How we keep your data and agents safe
All traffic between your browser, API clients, and AECARO servers is encrypted using TLS 1.3. We enforce HTTP Strict Transport Security (HSTS) to prevent downgrade attacks. API endpoints require TLS 1.2 minimum, with TLS 1.3 preferred. Our TLS certificates are managed automatically through Vercel's edge network.
Data stored in our PostgreSQL database (Neon) is encrypted at rest using AES-256. Database encryption keys are managed by Neon's key management infrastructure and are separate from application access controls. File storage and backup archives are encrypted with the same standard.
LLM API keys you provide (BYOK) are encrypted with AES-256-GCM at the application layer before they are written to the database, in addition to the database's own encryption at rest. Keys are decrypted only in memory at agent runtime. Our encryption key is rotated every 90 days. Decrypted keys are never written to logs or error traces. Only the last four characters of each key are visible in the dashboard for identification.
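The paragraph above describes four properties of the BYOK key store: AES-256-GCM at the application layer, periodic rotation of the wrapping key, decrypted values that never reach logs, and a last-four mask for display. The following Python is an added illustration of how those properties fit together; it is not AECARO's code and assumes the `cryptography` package is installed. The version byte, the use of the user id as associated data, and the `KeyVault` and `SecretRedactingFilter` names are this example's own choices, not anything the page specifies.

```python
"""Application-layer protection of BYOK LLM API keys (added example, not AECARO's code).

Record layout produced by KeyVault.encrypt:
    version (1 byte) || nonce (12 bytes) || AES-256-GCM ciphertext + tag
The version byte records which wrapping key was used, so that after a
rotation old records can still be decrypted and then re-encrypted.
"""
import logging
import os

from cryptography.exceptions import InvalidTag  # raised when tag or AAD check fails
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard GCM nonce size


class KeyVault:
    """Holds versioned 256-bit wrapping keys (all values here are assumptions).

    A single version byte allows 255 rotations; at one rotation per 90 days
    that is far beyond the lifetime of any record.
    """

    def __init__(self, keys: dict[int, bytes]):
        for version, key in keys.items():
            if not 1 <= version <= 255 or len(key) != 32:
                raise ValueError(f"key version {version} must be 1..255 and 256 bits")
        self._keys = dict(keys)
        self._current = max(keys)

    @property
    def current_version(self) -> int:
        return self._current

    def rotate(self, new_key: bytes) -> int:
        """Install a new wrapping key; old keys stay available for decryption."""
        version = self._current + 1
        if version > 255 or len(new_key) != 32:
            raise ValueError("invalid rotation")
        self._keys[version] = new_key
        self._current = version
        return version

    def encrypt(self, api_key: str, user_id: str) -> bytes:
        # The owning user id is bound as associated data, so a ciphertext
        # copied onto another user's row fails authentication on decrypt.
        nonce = os.urandom(NONCE_LEN)
        aead = AESGCM(self._keys[self._current])
        ct = aead.encrypt(nonce, api_key.encode(), user_id.encode())
        return bytes([self._current]) + nonce + ct

    def decrypt(self, blob: bytes, user_id: str) -> str:
        """Decrypt in memory only; the caller must not log the return value."""
        version = blob[0]
        nonce, ct = blob[1:1 + NONCE_LEN], blob[1 + NONCE_LEN:]
        aead = AESGCM(self._keys[version])
        return aead.decrypt(nonce, ct, user_id.encode()).decode()

    def reencrypt_if_stale(self, blob: bytes, user_id: str) -> bytes:
        """Background rotation job: re-wrap records still under an old key."""
        if blob[0] == self._current:
            return blob
        return self.encrypt(self.decrypt(blob, user_id), user_id)


def mask_key(api_key: str) -> str:
    """Dashboard display: only the last four characters are shown."""
    return "****" + api_key[-4:]


class SecretRedactingFilter(logging.Filter):
    """Replaces any registered plaintext key in a log message with its mask,
    so an error trace that interpolates a key never reaches the log sink."""

    def __init__(self):
        super().__init__()
        self._secrets: set[str] = set()

    def register(self, secret: str) -> None:
        self._secrets.add(secret)

    def filter(self, record: logging.LogRecord) -> bool:
        message = record.getMessage()
        for secret in self._secrets:
            message = message.replace(secret, mask_key(secret))
        record.msg, record.args = message, ()
        return True


if __name__ == "__main__":
    vault = KeyVault({1: os.urandom(32)})
    sample_key = "sk-constructed-sample-key-9f3a"  # constructed, not a real credential
    blob = vault.encrypt(sample_key, "user_42")
    assert vault.decrypt(blob, "user_42") == sample_key
    vault.rotate(os.urandom(32))
    rewrapped = vault.reencrypt_if_stale(blob, "user_42")
    print("record version after rotation:", rewrapped[0], "display:", mask_key(sample_key))
```

Two details matter in practice: the associated data ties each ciphertext to its owner row, so a swapped blob is rejected with `InvalidTag` rather than yielding another user's key, and the version byte is what makes a 90-day rotation a routine re-wrap job instead of a mass re-entry of keys by users.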
AECARO is built on modern, battle-tested infrastructure with security built into every layer:
⚡ Vercel Edge Network
Application hosting and serverless functions run on Vercel's global edge network. DDoS protection, WAF, and automatic TLS certificate management are included. No direct server access is needed — all deployment is infrastructure-as-code.
🗄️ Neon PostgreSQL
Primary database on Neon with encryption at rest, automated daily backups, point-in-time recovery, and connection pooling. Database access is restricted to the application layer; no direct external database access is permitted. All queries go through parameterized prepared statements to prevent SQL injection.
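The paragraph above relies on parameterized prepared statements to prevent SQL injection. The Python below is an added example, not AECARO's code, showing the string-built query beside the parameterized one against a constructed in-memory SQLite table (the `agents` table, its rows, and the `list_agents` function names are this example's own). It also covers the one case a placeholder cannot handle, a caller-chosen sort column, which has to go through an allow-list instead.

```python
"""Parameterized queries versus string-built SQL (added example, not AECARO's code)."""
import sqlite3

# Constructed sample data standing in for a per-user agent table.
SAMPLE_ROWS = [
    ("user_1", "support-bot"),
    ("user_1", "sales-bot"),
    ("user_2", "research-bot"),
]

# Identifiers (column names) cannot be bound as parameters, so a caller-supplied
# sort key is mapped through a fixed allow-list rather than interpolated.
SORT_COLUMNS = {"id": "id", "name": "name"}


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE agents (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO agents (owner, name) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def list_agents_unsafe(conn: sqlite3.Connection, owner: str) -> list[str]:
    """Vulnerable form: the owner value is spliced into the SQL text, so a
    quote in the input changes the query's structure."""
    sql = f"SELECT name FROM agents WHERE owner = '{owner}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def list_agents(conn: sqlite3.Connection, owner: str, sort_by: str = "id") -> list[str]:
    """Hardened form: the owner value is bound with a placeholder and is only
    ever treated as data; the sort column comes from SORT_COLUMNS."""
    column = SORT_COLUMNS.get(sort_by)
    if column is None:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT name FROM agents WHERE owner = ? ORDER BY {column}"
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    db = build_db()
    crafted = "user_2' OR '1'='1"  # constructed input containing a quote
    print("unsafe  :", list_agents_unsafe(db, crafted))   # leaks every user's agents
    print("bound   :", list_agents(db, crafted))          # no owner has that literal name
    print("by name :", list_agents(db, "user_1", sort_by="name"))
```

With the placeholder form, the same quoted input is compared literally against the `owner` column and matches nothing, and a rejected `sort_by` fails closed with `ValueError` rather than reaching the database.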
🔒 Isolated Execution
Agent execution is sandboxed per-user. Agent containers have no network access to internal infrastructure. Execution environments are ephemeral — created per session and destroyed after completion. No agent has access to another user's data or API keys.
🔑 Clerk Authentication
User authentication is handled by Clerk, providing secure session management, multi-factor authentication (MFA/2FA), and optional SSO integration. Clerk is SOC 2 certified and processes authentication data separately from application data.
AECARO uses Clerk for authentication, supporting email/password, Google OAuth, GitHub OAuth, and enterprise SSO (SAML 2.0 / OpenID Connect on Team and Enterprise plans). Multi-factor authentication (TOTP) is available and recommended for all accounts.
Sessions expire after 7 days of inactivity. Users may revoke all active sessions from account settings. API sessions use short-lived tokens (1 hour) with refresh token rotation.
Agency accounts support role-based access: Owner, Admin, and Member roles with granular permissions for client management, billing, and agent configuration. Audit logs track all role changes and sensitive actions.
AECARO is currently undergoing SOC 2 Type II certification. We follow SOC 2 control framework principles for security, availability, and confidentiality. Expected completion: Q3 2026. During this period, we maintain internal controls aligned with SOC 2 requirements. Enterprise customers may request a SOC 2 readiness assessment report.
AECARO is fully compliant with the General Data Protection Regulation (GDPR). We process data as a data processor acting on behalf of our users (data controllers). Data processing agreements (DPAs) are available on request. Data is stored in the US (primary) and EU (on request). We support data subject access requests, deletion requests, and data portability.
A standard DPA is incorporated into our Terms of Service for all paid accounts. Signed copies are available by contacting security@aecaro.com.
We take the security of our platform seriously. If you believe you have found a security vulnerability in AECARO, we encourage you to report it responsibly.
Please email details to security@aecaro.com. Do not publicly disclose the issue before we have had an opportunity to investigate and address it.
In-scope: AECARO web application (app.aecaro.com), API endpoints (api.aecaro.com), and associated subdomains. Out-of-scope: Third-party services (Stripe, Clerk, Neon), physical attacks, social engineering, denial of service, and vulnerabilities in third-party LLM providers.
For security-related inquiries, vulnerability reports, or to request a DPA:
Email: security@aecaro.com
PGP key: Available on request
Response time: Within 48 hours for security reports