Security & trust

If we asked you to give us a feed of every device and every application running in your estate, we'd want to know how that data is going to be handled too.

Our security commitments

ISO 27001 hosting

The platform runs on Microsoft Azure UK South. ISO 27001, ISO 27017 and ISO 27018 certified hosting. SOC 2 Type II.

UK data residency

All customer data is stored, processed and backed up within UK Azure regions. No data crosses the UK border. We are a UK Ltd company subject to UK GDPR.

Encryption everywhere

TLS 1.2+ in transit. Azure SQL Transparent Data Encryption at rest. Per-tenant secrets stored separately and rotated.

MFA enforced by default

TOTP-based multi-factor authentication is mandatory for all users. Enterprise tier adds Entra ID, Okta and Google SSO with conditional access enforcement.

Full audit trail

Every console action is logged: who, when, what, from where. Audit logs are retained for 24 months and exportable. Suitable for SOC 2 / ISO 27001 evidence.

Annual pen test

Independent CREST-accredited penetration test annually. Summary report available to customers under NDA. Critical findings are remediated within 30 days.

Tenant isolation

Row-level security on every query. Even if a session is bypassed at the API layer, the database refuses to return another tenant's rows.

HMAC-signed agent payloads

Agents authenticate per-tenant with rotating shared secrets. Payloads are HMAC-SHA256 signed; replays and forgeries are rejected at the collection endpoint.
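An added illustration of what a collection endpoint like the one described above has to check, written here as example code rather than the platform's own implementation. It assumes the agent sends a tenant id, a Unix timestamp and a random nonce alongside the body, and a 300-second freshness window; the secrets and payload are constructed.

```python
import hashlib
import hmac
import time

# Constructed per-tenant secrets; a real deployment would load these from a secret store.
TENANT_SECRETS = {
    "tenant-a": b"tenant-a-shared-secret",
    "tenant-b": b"tenant-b-shared-secret",
}
MAX_SKEW_SECONDS = 300      # assumed freshness window for a signed payload
_seen_nonces = {}           # (tenant_id, nonce) -> expiry; in-memory for the example


def canonical_string(tenant_id: str, timestamp: int, nonce: str, body: bytes) -> bytes:
    # Bind tenant, time, nonce and body hash into one string so none can be swapped.
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{tenant_id}\n{timestamp}\n{nonce}\n{body_hash}".encode()


def sign(tenant_id: str, secret: bytes, timestamp: int, nonce: str, body: bytes) -> str:
    msg = canonical_string(tenant_id, timestamp, nonce, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(tenant_id: str, timestamp: int, nonce: str, body: bytes,
           signature: str, now: int = None) -> tuple:
    """Return (accepted, reason). Order matters: authenticate before touching the nonce cache."""
    now = int(time.time()) if now is None else now
    secret = TENANT_SECRETS.get(tenant_id)
    if secret is None:
        return False, "unknown tenant"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    expected = sign(tenant_id, secret, timestamp, nonce, body)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # Only authenticated payloads reach here, so forged traffic cannot fill the cache.
    for key, expiry in list(_seen_nonces.items()):
        if expiry <= now:
            del _seen_nonces[key]
    key = (tenant_id, nonce)
    if key in _seen_nonces:
        return False, "replay"
    _seen_nonces[key] = now + MAX_SKEW_SECONDS
    return True, "ok"
```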

Vulnerability disclosure

Found something that looks wrong? Email us at security@apaas.org. We commit to acknowledging within one business day and publishing a remediation timeline within five. We don't run a bug bounty (we're too small to fund it sensibly), but we will name you in our quarterly security note unless you'd prefer we didn't.

Incident communication

If we detect a security incident that affects you, we'll notify you within 24 hours of confirming impact. Status updates every 6 hours during active investigation. A full post-mortem with timeline, root cause and remediation within 14 days of resolution.

Sub-processors

A current list of sub-processors we use to deliver the service is available on request. Today it's: Microsoft Azure (UK hosting), Microsoft Entra ID (SSO for Enterprise customers), Twilio SendGrid (transactional email), Microsoft Defender (endpoint security on our infrastructure).

Want more detail?

For procurement teams: we maintain a Security & Privacy Information Pack (SPIP) covering ISO 27001 control mapping, sub-processor list, DPIA template and BCP/DR. Available under NDA. Email hello@apaas.org.