Trust & Security
Security is foundational to compliance
We hold ourselves to the same standard we help our customers achieve. Aikraft is built from the ground up with security, data sovereignty, and transparency as core design constraints — not afterthoughts. Your compliance data is sensitive; we treat it that way.
EU Sovereign Cloud
All customer data is stored and processed exclusively in Frankfurt, Germany (AWS eu-central-1). Your data never leaves the European Economic Area.
Frankfurt, Germany
Strong Encryption
Data at rest is encrypted with AES-256. All data in transit is protected with TLS 1.3. HSTS is enforced with a minimum 1-year max-age on all endpoints.
AES-256 · TLS 1.3
Access & audit controls
Role-based access, strong authentication where applicable, and operational logging help us detect misuse and support investigations. We apply least privilege and review access regularly.
RBAC · Monitoring
Security programme
We invest continuously in secure development, dependency hygiene, and incident response. Formal third-party attestations (such as SOC 2 or ISO 27001) may be pursued as the product and organisation mature.
Evolving programme
Infrastructure
Aikraft runs on Amazon Web Services (AWS) in the eu-central-1 (Frankfurt, Germany) region. We deploy across multiple availability zones (multi-AZ) to eliminate single points of failure, ensuring high availability even during individual data centre disruptions.
Backups: Daily encrypted backups are taken automatically and stored offsite with Hetzner Online GmbH in Nuremberg, Germany — also within the EEA. Backup data is encrypted with AES-256 at rest and is subject to the same access controls as production data.
- Recovery Time Objective (RTO): < 4 hours
- Recovery Point Objective (RPO): < 1 hour
- Uptime target: 99.9% monthly (excluding scheduled maintenance)
Application Security
We follow OWASP Top 10 guidelines in our development process and perform security reviews at each stage of our software development lifecycle (SDLC). Specific measures include:
- Dependency scanning: Automated vulnerability scanning of all third-party dependencies via GitHub Dependabot and Snyk, with critical CVEs patched within 24 hours and high severity within 7 days.
- Static Application Security Testing (SAST): Integrated into our CI/CD pipeline; every pull request is scanned before merge.
- Penetration testing: Quarterly external penetration tests conducted by an independent, accredited security firm. Findings are triaged, tracked, and remediated to agreed timelines.
- Security headers: Content Security Policy (CSP), HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers are enforced on all public-facing endpoints. No inline scripts are permitted.
- Secrets management: All API keys and credentials are stored in a secrets manager (AWS Secrets Manager), never in code or environment files. Secrets are rotated on a defined schedule.
Access Controls
Access to customer data and production infrastructure is tightly controlled and audited:
- Role-based access control (RBAC): Employees are granted the minimum permissions necessary for their role (principle of least privilege). Roles are reviewed quarterly and immediately upon role changes.
- Multi-factor authentication (MFA): MFA is mandatory for all Aikraft staff accounts, including access to cloud infrastructure, code repositories, and internal tooling. Hardware security keys (FIDO2) are used for privileged access.
- Privileged Access Management (PAM): All access to production systems is brokered through a PAM solution with session recording and automatic time-limited credentials. No standing access to production databases is granted.
- SSO for Enterprise customers: Enterprise plan customers can enforce Single Sign-On (SSO) using their own identity provider via SAML 2.0 or OIDC, ensuring that offboarding and access policies are managed centrally.
- Quarterly access reviews: All production access is reviewed every quarter. Stale accounts and excessive permissions are revoked immediately.
Data Isolation
All customer workspaces are logically isolated at the application and database layer. There is no mechanism by which one customer's data can be accessed by another customer, and cross-tenant queries are architecturally prevented.
Enterprise plan customers receive dedicated encryption key management: each workspace is encrypted with a unique key stored in AWS KMS, ensuring that even a compromise of one workspace's key material cannot affect any other workspace.
Incident Response
Our security operations are monitored 24 hours a day, 7 days a week using Datadog for infrastructure and application observability, with automated anomaly detection alerting on unusual access patterns, error rate spikes, and performance degradation.
- P0 (critical) incidents: Acknowledged, with an initial response, within 1 hour of detection. All hands on deck for containment.
- P1 (high) incidents: Acknowledged within 4 hours; resolution within 24 hours or continuous updates until resolved.
- Breach notification: In the event of a personal data breach, affected customers will be notified within 72 hours per GDPR Article 33, with a full post-incident report provided to Enterprise customers within 14 days.
- Post-incident reviews: All P0 and P1 incidents trigger a blameless post-mortem with written findings, root cause analysis, and preventive action items.
- Status page: Real-time service status and incident history are published at status.aikraft.eu.
Responsible Disclosure
We actively encourage security researchers to report vulnerabilities they find in the Aikraft platform. If you believe you have discovered a security issue, please report it to us before making it public.
How to report: Email security@aikraft.eu with a detailed description of the vulnerability, steps to reproduce, and your assessment of potential impact. A PGP public key is available for encrypted submissions — request it via the same address.
Our commitments to researchers:
- We will acknowledge receipt of your report within 2 business days.
- We follow coordinated disclosure: we ask for a 90-day window from acknowledgement to remediate and notify affected customers before any public disclosure. We will work collaboratively with you on the timeline.
- We will not take legal action against researchers who report vulnerabilities in good faith, comply with this policy, and do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the vulnerability.
- We will credit researchers in our security advisories (unless they prefer to remain anonymous).
Bug bounty programme: A formal bug bounty programme with cash rewards is planned for Q3 2026. Sign up at security@aikraft.eu to be notified when it launches.
Out of scope: Social engineering attacks against Aikraft staff, denial-of-service attacks, spam, and physical security attacks are outside the scope of this policy.
Compliance
- GDPR: Aikraft processes personal data in accordance with the GDPR. We publish a full Privacy Policy and a Data Processing Agreement for customers subject to GDPR.
- EU AI Act: We use our own platform to manage Aikraft's internal AI systems — we eat our own dog food. We consider this both a product quality signal and an ethical commitment.
- Standard Contractual Clauses (SCCs): All sub-processors outside the EEA operate under the European Commission's 2021 SCCs.
- Data retention: Documented retention schedules apply to all categories of data. No data is retained beyond its justified retention period.
Questions
For security questions, vulnerability reports, or requests for security documentation (for example pentest summaries where available), please contact our security team:
Aikraft (Tonoy Akanda) — Security
Berlin, Germany
E-mail: security@aikraft.eu
We aim to respond to all security enquiries within 2 business days.