Security & Compliance

Data protection

Encryption at rest using AES-256
TLS 1.2+ enforced for all traffic in transit
Per-tenant data isolation from the application layer to the database
Secrets managed via HSM-backed key management
Automated backups with point-in-time recovery

Access control

Role-based access control scoped per tenant and per environment
SSO via SAML 2.0 and OIDC for admin users
Scoped API keys with least-privilege permissions
Audit log for every admin action and API call
Hardware token support for privileged operations

Network and infrastructure

Deployed across multiple regions with failover
Private networking for all inter-service traffic
Web application firewall and DDoS protection
Regular penetration testing by independent third parties

Certifications & Frameworks

SOC 2 Type II - annual audit covering security, availability, and confidentiality
ISO 27001 - certified information security management system
PCI DSS (SAQ-A) - tokenization and hosted-fields patterns keep card data out of scope
GDPR - data processing agreements, DPIA support, and EU data residency
CCPA/CPRA - consumer rights, deletion, and export APIs
PSD2 / SCA - strong customer authentication handled at the PSP layer
LGPD, PIPL, POPIA - regional data protection supported via storefront policies

Customer controls

Data residency by region (EU, US, APAC)
Customer-managed encryption keys on Enterprise plans
Configurable data retention per tenant
Export, portability, and right-to-deletion APIs

Responsible disclosure

Report security issues to security@azotte.com. PGP public key available on request. We acknowledge reports within 24 hours and aim to resolve valid reports within 30 days. A bug bounty program is available for security researchers in good standing.

Audit reports & questionnaires

SOC 2, ISO 27001, and filled security questionnaires are available under NDA. Contact trust@azotte.com.