Security & Compliance

    Aerol is built with security at its core. We maintain comprehensive security policies aligned with industry standards to protect your code and data.

    Compliance Frameworks

    NIST Cybersecurity Framework

    Aligned

    Our security controls are mapped to the NIST Cybersecurity Framework, covering Identify, Protect, Detect, Respond, and Recover functions.

    GDPR

    Compliant

    We comply with GDPR requirements for data protection, privacy by design, data subject rights, and cross-border data transfers.

    SOC 2 Type I

    Ready

    Our policies and procedures are designed to meet the SOC 2 Trust Service Criteria. A formal audit is planned for the growth stage.

    Technical Security Highlights

    Encryption

    • AES-256-GCM encryption for data at rest
    • TLS 1.2+ for all data in transit
    • JWE-encrypted session tokens
    • OAuth tokens encrypted before storage

    Authentication

    • OAuth 2.0 via GitHub, GitLab, Google, Bitbucket
    • Multi-factor authentication supported
    • Personal access tokens with SHA-256 hashing
    • Session management with secure cookies
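    The hashed personal-access-token pattern listed above, shown as an added TypeScript example that is not Aerol's own code: the token format, the record shape and the in-memory store are assumptions made for illustration.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Assumed record shape (not Aerol's schema): only the SHA-256 of the secret is persisted,
// so a database leak does not yield usable tokens.
interface TokenRecord {
  id: string;     // public lookup key, embedded in the token
  hash: string;   // hex SHA-256 of the secret part
  userId: string;
}

const PREFIX = "aerol_pat_"; // constructed prefix for this example, not a real token format

function sha256Hex(s: string): string {
  return createHash("sha256").update(s).digest("hex");
}

// Issue a token. The secret is 32 random bytes (256 bits of entropy), which is why a plain,
// unsalted SHA-256 is adequate here; slow password hashes exist for low-entropy secrets.
function issueToken(userId: string, store: Map<string, TokenRecord>): string {
  const id = randomBytes(6).toString("hex");
  const secret = randomBytes(32).toString("base64url");
  store.set(id, { id, hash: sha256Hex(secret), userId });
  return `${PREFIX}${id}.${secret}`; // the plaintext is shown to the user once and never stored
}

// Verify a presented token: parse, look up by id, then compare hashes in constant time.
// Returns the owning userId, or null for any malformed, unknown or mismatched token.
function verifyToken(token: string, store: Map<string, TokenRecord>): string | null {
  if (!token.startsWith(PREFIX)) return null;
  const [id, secret, extra] = token.slice(PREFIX.length).split(".");
  if (!id || !secret || extra !== undefined) return null;
  const rec = store.get(id);
  if (!rec) return null;
  const stored = Buffer.from(rec.hash, "hex");
  const presented = Buffer.from(sha256Hex(secret), "hex");
  if (stored.length !== presented.length) return null;
  return timingSafeEqual(stored, presented) ? rec.userId : null;
}

// Revocation is a delete of the record; the plaintext token is never needed again.
function revokeToken(id: string, store: Map<string, TokenRecord>): boolean {
  return store.delete(id);
}
```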

    Infrastructure

    • Cloud-native deployment on GCP / Vercel
    • Kubernetes orchestration with rolling updates
    • Non-root Docker containers
    • Comprehensive SSRF protection

    Code Security

    • TypeScript strict mode across all codebases
    • Zod schema validation on all API inputs
    • Drizzle ORM preventing SQL injection
    • GitHub Actions CI/CD with automated checks

    Adopted Security Policies

    We maintain 25+ security policies covering all critical domains. All policies are reviewed annually and updated as needed.

    Access Control

    Adopted

    Role-based access control, multi-factor authentication, single sign-on via OAuth providers, and regular access reviews.

    Data Protection

    Adopted

    AES-256-GCM encryption at rest, TLS 1.2+ in transit, encryption key management, and data classification model.

    Secure SDLC

    Adopted

    Secure software development lifecycle with code reviews, dependency scanning, static analysis, and penetration testing.

    Incident Response

    Adopted

    Defined incident response team, escalation procedures, playbooks for common scenarios, and post-incident reviews.

    Business Continuity

    Adopted

    Disaster recovery procedures, data backup and recovery, application service recovery, and regular BCDR testing.

    Vulnerability Management

    Adopted

    Regular vulnerability scanning, defined remediation SLAs, and coordinated disclosure process.

    Vendor Risk Management

    Adopted

    Third-party security assessments, contractual security requirements, and ongoing vendor monitoring.

    Risk Management

    Adopted

    Annual risk assessments, risk registry, mitigation tracking, and continuous monitoring of residual risks.

    HR & Personnel Security

    Adopted

    Background screening, security awareness training, acceptable use policies, and secure offboarding procedures.

    Configuration Management

    Adopted

    Infrastructure as code, change management processes, patch management, and production deploy controls.

    Privacy & Consent

    Adopted

    Published privacy policy, GDPR data processing agreements, data subject rights procedures, and cookie policy.

    System Auditing

    Adopted

    Security event logging, audit trail integrity, internal audits, and monitoring of system activities.

    Vulnerability Disclosure

    Aerol takes security seriously. If you believe you have discovered a security vulnerability, please report it responsibly.

    Report a Vulnerability

    Email: security@aerol.ai

    What to Include in Your Report

    • Description of the vulnerability
    • Steps to reproduce the issue
    • Potential impact assessment
    • Any supporting screenshots or logs

    We will acknowledge receipt within 48 hours and work to address verified issues promptly. We ask that you allow us reasonable time to resolve the issue before public disclosure.

    Data Handling

    Aerol processes developer source code and repository metadata to provide AI-powered code analysis and documentation. We follow strict data handling procedures:

    • Code is processed in isolated, ephemeral environments and not retained beyond the analysis session
    • Your code is never used to train AI models
    • All data is classified according to our four-tier model: Critical, Confidential, Internal, and Public
    • Data deletion requests are honored promptly per our data retention policy
