Security at Aptible

Aptible cares about data security, both ours and yours. Learn more about our procedures that help keep important data safe and secure.

Aptible's Trust Packet

Aptible helps you with your compliance. We also take our compliance seriously. We created a simple way for you to access the security documents needed to trust our data security practices and our products.

Product Features

Data encryption in transit
  • Data transfers between users and the Aptible platform are secured using industry-standard encryption methods.
Data encryption at rest
  • Data within the Aptible production databases is encrypted at rest.
SAML 2.0 SSO
  • Aptible supports the industry-standard SAML 2.0 protocol for authentication using an external identity provider.
Two-factor authentication (2FA)
  • Aptible supports 2FA with Time-Based One-Time Passwords (e.g., Google Authenticator) and with hardware tokens (e.g., YubiKey).

Security Operations

Risk Management
  • We complete risk assessments to gain an accurate and thorough understanding of the potential risks to and vulnerabilities of the security, availability, and confidentiality of our products and services.
Penetration Tests
  • We engage with trusted third parties to complete network and application vulnerability scans at least annually.
Vulnerability Scans
  • Aptible performs internal vulnerability scans monthly to identify, prioritize, and remediate potential system vulnerabilities.
Vendor Management Program
  • Aptible has implemented vendor management policies and procedures to ensure protection of assets and data that are accessible by vendors, and to establish standards for information security and service delivery from vendors.
Background checks
  • Aptible conducts background checks on all applicants selected for full-time employment.
Training
  • All Aptillians receive security awareness training and all employees are required to complete the training annually.

Business Continuity
  • We have documented and implemented a business continuity plan that we activate and follow in the event of disruptions.
Backups
  • We back up all production data, and all backups are geo-replicated within the same judicial data boundary.
Testing
  • We test our business continuity plan at least annually using different real world scenarios.
Monitoring
  • We monitor Comply and Deploy so that we can understand and maintain the stability and availability of our environment.
Aptible currently maintains the following industry-standard certifications:

SOC 2

ISO 27001

HITRUST

Aptible has established a Legal team and internal processes to comply with the following regulations:

HIPAA

GDPR

CCPA

Data Transfers from the EU to the US
  • The core Aptible Deploy and Aptible Comply APIs are hosted in the United States. You may choose to run Deploy stacks in non-U.S. regions, such as the European Union or other regions of the world with laws governing data collection and use that may differ from U.S. law. Please note that when you use the core Deploy and Comply APIs, you are transferring your information outside of those regions to the United States for storage and processing. If there is an issue with anyone in the US having access to your Deploy resources, please reach out to our team to learn more about our Deploy Bring Your Own (BYO) AWS model.
Aptible Deploy

Deploy customers currently run dedicated stacks in the following Amazon Web Services (AWS) Regions:

  • US-East-1 (N. Virginia)
  • US-East-2 (Ohio)
  • US-West-1 (N. California)
  • US-West-2 (Oregon)
  • AP-South-1 (Mumbai)
  • AP-Southeast-2 (Sydney)
  • CA-Central-1 (Central Canada)
  • EU-Central-1 (Frankfurt)
  • EU-West-1 (Ireland)
  • EU-West-2 (London)
Aptible Comply
  • The Comply platform application programming interfaces (APIs) run in the AWS US East (N. Virginia) Region.
Data Protection Agreement
  • We will enter into a Data Protection Agreement that specifically outlines how and when data will be transferred from the EU to the US.
Data Retention
  • We retain your personal information only as long as necessary to accomplish the business purpose for which it was collected or to comply with our legal and contractual obligations, plus 1 year, and then securely dispose of that information.
Subprocessors
  • Aptible shares information with service providers and other third parties who perform services on our behalf. This page provides a list of vendors with whom we share personal information as well as describes where each is located and what services these vendors provide for us.
Data Deletion Requests
  • Upon request, we will delete information that we have collected about you. To exercise this option, or for additional information about our privacy and data security practices, please visit our Privacy Statement or contact us at legal@aptible.com.
Bug Bounty Program
  • We are dedicated to maintaining the security and privacy of the Aptible services and customer data. We welcome security researchers from the community who want to help us improve our products and services. If you discover a security vulnerability, please give us the chance to fix it by emailing us at security@aptible.com. Publicly disclosing a security vulnerability without informing us first puts the rest of the community at risk. When you notify us of a potential problem, we will work with you to make sure we understand the scope and cause of the issue. Thank you for your work and interest in making the community safer and more secure!
  • Please see the full details and scope of our Bounty Program here.
