Security & Infrastructure

At Aptoma, security and privacy are part of the product – not an afterthought. We operate media-critical SaaS services from the EU, and we design our infrastructure, processes and software development practices to protect confidentiality, integrity and availability of your data.

No security incidents in the last 12 months

Data Protection & GDPR

Aptoma acts as a data processor under GDPR. We maintain an up-to-date Aptoma GDPR and Security Report describing our subprocessors, data flows and safeguards, and we review it at least annually. A dedicated Data Protection Officer and security team can be reached at security@aptoma.com.

Infrastructure & Data Location

All Aptoma services and customer data are hosted on Amazon Web Services (AWS) in the EU. We rely entirely on AWS infrastructure for hosting, storage, networking and security. Primary processing and storage take place within the EU/EEA. A small number of specialised subprocessors may process limited data in the United States under the EU–US Data Privacy Framework, ensuring GDPR-compliant protection for all transfers.

AWS maintains industry-leading security certifications including ISO 27001, SOC 2, and others. We inherit and build upon AWS security controls and best practices. As an AWS APN Technology Partner, we work closely with AWS to ensure our architecture follows recommended patterns for security, availability and disaster recovery.

Access Control & Identity

Access to systems and data is restricted on a strict need-to-know basis. We use role-based access control in our applications, and all administrative access to AWS, credentials and secrets requires multi-factor authentication. Only a limited number of authorised Aptoma staff can access production environments, and access rights are reviewed regularly.

Encryption

All communication between clients, services and APIs is encrypted in transit using TLS 1.2+. Data at rest is encrypted using industry-standard algorithms within AWS-managed storage services. Encryption keys are managed centrally with strict access control and audit logging.

Backups & Disaster Recovery

We perform regular backups of application data to secure, encrypted storage in the EU. Backups are monitored for successful completion and are periodically tested for restoration. Our disaster recovery procedures cover recovery from infrastructure failures, data corruption and operator errors. Services are deployed across three data centres in AWS Frankfurt, with continuous replication to AWS Stockholm for catastrophic failure scenarios.

Monitoring & Incident Response

We continuously monitor uptime, performance and error rates across our services. Metrics and logs are collected and analysed using AWS and third-party monitoring tools, with alerting to on-call operations staff in case of anomalies. Security and service incidents follow a documented incident response process with classification, escalation and post-mortem reviews. Service status is reported at aptomastatus.com.

Software Security & Development Standards

All development at Aptoma follows our internal standard Soft Mandel (SOFTware MANagement and DEveLopment Standards in Aptoma), available publicly on GitHub. It defines requirements for version control, coding style, pull requests, testing, continuous integration and deployment processes. Changes to our services must go through code review and automated checks before they reach production.

Soft Mandel is a living standard. We review and update it as our stack and development practices evolve.

Environments: DEV / TEST / PROD

We maintain separate development, test and production environments. New features are developed and tested in non-production environments before being rolled out. Production data is not used in development or testing unless strictly necessary and subject to additional safeguards.

Subprocessors

Aptoma uses a small, carefully selected set of subprocessors for hosting, monitoring and supporting our services (for example AWS, NewRelic, Google Firebase). All subprocessors are bound by data processing agreements and are reviewed regularly. A detailed and always up-to-date list of subprocessors is available in our Aptoma GDPR and Security Report.

AI Use & Data

We use AI-assisted features and tooling to improve our products, but we apply the same security and privacy principles to AI as to any other technology. Data sent to AI providers is minimised and protected, and our integrations are designed so that customer data is not exposed beyond what is necessary for the feature to work.

SLA, Response & Availability

We provide Service Level Agreements (SLAs) as part of our customer contracts, including defined response targets for incidents and service degradation. Critical incidents are handled with immediate attention by our operations team, with clear escalation paths and customer communication routines. We have 24/7 monitoring and response plans for all our products.

Certifications

Aptoma is not currently ISO 27001 certified, but our security management practices are aligned with the same principles: risk-based control of access, infrastructure, development and operations, combined with regular reviews and documentation.

Contact & More Information

For security, privacy or compliance questions, please contact us at security@aptoma.com.

We are happy to share more detailed documentation, including our Data Processing Agreement, GDPR and security report, and technical descriptions of our setup.

Monitor service status: aptomastatus.com