Security

1. Overview

AethelLayer implements administrative, technical, and organizational measures designed to protect information processed through our Services. This page describes our approach and YOUR responsibilities. It does not create contractual warranties beyond our Terms & Conditions.

Security documentation for enterprise or pilot customers may be provided under NDA upon written request to security@aethellayer.com.

2. Infrastructure and isolation

• Cloud infrastructure with industry-standard physical and environmental controls (provider-dependent).
• Encryption in transit via TLS 1.2+ for data transmitted over public networks.
• Encryption at rest for stored Customer Data using AES-256 or equivalent (where applicable to service tier).
• Logical tenant isolation for Private Pilot instances, including dedicated RAG namespaces and access controls.
• Network segmentation and least-privilege access for production systems.

3. Access control and authentication

• Role-based access controls (RBAC) for platform administration.
• Multi-factor authentication available or required for administrative access (deployment-dependent).
• Session management and automatic timeout for inactive sessions where configured.
• YOU are responsible for credential hygiene, SSO configuration, and revoking access for departed personnel.

4. Monitoring and incident response

We maintain logging and monitoring for security events. Alerts are triaged according to severity.

We will notify you of a confirmed personal data breach affecting your Customer Data without undue delay where required by law, subject to law enforcement or forensic constraints.

Report suspected vulnerabilities to security@aethellayer.com. Do not perform unauthorized testing. We may run coordinated disclosure programs at our discretion.

5. Subprocessors

We use vetted subprocessors for hosting, email, analytics, and support. A list is available upon request. We remain responsible for subprocessors' performance under applicable agreements.

You authorize subprocessors necessary to deliver the Services unless you object in writing within ten (10) days of notice of a material new subprocessor, in which case we may terminate affected Services without refund.

6. Compliance posture

We are actively preparing for SOC 2 Type II certification. Until achieved, NO CERTIFICATION OR AUDIT REPORT SHOULD BE INTERPRETED AS A WARRANTY OF SECURITY.

You are responsible for determining whether our controls meet your regulatory obligations (GDPR, UK GDPR, etc.) and for executing a DPA where required.

7. Customer security obligations

• Configure integrations with minimum necessary scopes and review OAuth grants regularly.
• Do not share admin credentials; enforce MFA for your organization where available.
• Classify data appropriately before ingestion; do not upload unlawful or excessive personal data.
• Review AI outputs before automated downstream actions (payments, terminations, legal filings).
• Maintain your own backups where business-critical.

8. Security disclaimer

NO SECURITY MEASURE IS FOOLPROOF. YOU ACKNOWLEDGE THAT INTERNET TRANSMISSION AND CLOUD STORAGE INVOLVE INHERENT RISKS. TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE DISCLAIM LIABILITY FOR UNAUTHORIZED ACCESS, DATA LOSS, OR BREACH CAUSED BY: (A) YOUR MISCONFIGURATION; (B) THIRD-PARTY INTEGRATIONS; (C) CREDENTIAL COMPROMISE ATTRIBUTABLE TO YOU; (D) ZERO-DAY OR NOVEL ATTACKS BEYOND REASONABLE INDUSTRY PRACTICE; OR (E) FORCE MAJEURE.

Our liability for security incidents is capped as set forth in our Terms & Conditions.

9. Contact

Security inquiries: security@aethellayer.com