AethrionX is built for organizations that hold real customer data, operate under regulatory obligation, and require their vendors to operate to the same standard.
This page summarizes our security posture, governance approach, and the documentation available to enterprise security teams. Detailed reports, control mappings, subprocessor disclosures, and continuity documentation are available under NDA.
For security inquiries, vendor reviews, and coordinated disclosure: hello@aethrionx.com
AethrionX treats customer data as confidential by default and applies the protections required to meet contractual, regulatory, and customer obligations.
Customer data is encrypted in transit using TLS 1.2 or higher across all customer-facing and internal service links. Customer data is encrypted at rest using AES-256 or equivalent. Encryption keys are managed through cloud-native key management services with documented rotation procedures.
Every record in AethrionX is bound to a single customer organization. Tenant boundaries are enforced at the application layer, the data layer, and the infrastructure layer. Cross-tenant access is not permitted under any access pattern, including administrative operations.
AethrionX collects only the data required to deliver the service. Customer data is not used to train or improve AI models without explicit, contractual opt-in. Customer data is not sold, licensed, or disclosed to advertisers or data brokers under any condition.
Region-specific deployment is available for qualifying enterprise engagements. Deployment region, retention windows, and processing constraints can be configured under enterprise contract.
Customer data is retained according to contractual terms and applicable regulatory obligations. On contract termination, customer data is deleted within documented timelines, with attestation of deletion available on request.
AethrionX is closed by default. Access to customer data, both inside the product and inside our internal systems, is granted on the principle of least privilege.
All in-product surfaces require authentication. Customer-side authentication supports password, single sign-on, and multi-factor methods, with SAML and SCIM provisioning available on enterprise plans.
Role-based access control is enforced across all sensitive operations. Permissions for assignment, deletion, billing, configuration, and audit functions are gated independently of base role assignment.
Production access by AethrionX personnel is limited to a documented set of authorized engineers, requires multi-factor authentication, is logged in full, and is reviewed on a defined cadence. Production access requires explicit business need and is not granted by default.
Inbound integrations are cryptographically verified before any data is processed. Outbound integrations are scoped to the minimum permissions required.
All authentication events, permission changes, and sensitive operations are logged with attribution, timestamp, and originating context. Logs are retained according to contractual and regulatory obligations and are available to enterprise customers on request.
AethrionX is operated on infrastructure provided by major cloud service providers, with hardening, monitoring, and operational controls maintained by AethrionX on top of the underlying platform.
All code changes are reviewed by a second engineer before merge. Dependencies are continuously monitored for known vulnerabilities. Static and dynamic analysis run as part of the build pipeline. Production deployments are gated on automated security checks.
Security findings are triaged, prioritized, and remediated according to documented service-level objectives based on severity. Critical vulnerabilities are remediated on an expedited timeline.
Independent third-party testing is conducted on a recurring basis, with summary letters available under NDA.
All credentials, API tokens, and signing keys are managed through secure configuration systems with documented rotation procedures and centralized revocation.
Production environments are segmented, with ingress and egress controlled at the network layer. Public-facing services are protected by a web application firewall and DDoS mitigation.
Personnel devices accessing production systems are managed under documented endpoint protection and configuration baselines.
AethrionX honors the data protection rights granted under GDPR, CCPA/CPRA, and applicable regional regulations.
Authenticated users may exercise the rights of access, rectification, erasure, restriction, portability, and objection through documented procedures. Enterprise customers may exercise these rights on behalf of their users where contractually authorized.
A current Data Processing Addendum (DPA) is available to enterprise customers and may be executed alongside the master agreement. The DPA addresses cross-border data transfer, including Standard Contractual Clauses where required.
AethrionX uses a defined set of subprocessors to deliver the service, including hosting providers, communication and email providers, payment processors, and AI inference providers. The current subprocessor list is maintained internally and provided under NDA. Material changes to the subprocessor list are notified to enterprise customers before they take effect, with the opportunity to object.
AethrionX maintains an audit-ready record of decisions, configuration changes, and access events affecting customer data. This record is part of the platform's operational design — it is not assembled retroactively when an audit is requested.
Customer data is backed up according to a defined schedule. Backups are encrypted, geographically separated from primary systems, and tested through documented recovery exercises.
Recovery time objectives (RTO) and recovery point objectives (RPO) are defined and are available under NDA.
Continuity procedures are documented, exercised on a defined cadence, and reviewed annually. Continuity documentation is available to enterprise customers under NDA.
AethrionX maintains a documented incident response process, with defined roles, severity classifications, and communication procedures.
In the event of a security incident affecting customer data, AethrionX will notify affected customers as soon as practicable, in accordance with contractual obligations and applicable regulatory timelines (including GDPR's 72-hour notification requirement where applicable). Post-incident reviews are documented and made available to affected customers on request.
Suspected security issues may be reported to hello@aethrionx.com. Coordinated disclosure is welcomed; AethrionX will not pursue legal action against good-faith security research conducted under our disclosure policy.
The following documentation is available to qualifying enterprise customers and prospects under a mutual non-disclosure agreement:
To request access, contact hello@aethrionx.com with your organization's name and the documentation required.
For security questions, vendor security reviews, coordinated disclosure of suspected vulnerabilities, or to request documentation under NDA:
We respond to all security inquiries. Vulnerability disclosures are acknowledged within one business day.