Security
We take the security of your data seriously. Here's how we protect your analytics data and maintain the integrity of our platform.
Infrastructure
AreaTech runs on Amazon Web Services (AWS) with infrastructure deployed across multiple availability zones for high availability. Our production environment uses:
- Compute: Auto-scaling ECS Fargate clusters with no shared tenancy
- Storage: Encrypted RDS (PostgreSQL) and S3 with AES-256 at rest
- Networking: Private VPCs with NACLs, security groups, and WAF protection
- CDN: CloudFront with DDoS mitigation via AWS Shield
Encryption
All data is encrypted both in transit and at rest:
- In transit: TLS 1.3 for all API and dashboard connections. We enforce HSTS and score A+ on SSL Labs.
- At rest: AES-256 encryption for all stored data using AWS KMS-managed keys with automatic key rotation.
- API keys: Hashed with bcrypt before storage. Only displayed once at creation time.
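As an added illustration of the API-key handling described above (example code, not AreaTech's own implementation): the plaintext key is returned exactly once, only a slow hash of its secret part is stored, and a short public key id is embedded in the key so the stored record can be located without a plaintext lookup. The page states bcrypt; this example substitutes hashlib.scrypt from the Python standard library as the slow hash so it runs without third-party packages. The "at_" prefix, the key-id length, the scrypt parameters and the in-memory store are all assumptions.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Assumed key layout (not from the page): at_<key id>.<secret>
# The key id is public and used only to find the record; the secret is never stored.
KEY_PREFIX = "at_"
DUMMY_SALT = b"\x00" * 16


@dataclass
class StoredKey:
    key_id: str
    salt: bytes
    digest: bytes
    project: str


def _slow_hash(secret: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt: scrypt from the standard library, with
    # assumed parameters n=2**14, r=8, p=1 (about 16 MiB of memory per hash).
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def issue_key(store: dict, project: str) -> str:
    """Create a key for `project`, persist only its hash, and return the plaintext once."""
    key_id = secrets.token_hex(4)          # 8 hex chars, safe to log and index
    secret = secrets.token_urlsafe(32)     # 256 bits of entropy, shown to the user once
    salt = os.urandom(16)
    store[key_id] = StoredKey(key_id, salt, _slow_hash(secret, salt), project)
    return f"{KEY_PREFIX}{key_id}.{secret}"


def verify_key(store: dict, presented: str):
    """Return the project the key belongs to, or None if it is malformed, unknown or wrong."""
    if not presented.startswith(KEY_PREFIX) or "." not in presented:
        return None
    key_id, _, secret = presented[len(KEY_PREFIX):].partition(".")
    rec = store.get(key_id)
    if rec is None:
        # Hash anyway so response time does not reveal whether the key id exists.
        _slow_hash(secret, DUMMY_SALT)
        return None
    # Constant-time comparison of the recomputed digest against the stored one.
    if hmac.compare_digest(_slow_hash(secret, rec.salt), rec.digest):
        return rec.project
    return None


if __name__ == "__main__":
    keys = {}
    plaintext = issue_key(keys, "demo-project")
    print("show once:", plaintext)
    print("verified as:", verify_key(keys, plaintext))
```

Because only the digest is stored, a database read gives an attacker nothing directly usable, and a lost key simply has to be reissued, which is what "only displayed once at creation time" implies operationally.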
Authentication & Access Control
- Multi-factor authentication (MFA) available for all accounts
- SSO via SAML 2.0 and OIDC (Enterprise plan)
- Role-based access control (RBAC) with Owner, Admin, Member, and Viewer roles
- API keys scoped per-project with configurable permissions
- Session timeout and concurrent session limits
Data Isolation
Customer data is logically isolated at the database level. Each project's data is partitioned and cannot be accessed by other customers. Our engineering team accesses production data only through audited, time-limited sessions with business justification.
Compliance & Certifications
- SOC 2 Type II: Audit in progress, expected completion Q1 2025
- GDPR: Compliant. DPA available for EU customers on request.
- CCPA: Compliant. We do not sell personal information.
- Data residency: EU data storage available for Enterprise customers
Vulnerability Management
- Automated dependency scanning via Dependabot and Snyk
- Static analysis (SAST) in CI/CD pipeline
- Annual third-party penetration testing
- Bug bounty program (launching Q1 2025)
- Patch management SLA: critical vulnerabilities remediated within 24 hours
Incident Response
We maintain a documented incident response plan with defined severity levels, escalation procedures, and communication timelines. In the event of a security incident affecting customer data, we commit to notifying affected customers within 72 hours.
Employee Security
- Background checks for all employees with production access
- Security awareness training during onboarding and quarterly refreshers
- Principle of least privilege for all internal access
- Hardware security keys required for infrastructure access
Responsible Disclosure
If you discover a security vulnerability in AreaTech, please report it responsibly to security@areatech.tech. We ask that you give us reasonable time to address the issue before public disclosure. We do not pursue legal action against researchers who act in good faith.
Questions?
For security-related questions or to request our SOC 2 report (when available), contact security@areatech.tech.