Security & Compliance

Last updated: April 25, 2026

The controls we run, the certifications we work toward, and how we handle your financial data. For SOC 2 reports, data-processing addenda, or custom attestations — write to security@aperio.finance.

Encryption

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Credentials are never logged. API keys and secrets are stored in managed secret stores.

Authentication and access

We support email-based magic link authentication and SSO (SAML 2.0) for Team and enterprise plans. Session tokens use industry-standard rotation and expiry.

Role-based access controls apply at the workspace level. Employee access to production systems requires hardware security keys, is logged, and is reviewed quarterly.

Infrastructure

The service is hosted on Vercel and Supabase, both of which maintain SOC 2 Type II certifications. Databases are provisioned in hardened configurations with network-level isolation.

Production data is backed up automatically every day, with point-in-time recovery available for up to 7 days. Disaster-recovery runbooks are tested twice per year.

AI and inference

AI features are delivered by Anthropic and OpenAI. Customer data sent for inference is processed under their respective data-processing addenda and is not retained for training.

Prompts and completions related to customer data are stored in our systems subject to the same retention and deletion policies as other customer data.

Vulnerability management

We run automated dependency scans on every commit and have a documented process for triaging and patching vulnerabilities. Critical vulnerabilities are remediated within 24 hours.

We welcome responsible disclosure. Report findings to security@aperio.finance. We respond within 24 hours.

Compliance roadmap

We operate against SOC 2 Type I controls today, with Type II certification targeted as audit evidence accumulates.

GDPR and CCPA processes are in place. HIPAA and additional certifications are available for enterprise engagements on request.

Incident response

All customer-affecting incidents are documented at /status with root-cause analysis within five business days. Severe incidents are communicated proactively by email.

We maintain a 24/7 on-call rotation for production outages.

Data residency and deletion

Production data lives in US regions by default; EU residency is available on Team and enterprise plans.

Data deletion requests are honored within 30 days of verification. Backup purges complete within 90 days thereafter.

Subprocessors

Current subprocessors: Vercel (hosting), Supabase (database + auth), Resend (transactional email), Lemon Squeezy (billing), Anthropic + OpenAI (AI inference), PostHog (product analytics).

We notify customers by email before adding new subprocessors that process customer data.

Questions?

Contact us at security@aperio.finance.