How we protect the data you trust us with — and what you can verify yourself because the platform is open source.
TLS 1.2+ in transit. AES-256 at rest. Secrets stored in a managed vault, never in code or config.
Production access is limited to a small on-call group, requires SSO + 2FA, and is audited.
Running on managed cloud platforms with private networking, automated patching, and isolated workspaces.
Sign in with Google, Microsoft, or GitHub. SSO and SCIM available on Enterprise.
The core platform is open source. Anyone can audit the code, the data model, and the algorithms we use. If you need full control, you can self-host the same software we run in our cloud.
We are working towards SOC 2 Type II certification. Until certification is complete, we're happy to share details of our controls and progress with prospective customers under NDA. Email security@aexy.io.
Workspace data is logically isolated and queried only by authenticated requests bound to that workspace. Backups are encrypted and retained for a limited period. Enterprise customers can request private-cloud or VPC deployment.
If you believe you've found a security issue, please email security@aexy.io with steps to reproduce. Please do not publicly disclose until we've had a reasonable opportunity to fix it (typically 90 days). We commit to acknowledging reports within two business days and to keeping you informed while we work on a fix.
If a security incident affects your data, we'll notify the affected workspace owners as soon as we have reliable information, and follow up with a written post-incident review.