Security Policy

Last updated: April 2025

At Aude, the security of your data is our highest priority. We incorporate industry-leading security practices across our platform, infrastructure, and operations. This document details our security measures, data handling processes, and compliance commitments.

---

🔐 Overview

Security, reliability, privacy, and compliance underpin everything we do at Aude. Our approach combines best practices informed by industry standards and deep expertise from leading global software companies.

---

📑 Organizational Security Controls

Employee Access and Training

• Access to customer data is strictly limited to authorized personnel and is on a need-to-know basis.

• All employees complete regular security awareness training, emphasizing confidentiality and responsible data handling.

• Criminal background checks are conducted for employees with access to customer data.

Confidentiality

• Employees are required to sign confidentiality agreements to ensure proprietary and customer information remains protected.

---

☁️ Cloud Infrastructure

Hosting Provider

• Aude services are hosted using industry-standard cloud infrastructure providers (e.g., AWS, GCP).

• Data centers are regularly audited and meet compliance standards including SOC 2 Type II, ISO 27001, and GDPR readiness.

• Infrastructure providers offer physical and logical security measures, redundancy, and robust disaster recovery capabilities.

Data Residency

• Aude currently stores customer data in Australia (AWS ap-southeast-2) with regular backups for disaster recovery purposes.

Encryption

• All data is encrypted using AES-256 encryption at rest.

• Data in transit is secured with TLS 1.2 or higher.

---

🛠️ Technical Security Measures

Secure Software Development

• Secure coding practices and regular static code analysis are implemented throughout our software development lifecycle.

• Dependencies are continuously monitored for known vulnerabilities.

Network and Application Security

• Infrastructure is isolated behind multiple layers of firewalls.

• Application servers and databases are logically separated to further mitigate risk.

• User access to the platform requires authenticated sessions using HTTPS.

Authentication and Access Control

• Aude supports Single Sign-On (SSO) via OAuth protocols.

• Multi-factor Authentication (MFA) is enforced for all administrative access.

• Passwords and sensitive credentials are never stored in plaintext.

---

📂 Data Collection and Handling

Data We Collect

• Aude collects and processes only the data necessary to provide our services, including:

  • Source code and repository metadata

  • Issue tracking data (e.g., Jira ticket context)

  • Basic user account information for authentication (name, email)

Data We Do Not Collect

• Sensitive personal data or credentials beyond what is explicitly required for authorized integrations.

---

🔍 Logging, Monitoring, and Audit

System Monitoring

• Real-time monitoring and logging to detect unauthorized activities or anomalies.

• Security incidents trigger alerts and immediate response procedures.

Audit Logging (Planned)

• Detailed audit logs are maintained, tracking access and system activities.

Security Incident and Event Management (SIEM)

• Integration capabilities with common SIEM platforms for enterprise customers.

---

🚨 Incident Management

Incident Management

• We have a clearly defined incident response plan to rapidly detect, investigate, mitigate, and communicate security incidents.

• Customers are notified within 24 hours of confirmed security incidents impacting their data.

Responsible Disclosure

• Aude welcomes security reports and vulnerabilities via our responsible disclosure program. Report issues securely at: Daniel@aude.app

---

📜 Compliance and Certifications

• SOC 2 Type I Certification: In progress, expected completion end-2025.

• GDPR Compliance: Aude does not store personal data of users, and is not subject to GDPR.

• ISO 27001 Certification: Planned for early 2026.

---

🔄 Subprocessors and Third-party Management

• Aude maintains an updated list of subprocessors (such as cloud hosting providers, logging platforms).

• All subprocessors undergo thorough security assessments before onboarding.

• List available on request: Daniel@aude.app

---

⚖️ AI Processing and Data Governance

• No data retention or model training: Customer data is strictly used for service delivery and never utilized to train AI models.

• Requests to AI providers are transmitted individually over encrypted channels (TLS).

• Data isolation ensures customer-specific information remains confined to customer-specific instances.

---

❌ Exclusions and Limitations

This policy does not cover:

• Data or interactions with third-party services that are not explicitly integrated within Aude.

• Data stored outside of Aude’s platform or control (e.g., customer VPNs or third-party networks not managed by Aude).

---

📮 Contact and Reporting Security Issues

For security inquiries, reporting vulnerabilities, or additional documentation, please contact:

• Daniel@aude.app

Aude is committed to transparency, security excellence, and protecting your valuable data assets. Thank you for placing your trust in us.

---

🔗 Policy Updates

We regularly review and update this policy. Changes will be communicated via the Aude support website.