Our Security Approach

AppDeck is in active development. We are building the platform with security-first architecture from day one — here is how, and where we are on the path toward formal audit readiness.

Where We Are Today

AppDeck is pre-launch. We do not currently hold SOC 2, ISO 27001, or HIPAA certifications — these require production systems, real customer data, and third-party audits we have not yet completed. We believe being transparent about this matters more than marketing language that suggests otherwise.

What we have done is design our architecture around the controls these frameworks require. If you are evaluating AppDeck and have specific security, compliance, or residency requirements, tell us in your demo request and we will walk through exactly what we support today and what is on the near-term roadmap.

Data Encryption

Encryption is foundational to the platform design:

  • Encryption at Rest: Sensitive data stored within AppDeck is encrypted using AES-256.
  • Encryption in Transit: Data transmitted between users and AppDeck, and between our internal services, is protected using TLS 1.3 or higher.

Compliance Roadmap

We are designing AppDeck so that formal audits are a matter of observation, not retrofit:

  • SOC 2 Type II: We are designing the platform against SOC 2 Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). A formal Type II audit requires a 6-12 month observation window of production controls — we plan to pursue this ahead of our first enterprise customer commitment.
  • GDPR: Our data handling design follows GDPR principles — lawful basis, data minimization, right to access and deletion, and breach notification. We will sign a DPA with customers in scope.
  • HIPAA: Not currently in scope. If you have PHI workloads, let us know and we can discuss a timeline.

Access Controls & Authentication

The platform is being built with granular access control as a first-class feature:

  • Role-Based Access Control (RBAC): Custom roles and permissions so users only see what their role requires.
  • Two-Factor Authentication (2FA): Additional authentication factor available for all accounts.
  • Single Sign-On (SSO): Planned support for SAML-based identity providers (Okta, Azure AD, Google Workspace). Not yet generally available — ask about timeline in your demo request.

Infrastructure Security

AppDeck runs on mainstream cloud infrastructure with a defense-in-depth posture:

  • Cloud Environment: Hosted on a leading cloud provider with enterprise-grade physical and network security.
  • Network Security: Firewalls and DDoS mitigation at the provider edge.
  • Vulnerability Management: Dependency scanning, automated security patching, and periodic third-party review planned ahead of GA.
  • Backup and Recovery: Automated backups with a documented recovery procedure.

Data Privacy

We are committed to handling your data transparently. Our current practices are outlined in our Privacy Policy; we will update it as the product matures and will notify customers of material changes.

Incident Response

We are documenting an incident response process covering detection, containment, customer notification, and post-incident review. Early-access customers will receive the current version of this document on request.

Questions About Security?

If you are evaluating AppDeck and have specific security or compliance requirements, tell us what you need. We will answer honestly about what is in place today and what is on the roadmap.