Security & Compliance
Data Processing Roles
Under GDPR:
- You (the customer) are the Data Controller — you determine what data is processed and for what purpose
- Aito (Episto Oy) is the Data Processor — we process data only as instructed by you
We process only the data you explicitly send to your Aito instance. We do not access, analyze, or use your data for any purpose other than providing the service.
Data Location & Hosting
All Aito infrastructure is hosted in the EU (Ireland, eu-west-1) on Amazon Web Services (AWS).
| Component | Location | Provider |
|---|---|---|
| Application hosting | EU | Heroku (EU region) |
| Database (PostgreSQL) | EU (Ireland) | AWS RDS |
| Object storage | EU (Ireland) | AWS S3 |
| Authentication | EU | Auth0 |
| Payment processing | EU | Stripe |
Tenant Isolation
Each Aito instance operates in isolation:
- Dedicated compute resources for Dev and Production plans
- Sandbox plans share infrastructure but data is logically separated
- No cross-tenant data access — your data is never accessible to other customers
Authentication & Access Control
- API key authentication for all API access
- Multiple API keys supported per instance
- Key rotation available at any time through the console
- No shared credentials — each customer manages their own keys
Encryption
- In transit: All API communication uses TLS 1.2+
- At rest: AWS-managed encryption for RDS and S3 storage
Data Retention
| Data Type | Retention Period |
|---|---|
| Trial instance data | 7 days after trial ends |
| API request logs | 60 days |
| Authentication logs | 30 days |
| Database backups | 7 days (production) |
Subprocessors
Aito uses the following third-party services to provide the platform:
| Subprocessor | Purpose | Data Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure (EC2, S3, RDS, CloudWatch, API Gateway, SQS, Lambda) | EU (Ireland) |
| Auth0 | Authentication & identity management | EU |
| Stripe | Payment processing | EU |
| Heroku | Application hosting | EU |
| Papertrail | Log aggregation (operational logs only, no customer data) | US |
Certifications
Aito does not currently hold SOC 2 or ISO 27001 certifications. We implement industry-standard security practices and are happy to discuss our security posture in detail for enterprise evaluations.
GDPR Rights
You retain full control over your data:
- Access: Export your data at any time via the API
- Deletion: Delete individual records or entire instances through the console
- Portability: Standard JSON format for all data export
Questions?
For security questionnaires or detailed compliance discussions, please contact us.
Address
Episto Oy
Putouskuja 6 a 2
01600 Vantaa
Finland
VAT ID FI34337429
