Security-First Architecture

Your Data is Our Priority

Aerie OS is built from the ground up with security as a core architectural principle, not a bolt-on afterthought. Every layer — from database to API to UI — enforces tenant isolation and data protection.

Security Features

Multi-Tenant Architecture

Every tenant is fully isolated using Supabase Row-Level Security (RLS). One tenant can never access another's data, even at the database level.

Encryption at Rest & in Transit

All data is encrypted at rest using AES-256-GCM with per-tenant HKDF-derived keys. All connections use TLS 1.3.

Authentication & MFA

Powered by Supabase Auth with JWT tokens. Multi-factor authentication (TOTP) supported for all users. Session management with automatic expiry.

Role-Based Access Control

Granular RBAC with tenant-level isolation. Administrators, technicians, and clients each see only what they should. Every permission is enforced server-side.

Infrastructure & DDoS Protection

Hosted on Cloudflare Pages with enterprise-grade WAF, DDoS mitigation, and a global CDN. Database hosted on Supabase in the UK (London) region.

AI Security

BYO API keys for AI providers — your keys never touch our servers. PII scrubbing planned for all AI interactions. We never train on your customer data.

Data Residency

Primary Database

Supabase — UK region (London). Your data stays in the UK by default. Enterprise customers can request specific regional deployments.

CDN & Edge

Cloudflare global network. Static assets are cached at edge locations worldwide for performance. No customer data is stored at the edge.

Compliance Roadmap

Cyber Essentials

Planned 2026

Cyber Essentials Plus

Planned 2026

ISO 27001

Planned 2027

SOC 2 Type II

Planned 2027

GDPR Compliance

Active Now

Responsible Disclosure

If you discover a security vulnerability in Aerie OS, please report it responsibly. We take all reports seriously and will respond within 48 hours.

Contact: security@aerie-tech.co.uk

Please do not disclose vulnerabilities publicly until we have had a chance to investigate and remediate. We are committed to working with security researchers to keep Aerie OS safe.

Security FAQ

Where is my data stored?
All data is stored in the UK (London) on Supabase with AES-256 encryption at rest. Static assets are served via Cloudflare's global CDN, but no customer data is stored at the edge.

Is Aerie OS GDPR compliant?
Yes. We are fully compliant with UK GDPR and the Data Protection Act 2018. All data processing happens within the UK, and we provide a comprehensive Data Processing Agreement.

Does Aerie hold SOC 2 or ISO 27001 certification?
Not yet. Cyber Essentials and Cyber Essentials Plus are planned for 2026. ISO 27001 and SOC 2 Type II are on the roadmap for 2027. We follow SOC 2 principles in our current development practices.

How does Aerie protect against data breaches?
Multi-tenant isolation via Row-Level Security, AES-256-GCM encryption with per-tenant keys, Cloudflare WAF with DDoS mitigation, MFA for all users, and automatic session expiry.

Can I report a security vulnerability?
Yes. Email security@aerie-tech.co.uk with details. We respond to all reports within 48 hours and operate a responsible disclosure process.