Trust
Last updated: March 10, 2026
01
Trust at Adroyt
Security and compliance are foundational to Adroyt. We build every layer of the platform with security-first principles — encryption at rest and in transit, hardened infrastructure, least-privilege access, and continuous compliance with the standards enterprise procurement teams ask about. This page is the single source of truth for our security posture, certifications, and the way we handle data.
02
Data Encryption
At Rest
All data stored on Adroyt servers is encrypted using AES-256. Database backups are encrypted using the same standard.
In Transit
All data transmitted between your browser and Adroyt is protected with TLS 1.3. We enforce HSTS and HTTPS across all endpoints.
03
Infrastructure Security
- Hosted on SOC 2 Type II certified cloud infrastructure
- Network segmentation and private subnets for databases
- Web Application Firewall (WAF) protecting all endpoints
- DDoS mitigation at the network edge
- Automated vulnerability scanning of all container images
- Regular penetration testing by third-party security firms
04
Access Controls
We follow least-privilege principles throughout:
- Role-based access control (RBAC) at the application and infrastructure level
- Multi-factor authentication required for all internal Adroyt employees
- SSH access via short-lived certificates only
- All production access is logged and audited
- Tenant data is strictly isolated — no cross-tenant data access
05
Certifications & Frameworks
SOC 2 Type II
Adroyt maintains a SOC 2 Type II report covering the Trust Service Criteria for Security, Availability, and Confidentiality. The report is available to enterprise customers under NDA. Contact [email protected] to request a copy.
GDPR
Adroyt acts as a data processor for customer personal data under the EU General Data Protection Regulation. Our commitments include lawful basis for all processing activities, Standard Contractual Clauses (SCCs) for international transfers, support for right to erasure and data portability, and 72-hour breach notification. The standalone Data Processing Agreement lives at adroyt.io/dpa.
CCPA / CPRA
Adroyt complies with the California Consumer Privacy Act and its amendments. We do not sell personal information to third parties. California residents may exercise their rights by contacting [email protected].
ISO 27001
Adroyt operates an information security management system (ISMS) aligned with ISO/IEC 27001:2022. Formal certification is currently in progress. We implement all mandatory and a majority of optional controls from Annex A.
06
Data Residency
Enterprise customers can request dedicated data residency in the EU (Ireland/Frankfurt) or US (Virginia/Oregon). Contact our sales team to discuss data residency requirements for your organisation.
07
Accessibility
Adroyt is designed to be usable by everyone, including people with visual, auditory, motor, and cognitive disabilities. Our product targets WCAG 2.1 Level AA as a baseline, with Level AAA for colour contrast in our dark theme.
Standards we conform to
- WCAG 2.1 AA — Web Content Accessibility Guidelines (W3C)
- Section 508 — US Federal accessibility requirements
- EN 301 549 — European accessibility standard
How we verify
Every dashboard release is audited against the top 20 customer-facing pages using an automated test suite that runs Axe DevTools, Lighthouse, keyboard-navigation, and focus-indicator checks. The suite is enforced on every pull request via CI.
Screen reader support
Adroyt is tested against the two most common screen-reader / browser pairings:
- NVDA with Mozilla Firefox
- VoiceOver with Apple Safari
Three critical flows — authenticated login → risks review, creating a new risk, and interacting with the AI side panel — are walked through manually each quarter.
Keyboard navigation
Every interactive element in Adroyt is reachable using only the keyboard. Tab order follows the visible reading order, focus indicators are always visible, and modals return focus to the triggering element on close. The AI side panel is fully inert when closed so it does not leak focusable children into the tab order.
Contrast
All foreground/background pairings meet WCAG AA contrast ratios (4.5:1 for body text, 3:1 for UI components and large text) in both the dark and light themes. Muted body text clears 7:1 for headroom.
Known limitations
- Gantt charts and complex data visualisations have limited screen reader support — we provide equivalent tabular data views as a fallback.
- Custom drag-and-drop interactions in the Kanban board do not currently expose a keyboard-only alternative. A keyboard DnD pattern is in the roadmap.
Reporting an accessibility issue
If you encounter an accessibility barrier, please email [email protected]. We aim to respond within two business days and, for WCAG-level failures, ship a fix in the next release cycle.
08
Vulnerability Disclosure
We operate a responsible disclosure programme. If you discover a security vulnerability, please report it to [email protected]. We acknowledge reports within 24 hours and aim to resolve critical issues within 72 hours. We do not pursue legal action against good-faith researchers.
09
Contact
By topic:
- Security questions and vulnerability reports: [email protected]
- Compliance documentation, audit reports, questionnaires: [email protected]
- Privacy and data-subject requests: [email protected]
- Accessibility: [email protected]