Aptus builds and operates managed software products for small and medium businesses. We take the security and privacy of your data seriously. This page describes how we protect the data entrusted to us by our clients and their users.
This page covers client and product data. For how we handle visitors to aptusops.com itself, see our Privacy Policy.
Infrastructure & Hosting
All Aptus products are hosted on enterprise-grade infrastructure operated by providers who maintain SOC 2 Type II certifications. We do not operate our own data centers.
- Hosting:Vercel — edge network with automatic HTTPS (SOC 2 Type II certified infrastructure)
- Database & Storage: Supabase — built on AWS us-east-1 (SOC 2 Type II certified infrastructure)
- Encryption in transit: TLS 1.2+ on all connections
- Encryption at rest: AES-256 via infrastructure provider defaults, including database backups
Access Controls
- Platform access is protected by authentication with role-based permissions (e.g., admin, manager, read-only) defined per product
- Provider access to production environments is limited to Aptus’s managing member via authenticated dashboard with MFA enabled
- All API keys, service account credentials, and secrets are stored in encrypted environment variables — never committed to source code
- All personnel with access to client data are subject to confidentiality obligations
Development Practices
- All code is maintained in private repositories under the Aptus-LLC organization
- Every build runs a 49-item security audit across 8 categories covering API routes, authentication, data handling, OWASP headers, frontend, external services, database, and infrastructure
- Supply chain hardening: 7-day package-age gates, install-script blocking, exact version pinning, and automated dependency audits on every build
- CI/CD pipeline: SHA-pinned GitHub Actions, automated testing, and build verification. All production deployments are reviewed before merge
- Every project starts from a standardized template with authentication, middleware, monitoring hooks, and safety gates built in
- Development, staging, and production environments use separate databases and credentials
Sub-Processors
Aptus may use the following third-party services to deliver its products. Not every product uses every service — the sub-processors applicable to your product are identified in your Statement of Work.
| Service | Purpose |
|---|---|
| Supabase | Database, storage, authentication |
| Vercel | Hosting, CDN, serverless functions |
| Stripe | Payment processing |
| Twilio | Voice & SMS (where applicable) |
| Sentry | Error monitoring |
| Resend | Transactional email |
| Anthropic / OpenAI | AI assistance (chat, content where applicable) |
We notify clients before adding new sub-processors. We minimize personal data transmission in all integrations.
Monitoring
- Uptime monitoring: Automated checks with alerts on downtime
- Error monitoring: Real-time error detection and diagnostics
- Logging:Application logs maintained through hosting infrastructure
- Uptime target:99.5% monthly (details in each client’s Service Level Agreement)
Data Handling
- Client ownership: Clients own their data. Aptus has no ownership claim to client data or materials.
- Purpose limitation: We access client data solely to deliver, maintain, and support the contracted services.
- Data minimization:We collect and retain only the data necessary to operate the product as described in each client’s Statement of Work.
- Anonymized data:We may use anonymized, aggregated, non-identifiable patterns solely for improving our own products and services. We do not sell or resell aggregated data.
Data Retention & Deletion
Upon termination of a client engagement:
- Clients may request a full data export in standard format (CSV/JSON) within 30 days of termination
- Client data is permanently deleted from active systems within 30 days of termination
- Automated backups containing client data are overwritten on their normal rotation schedule (typically within 30 additional days)
- We confirm deletion in writing upon request
Incident Response
In the event of a confirmed security incident affecting client data:
- We notify the affected client within 72 hours of confirmation
- Notification includes: nature of the incident, categories and approximate number of records affected, measures taken or proposed, and a designated contact
- We cooperate with client investigation and remediation efforts
- Where a DPA is in effect, full incident response procedures are governed by the DPA
Privacy Compliance
- For clients subject to Quebec Law 25, PIPEDA, or other privacy regulations, we offer a Data Processing Addendum (DPA) that establishes contractual safeguards for cross-border data transfers, sub-processor obligations, and data subject rights assistance
- We assist clients with data subject access, correction, deletion, and portability requests
- We support clients in conducting Privacy Impact Assessments by providing information about our data processing practices, security measures, and sub-processor details
Questions
For security or privacy questions, contact us at nima@aptusops.com.
This document is a summary of Aptus LLC’s security and privacy practices and is reviewed and updated periodically. Client-specific obligations are governed by the Master Service Agreement, applicable Statement of Work, Service Level Agreement, and Data Processing Addendum (where executed).