Security

Last updated: February 20, 2026

Security is a core part of how APTCI is built — not an afterthought. This page explains the technical and organizational measures we use to protect your documents and data.

AES-256 at rest
TLS 1.2+ in transit
AWS infrastructure
Row-Level Security
SOC 2 (via Supabase)
GDPR compliant

1. Infrastructure

APTCI is hosted on Vercel (application layer) and Supabase (database, file storage, authentication). Supabase runs on Amazon Web Services (AWS), currently in the eu-central-1 (Frankfurt) region.

All infrastructure is managed by providers with enterprise-grade security certifications. Neither we nor any third party has unstructured access to the raw storage layer — all access goes through authenticated API calls with Row-Level Security enforced at the database level.

LayerProviderRegion
Application hostingVercel (Edge Network)Global CDN
Database (Postgres)Supabase / AWSeu-central-1 (Frankfurt)
File storageSupabase Storage / AWS S3eu-central-1 (Frankfurt)
AuthenticationSupabase Autheu-central-1 (Frankfurt)
AI processingAnthropic APIUS (inference only, not stored)
EmailResendEU

2. Encryption

  • At rest: All database records and uploaded files are encrypted at rest using AES-256. Encryption is managed by AWS/Supabase at the storage layer.
  • In transit: All communication between the browser, application, and database uses TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS.
  • Passwords: User passwords are never stored in plain text. Supabase Auth uses bcrypt hashing with a strong cost factor. We never have access to your password.
  • API keys: Internal API keys (Stripe, Anthropic, etc.) are stored as server-side environment variables and never exposed to the client or included in source code.

3. Access Controls

  • Row-Level Security (RLS): Every table in the database has RLS policies enforced at the Postgres level. A user can only read or write their own data — even if they bypass the application layer, the database itself will reject unauthorized queries.
  • Organization isolation: Data belonging to one organization is fully isolated from other organizations. Organization members can only access projects and documents within their org.
  • Service role: Server-side background jobs (AI processing, webhooks) use a service role key that bypasses RLS only for specific administrative operations. This key is never exposed to the client.
  • Storage buckets: Uploaded files are stored in access-controlled private buckets. Files require a signed URL tied to the authenticated user session to be accessed.

4. AI Providers & Data Processing

When you upload a document and trigger AI analysis, the extracted text is sent to Anthropic (Claude) for processing. We do not send raw files — only plain text. The following applies:

  • Anthropic does not use API data to train their models (confirmed in their API usage policy).
  • OpenAI (used as a fallback for embeddings) has the same no-training policy for API data.
  • Document text is sent only in the context of the specific AI request and is not cached or stored by the AI provider.
  • AI providers are contractually bound to process data only as instructed.

5. Compliance & Certifications

StandardStatusNotes
GDPR✓ CompliantData stored in EU (Frankfurt). DPA available on request.
SOC 2 Type II✓ via SupabaseOur infrastructure provider is SOC 2 certified. APTCI itself is pursuing certification.
ISO 27001In progressSupabase is ISO 27001 certified. APTCI-level certification planned.
HIPAANot certifiedAPTCI is not designed for healthcare data.

6. Incident Response

  • In the event of a confirmed data breach, affected users will be notified within 72 hours in accordance with GDPR Article 33.
  • Security incidents are logged, investigated, and remediated with root cause analysis.
  • Critical security vulnerabilities are patched on a priority basis, typically within 24 hours of confirmation.

7. Responsible Disclosure

If you discover a security vulnerability in APTCI, please report it responsibly to security@aptci.app. We ask that you give us reasonable time to investigate and address the issue before any public disclosure. We do not pursue legal action against researchers who report vulnerabilities in good faith.

8. Enterprise Inquiries

For Enterprise customers requiring a signed DPA, custom security review, penetration test results, or SSO configuration, please contact security@aptci.app. We respond to Enterprise security inquiries within 2 business days.