| title | Data Privacy & Compliance |
|---|---|
| description | Understand how AetherFlow handles data privacy, security, and regulatory compliance |
AetherFlow is committed to protecting your data privacy and ensuring compliance with global regulations.
We implement industry-leading security measures and maintain compliance with major privacy regulations.Understand what data we collect and how it's used to power AetherFlow services.
- Email address and basic profile information - Authentication credentials (encrypted and salted) - Billing and payment information (PCI DSS compliant) - Usage metrics and feature adoption data - Workflow configurations and natural language prompts - Integration credentials and connection settings - Execution logs and performance metrics - Error reports and debugging information - OAuth tokens and API credentials (encrypted at rest) - Integration-specific configuration data - Connection status and health metricsMultiple layers of encryption protect your data throughout its lifecycle.
AES-256 encryption for all stored data using envelope encryption. TLS 1.3 encryption for all data transmission with perfect forward secrecy. Additional encryption for sensitive fields like API keys and tokens. - **Database Encryption**: Transparent Data Encryption (TDE) with AES-256 - **File Storage**: Server-side encryption with customer-managed keys (Enterprise) - **Backup Encryption**: All backups encrypted with unique keys - **Key Management**: Hardware Security Modules (HSMs) for key storage and rotationClear policies govern how long different types of data are retained.
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Data | Until account deletion | Service provision and compliance |
| Workflow Logs | 90 days (7 years for Enterprise) | Debugging and analytics |
| Execution Data | 30 days (customizable for Enterprise) | Performance monitoring |
| Audit Logs | 7 years | Regulatory compliance |
| Backup Data | 30 days after deletion | Recovery purposes |
AetherFlow is fully compliant with the General Data Protection Regulation (GDPR).
As a GDPR-compliant service, we help you meet your data protection obligations.We support all GDPR data subject rights:
Request a copy of all personal data we hold about you. Correct inaccurate or incomplete personal data. Request deletion of your personal data ("right to be forgotten"). Limit processing of your personal data in certain circumstances. Receive your data in a structured, machine-readable format. Object to processing based on legitimate interests or direct marketing. - Data minimization principles applied to all features - Privacy impact assessments for new functionality - Automated data classification and labeling - Regular privacy audits and compliance reviews Available for Enterprise customers, our DPA includes: - Detailed data processing descriptions - Security measures and safeguards - Subprocessor lists and approval processes - Breach notification procedures - Audit rights and compliance certificationsCompliance with the California Consumer Privacy Act for California residents.
- **Right to Know**: What personal information we collect and how it's used - **Right to Delete**: Request deletion of personal information - **Right to Opt-Out**: Opt-out of sale of personal information - **Right to Non-Discrimination**: No different treatment for exercising rights - No sale of personal information to third parties - Clear privacy notices with CCPA-specific disclosures - Dedicated CCPA request processing portal - Annual privacy reports for California residentsType II SOC 2 compliance demonstrating our security and privacy controls.
- **Security**: Protection against unauthorized access and data breaches - **Availability**: System availability and resilience - **Processing Integrity**: Accuracy and completeness of data processing - **Confidentiality**: Protection of confidential information - **Privacy**: Appropriate collection, use, and disclosure of personal information - Access controls and multi-factor authentication - Regular security assessments and penetration testing - Incident response and breach notification procedures - Change management and configuration controls - Continuous monitoring and loggingAdherence to privacy regulations in major markets worldwide.
PIPEDA compliance for Canadian personal information protection. OAIC compliance and Notifiable Data Breaches scheme. UK GDPR compliance post-Brexit. APPI compliance for personal information protection.Comprehensive security controls protect your data and systems.
- SOC 2 Type II compliant cloud infrastructure - Regular security audits and penetration testing - Automated vulnerability scanning and patching - DDoS protection and rate limiting - Role-based access control (RBAC) with least privilege - Multi-factor authentication (MFA) required - Single sign-on (SSO) integration available - Session management and automatic timeouts - 24/7 security monitoring and alerting - Automated threat detection and response - Incident response plan with defined procedures - Regular security awareness trainingUnderstand where your data is stored and processed.
- **US East (N. Virginia)**: Primary region for US customers - **EU West (Ireland)**: GDPR-compliant region for EU customers - **Asia Pacific (Singapore)**: APAC region for Asian customersEnterprise customers can choose specific regions for data residency.
- Data stored in region-specific data centers - Cross-border transfers comply with local regulations - Standard Contractual Clauses for international transfers - Binding Corporate Rules for intra-group transfersTransparency about our subprocessors and their compliance status.
- **Cloud Infrastructure**: AWS, Google Cloud, Azure (SOC 2 compliant) - **Payment Processing**: Stripe, Braintree (PCI DSS compliant) - **Analytics**: Mixpanel, Amplitude (GDPR compliant) - **Customer Support**: Zendesk, Intercom (SOC 2 compliant) All subprocessors sign data processing agreements including: - Security and confidentiality obligations - Data protection and privacy requirements - Incident notification procedures - Audit rights and compliance certificationsOur procedures for handling security incidents and data breaches.
Automated monitoring and alerting systems detect potential incidents. Security team assesses the incident scope and impact. Immediate actions taken to contain the incident and prevent spread. Systems restored and data recovered from backups if needed. Affected customers notified within required timeframes. Post-incident analysis and improvements implemented. In compliance with applicable laws: - **GDPR**: Notification within 72 hours of becoming aware of breach - **CCPA**: Notification "in the most expedient time possible" - **General**: Affected customers notified promptly with remediation stepsHow privacy considerations are built into our product development.
- Privacy impact assessments for all new features - Data minimization principles applied to data collection - Default privacy settings favor user protection - Regular privacy training for development team - Granular data sharing controls - Data export and deletion options - Privacy dashboard for users - Consent management for data processingHow to contact us regarding privacy and compliance matters.
- **Email**: privacy@aetherflow.com - **Response Time**: Within 24 hours for urgent privacy concerns - **Data Requests**: privacy-requests@aetherflow.com - **Security Reports**: security@aetherflow.com - **Privacy Policy**: Full privacy policy available at aetherflow.com/privacy - **Security Overview**: Technical security documentation - **Compliance Certificates**: SOC 2 reports and GDPR compliance documentation - **Subprocessor List**: Complete list of third-party processorsYour privacy and data security are our top priorities. We continuously work to maintain the highest standards of compliance and protection.