Security

At Aeris, we are committed to ensuring the highest level of security when handling Customer Data. This document outlines the internal security standards we apply to all customer-provided data, both personal and non-personal (Customer Data), ensuring confidentiality, integrity, and availability. These standards align with ISO/IEC 27002, NIST, CIS Controls, and industry best practices.

We have in place appropriate technical and organizational measures to protect the systems and the data in all stages of their life cycle, which includes adoption of “security by design” principle in all stages of our development, service delivery and service operations.

These standards apply applies exclusively to Customer Data. This document does not cover Aeris’s internal data (e.g., Aeris employee data, corporate records).

3.1   Governance & Risk Management

• We maintain a formal Information Security Management System (ISMS) that governs data security operations.
• We continuously assess and mitigate risks related to Customer Data, leveraging intelligence on emerging threats.
• A structured change management process ensures that security risks are evaluated before implementing system changes.
• Compliance with legal, contractual, and regulatory requirements is continuously monitored.

3.2   Access Control

• Customer Data access follows the principle of least privilege (PoLP), meaning only authorized personnel with a legitimate business need can access it.
• Multi-factor authentication (MFA) is in use for privileged access to systems classified based on sensitivity.
• Access rights are reviewed periodically and revocation of access for departing users is following our access control process.
• Role-based access controls (RBAC) are used to segment access based on job responsibilities.

3.3   Data Protection & Encryption

• Customer Data is classified based on sensitivity and protected accordingly.
• All data is encrypted at rest and in transit using industry-leading encryption protocols (e.g., AES-256, TLS 1.2/1.3, IPsec VPN).
• Secure file transfer mechanisms (SFTP, VPN, HTTPS) are used to ensure encrypted communication.
• Data retention policies ensure that Customer Data is securely deleted when no longer required.
• All traffic over public networks such as the Internet is encrypted. Private networks such as leased lines are defined as trusted and secure networks. Therefore, traffic over private networks is not encrypted.
• Data at rest is protected by implementing multiple physical and logical controls. These controls reduce the risk of unauthorized access or mishandling of information and privacy data, which might affect its confidentiality, availability, and integrity.
• Strict physical access controls to the data centers are followed by subsequent logical security controls, including access management, controlled authentication, the encryption of databases, disk encryption, firewalls, network segmentation, data retention, the secure disposal of data and specific security manual routines.
• Data at rest in the centralized storage is protected with hardware encryption or software encryption.
• We are using Google Cloud service data, which is secured in transit, providing authentication, integrity, and encryption through the use of TLS over HTTPS. Access control management, cryptography, and data retention policies are implemented. The encryption and protection of data is ensured along the standard GCP policy. All data stored by Google™ is encrypted at the storage layer using the Advanced Encryption Standard (AES) algorithm, AES-256.

3.4   Vulnerability & Threat Management

• We employ continuous vulnerability scanning and apply regular security patches to mitigate known threats.
• Penetration tests are performed routinely, addressing risks identified in OWASP Top 10 and MITRE ATT&CK frameworks.
• Malware detection and Endpoint Detection & Response (EDR) solutions continuously monitor threats.
• IoT-A environments follow a segmented architecture with firewalls and intrusion detection to prevent unauthorized access.

3.5   Incident Response & Business Continuity

• We maintain a Security Incident Response Plan (SIRP) to handle security incidents effectively.
• Customers are promptly notified of any security breaches affecting their data, in accordance with regulatory obligations.
• Business continuity and disaster recovery (BCDR) plans ensure minimal disruption in case of a security event.
• Regular security drills and simulations are conducted to test response readiness.

3.6   Secure API & Platform Access

• All API endpoints require authentication, authorization, and encryption (OAuth 2.0, JWT, TLS).
• API rate-limiting, logging, and monitoring for anomalies help prevent abuse and unauthorized access.
• Service portals require strong password policies, CAPTCHA protections, and session timeouts to mitigate brute-force attacks.

3.7   Third-Party & Vendor Security

• Vendors handling Customer Data must meet Aeris’s security compliance requirements, including adherence to ISO 27001 or equivalent standards.
• Third-party security assessments and audits are conducted to verify ongoing compliance.
• Cloud service providers must enforce data residency, encryption, access controls, and incident response capabilities.

3.8   Compliance & Legal Requirements

• We adhere to relevant data protection laws (including GDPR and CCPA), ensuring compliance with regional regulations.
• Regular internal and external audits validate adherence to security standards.
• Security training and awareness programs ensure that employees are continuously educated on best practices.