Last Updated: November 19, 2025
Overview
All security controls listed below are implemented and operational as of the date above. Our infrastructure providers (Vercel, Neon, Clerk) each maintain a SOC 2 Type II attestation.
Infrastructure Security
| Control | Status | Notes |
|---|---|---|
| Cloud hosting with SOC 2 providers | Implemented | Vercel, Neon, Clerk |
| TLS 1.3 encryption in transit | Implemented | Automatic via Vercel |
| AES-256 encryption at rest | Implemented | Neon default |
| Database access controls | Implemented | Role-based access controls |
| DDoS protection | Implemented | Vercel edge network |
Backup & Recovery
| Control | Status | Notes |
|---|---|---|
| Daily automated backups | Implemented | 00:00 UTC daily |
| 14-day backup retention | Implemented | Rolling retention |
| Point-in-time recovery | Implemented | 14-day window |
| Documented recovery procedures | Implemented | In incident response plan |
| Tested disaster recovery | Implemented | Annual testing completed |
Access Control
| Control | Status | Notes |
|---|---|---|
| Least privilege access | Implemented | Role-based access |
| MFA for all internal systems | Implemented | Google 2FA required |
| Secrets in encrypted storage | Implemented | Vercel env vars + 1Password |
| No secrets in source code | Implemented | Environment variables only |
| Offboarding checklist | Implemented | Documented in access control policy |
| Quarterly access reviews | Implemented | Quarterly reviews conducted |
Authentication
| Control | Status | Notes |
|---|---|---|
| Secure password hashing | Implemented | bcrypt via Clerk |
| MFA available for users | Implemented | TOTP, SMS |
| Enterprise SSO (SAML/OIDC) | Implemented | Via Clerk |
| Brute-force protection | Implemented | Rate limiting, lockout |
| MFA required for enterprise | Implemented | Enforced via Clerk |
Monitoring & Logging
| Control | Status | Notes |
|---|---|---|
| Error monitoring | Implemented | Sentry |
| Application analytics | Implemented | PostHog |
| Authentication event logging | Implemented | Via Clerk |
| Security event logging | Implemented | 90-day retention |
Data Protection
| Control | Status | Notes |
|---|---|---|
| Data retention policy | Implemented | Deletion within 30 days of request |
| Data segregation by customer | Implemented | Logical separation |
| Privacy policy published | Implemented | app.aurium.ai/terms/privacy |
| DPA available | Implemented | Template in this package |