protect your data — with no marketing language, just the controls and architecture.
Technical Controls
Every layer of our stack is hardened. Here's the full breakdown of how we implement each control category.
| Control | Implementation | Status |
|---|---|---|
| Encryption at Rest | AES-256-GCM for all stored data. Encryption keys managed by AWS KMS with automatic annual rotation. Database-level encryption enabled on all RDS, S3, and EBS volumes. Backups are encrypted with the same policy. | ✓ Active |
| Encryption in Transit | TLS 1.3 enforced for all API and web traffic. TLS 1.0 and 1.2 are rejected at the load balancer. HSTS preloaded with a one-year max-age. Certificate transparency monitoring via Let's Encrypt + AWS ACM. | ✓ Active |
| Authentication | SAML 2.0 and OIDC SSO supported (Okta, Google Workspace, Azure AD, JumpCloud). MFA is required for all user accounts — TOTP, hardware keys (WebAuthn/FIDO2), and SMS as a fallback. Session tokens are short-lived (24h) with sliding expiry. | ✓ Active |
| Authorization | Attribute-Based Access Control (ABAC). Every API request is evaluated against a policy engine (inspired by Google Zanzibar) that checks subject attributes, resource tags, and environmental conditions. Least-privilege by default. | ✓ Active |
| Data Isolation | PostgreSQL Row-Level Security (RLS) enforces tenant isolation at the database layer — even a compromised application process cannot read another tenant's rows. Tenants are also isolated at the network layer via separate VPCs. | ✓ Active |
| Audit Logging | Immutable, append-only audit trail of all authentication events, authorization decisions, and data access. Logs are shipped to a separate AWS account with SCPs preventing modification or deletion. Retention: 7 years minimum. | ✓ Active |
| Penetration Testing | Bi-annual application and infrastructure pen tests conducted by an independent CREST-certified firm (BreachLock). Full reports available to enterprise customers under NDA. Findings are remediated on a 14-day SLA (critical) or 30-day SLA (high). | ✓ Active |
| Vulnerability Management | Snyk runs on every PR to scan application dependencies. Trivy scans all container images in CI/CD. AWS Inspector scans EC2 and ECS workloads daily. Critical CVEs trigger an automated PagerDuty incident and must be patched within 24 hours. | ✓ Active |
| Web Application Firewall | AWS WAF deployed in front of all public endpoints with OWASP Core Rule Set, rate limiting (1,000 req/min per IP), and bot detection rules. CloudFront integrates WAF at the edge for sub-10ms latency overhead. | ✓ Active |
| DDoS Protection | AWS Shield Advanced is active across all regions, providing automatic DDoS mitigation and 24/7 support from the AWS DDoS Response Team (DRT) for L3/L4 and L7 attacks. SLA: zero downtime from DDoS events. | ✓ Active |
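The Data Isolation row above relies on PostgreSQL Row-Level Security. The following is an added illustration of how such a tenant policy is typically wired up; it is not AegisComply's schema or code, and the table, column, role and setting names (`evidence`, `tenant_id`, `app_user`, `app.tenant_id`) and the UUIDs are assumptions made for the example. The points a practitioner checks are in the comments: the application role must neither own the table nor hold `BYPASSRLS` (superusers and `BYPASSRLS` roles skip every policy), RLS should be `FORCE`d so the owner is covered too, the tenant must come from the authenticated session rather than a client parameter, and `SET LOCAL` should be used so a pooled connection cannot carry one request's tenant into the next.

```sql
-- Added example, not AegisComply's own schema: pinning every query to one
-- tenant with PostgreSQL Row-Level Security. All names are assumptions.

-- 1. The application connects as a non-superuser role that does not own the
--    table. NOBYPASSRLS is the default, stated here so the intent is explicit;
--    superusers and BYPASSRLS roles are never filtered by policies.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;

CREATE TABLE evidence (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    payload   text NOT NULL
);

-- 2. Enable RLS and FORCE it so that even the table owner is subject to the
--    policies (owners are exempt without FORCE).
ALTER TABLE evidence ENABLE ROW LEVEL SECURITY;
ALTER TABLE evidence FORCE ROW LEVEL SECURITY;

-- 3. One policy for every command. USING filters reads and the old row of
--    UPDATE/DELETE; WITH CHECK validates new rows. current_setting() is called
--    with missing_ok = true, so an unset tenant yields NULL and the comparison
--    is never true: a session that forgot to set a tenant sees nothing,
--    rather than everything.
CREATE POLICY tenant_isolation ON evidence
    FOR ALL
    TO app_user
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON evidence TO app_user;
GRANT USAGE, SELECT ON SEQUENCE evidence_id_seq TO app_user;

-- 4. Verification queries an auditor can run: the role must not bypass RLS,
--    and the table must have RLS both enabled and forced.
SELECT rolname, rolsuper, rolbypassrls
  FROM pg_roles WHERE rolname = 'app_user';            -- expect f, f
SELECT relname, relrowsecurity, relforcerowsecurity
  FROM pg_class WHERE relname = 'evidence';            -- expect t, t

-- 5. Per request, inside one transaction: switch to the restricted role and
--    set the tenant taken from the *authenticated* session, never from a
--    client-supplied parameter. SET LOCAL is discarded at COMMIT/ROLLBACK,
--    so a pooled connection cannot leak the previous request's tenant.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

-- A row for the current tenant is accepted:
INSERT INTO evidence (tenant_id, payload)
VALUES ('11111111-1111-1111-1111-111111111111', 'tenant A control evidence');

-- A row tagged with another tenant fails the WITH CHECK clause
-- ("new row violates row-level security policy"):
-- INSERT INTO evidence (tenant_id, payload)
-- VALUES ('22222222-2222-2222-2222-222222222222', 'tenant B data');

-- Reads are filtered transparently; other tenants' rows are simply absent,
-- which is what makes a compromised application process unable to enumerate
-- them even with an unconstrained query:
SELECT id, tenant_id, payload FROM evidence;
COMMIT;
```

The session-variable approach shown here is one common way to carry the tenant into the policy; a deployment could equally key the policy on the connecting role. Whichever is used, the guarantee in the table above holds only while the application's database role cannot bypass RLS and the tenant value is set from server-side session state, which is why the verification queries in step 4 belong in a periodic control check rather than being run once at setup.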
Data Residency
Choose your region at signup. Customer data never leaves your selected region — we do not replicate across region boundaries without explicit consent.
Responsible Disclosure
We believe the security community is a partner, not an adversary. If you find a vulnerability, we want to hear from you — and we'll reward responsible disclosure.
We run a private bug bounty program via HackerOne. Scope covers all production API endpoints, the web application, and authentication flows. Out-of-scope: social engineering, physical attacks, third-party services.
Not in our bug bounty scope? You can still report vulnerabilities using coordinated disclosure. We commit to acknowledging reports within 24 hours, providing a remediation timeline within 72 hours, and crediting researchers publicly (if desired).
We ask that you do not publicly disclose vulnerabilities before we've had 90 days to address them. We will never pursue legal action against good-faith security researchers.
security@aegiscomply.io
Certifications & Attestations
AegisComply eats its own dog food — we use the platform to manage our own compliance posture and work toward the same certifications we help customers achieve.
AICPA TSC covering Security, Availability, Confidentiality, and Processing Integrity. Audit conducted by Prescient Assurance. Report available to customers under NDA upon completion.
Full ISMS implementation and third-party certification planned for Q4 2026. Our internal compliance team (led by Riya Mehta) is managing the gap analysis and Statement of Applicability now.
AegisComply acts as a GDPR Data Processor for EU customers. We have executed Data Processing Agreements (DPAs) with all EU sub-processors. SCCs are in place for any data transfers outside the EU.
Security is not a feature — it's the foundation. Start your free trial and see how AegisComply protects your compliance data from day one.