Data handling
- Encryption in transit: TLS 1.3 everywhere. HSTS preload on all customer-facing domains.
- Encryption at rest: AES-256 on primary databases, object storage, call recordings, and backups.
- Key management: AWS KMS with automatic rotation. Segregated keys per tenant for multi-location customers.
- Network isolation: All production traffic flows through private subnets. No publicly exposed databases.
- Backups: Point-in-time recovery for 30 days. Daily snapshots retained for 1 year.
- Payments: Card data never touches Aaptly servers — handled directly by Stripe (PCI-DSS Level 1 service provider).
Access control
- Role-based access per user (Owner / Manager / Provider / Receptionist) with granular per-field permissions.
- SSO (SAML + OAuth) available on Growth — Okta, Azure AD, and Google Workspace supported.
- Every privileged action (payment refund, client-record edit, sensitive-data access) logged with timestamp, user, and IP.
- Customer-facing audit log available on Growth.
HIPAA-aware intake (for med spas and clinical workflows)
Our intake and consent flows are designed for the kinds of records med spas and clinical operators handle every day:
- E-signed consent waivers attached to the client record.
- Encrypted medical-history fields with per-record audit logging.
- Field-level access controls so a front-desk role can’t read a clinical note.
- Transcript and call-recording retention policies you can configure per studio.
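The role-based, per-field permissions described under Access control and the field-level controls above (a front-desk role that cannot read a clinical note, with every sensitive-data access logged) come down to a deny-by-default field filter that also writes an audit record. The following is an added example, not Aaptly's code: the role names come from the page, but the permission matrix, field names and sample record are assumed for illustration.

```python
"""Field-level read access control with audit logging (deny by default).

Added example for this page, not Aaptly's code. Role names are the ones the
page lists; the permission matrix, field names and sample record are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List

# Assumed permission matrix: a role may read only the fields listed for it.
# Anything not listed, and any unknown role, is denied.
READ_POLICY: Dict[str, FrozenSet[str]] = {
    "Owner": frozenset({"name", "phone", "email", "medical_history",
                        "clinical_note", "consent_waiver"}),
    "Manager": frozenset({"name", "phone", "email", "consent_waiver"}),
    "Provider": frozenset({"name", "phone", "medical_history",
                           "clinical_note", "consent_waiver"}),
    "Receptionist": frozenset({"name", "phone", "email"}),
}

# Fields whose access (allowed or denied) must appear in the audit log.
SENSITIVE_FIELDS: FrozenSet[str] = frozenset({"medical_history", "clinical_note"})


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    role: str
    ip: str
    record_id: str
    field_name: str
    allowed: bool


@dataclass
class AuditLog:
    events: List[AuditEvent] = field(default_factory=list)

    def record(self, **kw) -> None:
        self.events.append(
            AuditEvent(timestamp=datetime.now(timezone.utc).isoformat(), **kw))


def read_client_record(record: Dict[str, str], record_id: str, user: str,
                       role: str, ip: str, log: AuditLog) -> Dict[str, str]:
    """Return only the fields `role` may read.

    Every sensitive field the caller touches is logged with user, role, IP,
    timestamp and outcome, so denied attempts are visible too. Denied fields
    are omitted rather than masked, so the caller cannot tell whether they
    are populated.
    """
    allowed_fields = READ_POLICY.get(role, frozenset())
    visible: Dict[str, str] = {}
    for name, value in record.items():
        ok = name in allowed_fields
        if name in SENSITIVE_FIELDS:
            log.record(user=user, role=role, ip=ip, record_id=record_id,
                       field_name=name, allowed=ok)
        if ok:
            visible[name] = value
    return visible


# Constructed sample record, not real client data.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "Jane Example",
    "phone": "555-0100",
    "email": "jane@example.com",
    "medical_history": "no known allergies",
    "clinical_note": "treatment plan discussed",
    "consent_waiver": "e-signed 2024-01-15",
}

if __name__ == "__main__":
    log = AuditLog()
    print(read_client_record(SAMPLE_RECORD, "c-1", "desk@example.com",
                             "Receptionist", "203.0.113.5", log))
    for e in log.events:
        print(e)
```

The important property is the default: a field that is not explicitly granted, or a role that is not in the matrix, yields nothing, so adding a new clinical field to the record cannot silently expose it to the front desk.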
Important: HIPAA compliance also requires a signed Business Associate Agreement (BAA) and the right operational policies on your side, not just a piece of software. If you handle protected health information (PHI), contact us before you go live so we can walk through what we sign and what your team needs to put in place.
Testing & incident response
- Continuous automated vulnerability scanning and dependency monitoring.
- On-call engineering rotation for production incidents.
- Status page at status.aaptly.com with proactive customer notifications during incidents.
- Penetration testing on a recurring cadence; reports available under NDA on request.
Report a vulnerability
Found something? Email security@aaptly.com. We acknowledge within 24h, triage within 72h, and credit researchers in our responsible-disclosure hall of fame.