Security

Security is foundational to Adroyt. We build every layer of the platform with security-first principles — from data encryption to infrastructure hardening to access controls. This page describes our security posture and how we protect your data.

At Rest

All data stored on Adroyt servers is encrypted using AES-256. Database backups are encrypted using the same standard.

In Transit

All data transmitted between your browser and Adroyt is protected with TLS 1.3. We enforce HSTS and HTTPS across all endpoints.

• Hosted on SOC 2 Type II certified cloud infrastructure
• Network segmentation and private subnets for databases
• Web Application Firewall (WAF) protecting all endpoints
• DDoS mitigation at the network edge
• Automated vulnerability scanning of all container images
• Regular penetration testing by third-party security firms

We follow least-privilege principles throughout:

• Role-based access control (RBAC) at the application and infrastructure level
• Multi-factor authentication required for all internal Adroyt employees
• SSH access via short-lived certificates only
• All production access is logged and audited
• Tenant data is strictly isolated — no cross-tenant data access

• SOC 2 Type II (available on request under NDA)
• GDPR compliant — DPA available at adroyt.io/dpa
• CCPA compliant
• ISO 27001 alignment (certification in progress)

We operate a responsible disclosure programme. If you discover a security vulnerability, please report it to [email protected]. We acknowledge reports within 24 hours and aim to resolve critical issues within 72 hours. We do not pursue legal action against good-faith researchers.

Security questions and vulnerability reports: [email protected]