Security Policy

Version 4.0 - February 2025


This policy outlines: 1) Aptible's security practices and resources and 2) your security obligations.


Obligations under this policy (both ours and yours) are incorporated by reference into the Aptible Terms of Service.


Our Obligations


Without limiting any provision of the Aptible Terms of Service, we will implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access, or disclosure.


Your Obligations


Our documentation may specify restrictions on how the Services may be configured or specifications for Aptible Container Services such as Apps. You agree to comply with any such restrictions or specifications.


You are responsible for properly configuring and using the Services and taking your own steps to maintain appropriate security, protection, and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routinely archiving Your Content. Aptible provides many built-in controls for you, as discussed herein. Where configurable or optional security controls (such as encryption) are offered as part of the Services, you are responsible for configuring or enabling those controls. You are ultimately responsible for determining whether the security controls applied to your Applications and data are sufficient for your requirements.


Aptible access credentials and private keys generated by the Services are for your internal use only. You may not sell, transfer or sublicense them to any other entity or person, except that you may disclose your private key to your agents and subcontractors performing work on your behalf.


Pursuant to Section 2 of the Aptible Terms of Service, you will not use the Services to create, receive, maintain, or transmit electronic HIPAA PHI or GDPR Personal Data without the corresponding legal agreement (HIPAA Business Associate Agreement or GDPR Data Processing Addendum) in place between you and Aptible.


Penetration Testing Authorization


You may conduct penetration tests of your dedicated Deploy Stacks. Aptible's underlying infrastructure is covered by the "Permitted Services" listed in AWS's Penetration Testing Policy, and you are responsible for adhering to their policy.


If your testing falls under AWS's definition of Other Simulated Events, you must have this activity pre-approved by Aptible, who will submit a request for authorization with AWS.


Reporting Security Vulnerabilities


If you discover a potential security vulnerability, please see our policy on Responsible Disclosure. We strongly prefer that you notify us in private. Publicly disclosing a security vulnerability without informing us first puts the community at risk. When you notify us of a potential problem, we will work with you to make sure we understand the scope and cause of the issue. Thank you!


Data Center Security


Aptible runs on the Amazon Web Services global infrastructure platform.

The guidance provided by AWS on Best Practices for Security, Identity, & Compliance serves as the reference material for this section. SOC 2 reports are available directly from AWS upon request.


Compliance


AWS computing environments are continuously audited, with certifications from accreditation bodies across geographies and verticals, including SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, ISO 9001 / ISO 27001, FedRAMP, DoD SRG, and PCI DSS Level 1. Additionally, AWS has assurance programs that provide templates and control mappings to help customers establish the compliance of their environments running on AWS. For a full list of programs, see AWS Compliance Programs.

We can confirm that all AWS services can be used in compliance with the GDPR. This means that, in addition to benefiting from all of the measures that AWS already takes to maintain services security, customers can deploy AWS services as a part of their compliance plans. AWS offers a Data Processing Addendum (DPA) in the AWS Service Terms that applies automatically, whenever AWS customers use AWS services to process personal data uploaded to their AWS account.

p. 7 - Introduction to AWS Security - AWS Whitepaper


Physical Security


Employee Data Center Access


AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.


Third-party data center access


Third-party access is requested by approved AWS employees, who must apply for third-party access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. These requests are approved by authorized personnel, and access is revoked after the request time expires. Once granted admittance, individuals are restricted to areas specified in their permissions. Anyone granted visitor badge access must present identification when arriving on site and is signed in and escorted by authorized staff.

AWS data centers - Our Controls - Physical Access


Operational Support Systems


Power


AWS data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day. AWS ensures data centers are equipped with backup power supply to ensure power is available to maintain operations in the event of an electrical failure for critical and essential loads in the facility.


Climate and Temperature


AWS data centers use mechanisms to control climate and maintain an appropriate operating temperature for servers and other hardware to prevent overheating and reduce the possibility of service outages. Personnel and systems monitor and control temperature and humidity at appropriate levels.


Fire Detection and Suppression


AWS data centers are equipped with automatic fire detection and suppression equipment. Fire detection systems utilize smoke detection sensors within networking, mechanical, and infrastructure spaces. These areas are also protected by suppression systems.


Leakage Detection


In order to detect the presence of water leaks, AWS equips data centers with functionality to detect the presence of water. If water is detected, mechanisms are in place to remove water in order to prevent any additional water damage.

AWS data centers - Our Controls - Operational Support Systems


Aptible Network Security


Please see our Reference Architecture Diagram for an explanation of the terms in this section.


Secure Architecture


Aptible stacks run in separate AWS Virtual Private Clouds. Each stack is an isolated network. Most services run in a private subnet. Only SSL/TLS Endpoints and a bastion host are exposed to the Internet. Backend users connect to the stack through the bastion host, which restricts access to stack components and logs activity for review.


Firewalls


All public-facing EC2 instances use inbound Security Group rules configured in deny-all mode. Ports are opened as necessary for: administrative SSH access, Aptible SSH Portal Access, and Redis. Public-facing Aptible Endpoints (which consist in part of an AWS load balancer) are configured to allow traffic on all ports but only listen on the specific ports required for functionality (e.g., 80 and 443 for an HTTPS Endpoint).


DDoS Protection and Mitigation


Aptible's VPC-based approach means that most stack components are not accessible from the Internet, and cannot be targeted directly by a DDoS attack.

Aptible SSL/TLS Endpoints include an AWS Elastic Load Balancer, which only supports valid TCP requests, meaning DDoS attacks such as UDP and SYN floods will not reach your App layer.

p. 16 - AWS Best Practices for DDoS Resiliency - AWS Whitepaper


Port Scanning


AWS monitors and stops unauthorized port scanning. Because most of an Aptible stack is private, and all hosts run strict firewalls, port scanning is generally ineffective.


Spoofing


Every packet flow on the network is individually authorized against a rule to validate the correct source and destination before it is transmitted and delivered. It is highly improbable for information to arbitrarily pass between entities without specifically being authorized by both the transmitting and receiving entity. If a packet is being routed to a destination without a rule that matches it, the packet is dropped. Reply addresses must be valid or the packet is dropped. Moreover, while address resolution protocol (ARP) packets trigger an authenticated database look-up, ARP packets never hit the network as they are not needed for discovery of the virtual network topology. This means ARP spoofing is highly improbable on the AWS network. 

p. 7 - VPC and Accompanying Features


Network and Host Vulnerability Scanning


Aptible scans both the Internet-facing network and private network of a master reference stack each month. Aptible is responsible for network and host security, and remediates adverse findings without customer intervention; however, you may request a scan of your dedicated VPC and its hosts as needed for your own security assessments and audits. The scope of this scan is limited to the underlying Aptible architecture and does not include your Apps, Databases, or Endpoints.


Aptible Platform Security


Configuration and Change Management


For App Services that have an SSL/TLS Endpoint attached, Aptible performs a health check on the container set before promoting it to the current release. If the health check fails, the container set is not promoted. Regardless of the outcome, the deployment process ensures no downtime.

For any deployment, you can roll back to a previous codebase by pushing a different ref to your App's Git endpoint.


Isolation


Dedicated Aptible environments are deployed on AWS VPC-based dedicated stacks, isolated at the customer level. The VPC, network, underlying instances, and AWS virtual infrastructure for your dedicated stack are not shared with any other tenant.


Logging and Monitoring


Aptible logs AWS and Aptible API activity, and host activity within your stack. Aptible monitors performance indicators such as disk, memory, compute, and logging issues, and automatically resolves them on your behalf.


Intrusion Detection & Prevention


Aptible Managed Host-based Intrusion Detection (HIDS) is installed on each host that runs your containers by default and will detect potential intrusions and other anomalous activities.

The Aptible Security Team monitors and investigates each event to determine the legitimacy of all activity. Crucially, the Aptible Security Team immediately responds to and resolves any issues that are discovered through investigation of anomalous activity and will notify you of any remediation steps taken.

You can optionally subscribe to the Aptible HIDS Compliance Report to provide your customers and auditors with evidence that you are using HIDS to monitor, analyze, and remediate security events.


Host Hardening


Aptible host operating systems are hardened based on the Center for Internet Security's Security Configuration Benchmark for the OS and version in use. For all operating systems:

  • Operating systems are installed on hosts only from bare images, and only via automated configuration management. Services installed can be enumerated upon request.

  • Host password logins are disabled. SSH root keys are not permitted.

  • No user SSH keys are permitted on hosts by default. Aptible internal workforce user access is configured only on a per-user basis, and only when necessary to provide customer support or platform maintenance.

  • Swap is disabled to avoid writing in-memory secrets to unencrypted volumes.

  • Command history for shell sessions is disabled.

  • Non-default SSH ports are used.

  • No password-based services are installed automatically. Password-based services (such as PostgreSQL) are provisioned only with unique, per-resource, Aptible-generated passphrases. No default passwords are permitted.

  • Host security updates are automated.

  • All host ports are opened only via whitelist.


Your Code


SSH public key authentication is used to limit access to your authorized backend users during git-based deploys. Following a successful push to an Aptible Git endpoint, code is copied down to your stack's build layer. The resulting images are pushed to a private stack registry backed by AWS S3, which provides redundant, access-controlled storage.


Databases


Databases run in the Database layer of your stack, on a private subnet accessible only from the App or bastion layer. SSL/TLS is required if the Database protocol supports it. Disk volumes backing Databases are encrypted at the filesystem level using Aptible-managed AES encryption. Aptible manages the creation, access security, and destruction of encryption keys. You can check whether your Database uses AES-192 or AES-256 in the Aptible dashboard. You can rekey the Database by dumping/restoring it at any time. You may implement additional controls, such as Database security policies or row-/column-level encryption with keys you manage.


Aptible Penetration Testing


Aptible conducts penetration testing of the Aptible infrastructure at least annually. These tests consist of open-ended, best-effort security assessments performed by qualified third-party testing firms that specialize in cloud and containerized infrastructures. Aptible customers can request a redacted version of the penetration tests. The testers review the Aptible architecture, are given full read access to Aptible source code (and access to the Aptible engineering team to answer questions throughout the test), and are given privileged internal (i.e., backdoor) access to a sandbox Aptible environment. From this context, the testers attempt to identify vulnerabilities in Aptible's control plane, core API, authentication API, and related Aptible services.


You may conduct testing of your dedicated Aptible Stacks and containerized applications as described above (“Penetration Testing Authorization”).


Aptible Vulnerability Remediation


All vulnerabilities are classified by severity according to the level of risk they present to the confidentiality, integrity, and availability of Aptible services and customer data. Vulnerabilities are remediated on a timeline commensurate with the severity:


  • Critical - within 24 hours

  • High - within 7 days

  • Medium - within 30 days

  • Low - within 90 days


Aptible Business Continuity


Backups


Aptible automatically backs up several different types of data:

  • Customer Aptible App code and the container images built from that code are stored in private, redundant, access-controlled registries. Aptible recommends that you maintain the canonical version of your codebase in a distributed version control system, such as GitHub. In the event of an app-level outage, Aptible automatically restores services from registry backups.

  • Customer metadata is stored in the Aptible APIs, backed by the Amazon Relational Database Service. This metadata includes customer account data (passwords, permissions, SSH keys), and Aptible configuration data, such as environmental variables. Backups are taken nightly and retained for one week.

  • Aptible customer Database disks are automatically backed up every 24 hours and retained as per the policy defined by each customer. No customer action is required for the automated backups to be generated. In addition to defining the retention period, customers can also specify that we should make two copies of each backup: One in the region where the Database runs, to facilitate fast disaster recovery; the other in a separate geographic region to protect against loss of the original region. Customers may also take on-demand backups. Please see the Aptible Database backup documentation for more information.


Fault Tolerance


AWS data centers are clustered into regions, and sub-clustered into availability zones, each of which is designed as an independent failure zone, meaning they are:


  • Physically separated

  • Located in lower-risk flood plains

  • Equipped with independent uninterruptible power supplies and onsite backup generators

  • Fed via different grids from independent utilities, and

  • Redundantly connected to multiple tier-1 transit providers


For dedicated environments, Aptible automatically distributes App containers across availability zones when a service is scaled to more than one container.


High Availability


Aptible allows you to set up high-availability clustering for Databases that support it.

App services on v2 stacks are automatically distributed across AWS availability zones as soon as they are scaled to more than one container.


Disaster Prevention and Recovery


Aptible monitors the stability and availability of customer infrastructure and automatically recovers from disruptions, including App and Database failures, as long as the customer has not explicitly disabled such backups. In the event of a disaster, Aptible restores Apps from the last healthy build image and restores data from the last backup. In the event of a Database outage, Aptible will automatically recover the underlying Database instance and disk. If the disk is unavailable, Aptible will restore from a backup. Raw Database snapshots and restored Database clones are available upon request for testing and recovery.


Aptible Internal Security


Aptible Access


We do not access or use Your Content for any purpose other than for developing and operating the Services and as required by law. As a routine matter, Aptible workforce members do not require access to data processed by your Aptible Containerized Services, such as data stored in your Databases. Aptible workforce members are granted least-privilege access to customer environments only when a specific business need arises. Workforce members undergo criminal background screening before hire. In some cases, such as Aptible Databases, you may encrypt Your Content using keys you manage.


Security Management


Aptible manages information security consistent with SOC 2, HITRUST, and applicable legal and regulatory requirements such as HIPAA and GDPR.


The subsequent information is available for review under NDA in our Trust Center:

  • Aptible’s HITRUST CSF stand-alone certification letter.

  • Aptible’s current SOC 2 Type 2 report and HITRUST CSF Validated Assessment Report are available under NDA to customers only.

  • Latest Penetration Test Report


Aptible encourages security researchers to participate in our Responsible Disclosure Program for security vulnerabilities.

548 Market St #75826 San Francisco, CA 94104

© 2025. All rights reserved. Privacy Policy
