1. Security Governance
1.1 Information Security Programme
AAQUILIX maintains a formal Information Security Management System (ISMS) aligned to ISO/IEC 27001:2022. Our security programme is overseen by a designated Information Security Officer (ISO) and reviewed quarterly by executive leadership.
1.2 Policies and Standards
Our security policies — including acceptable use, access control, incident response, vendor management, and business continuity — are reviewed annually and after any material security event. All employees and contractors must acknowledge and comply with these policies.
1.3 Compliance Posture
- Information Security Management — Framework-aligned controls with certification work planned
- Audit readiness — Trust-control evidence workflows for Security, Availability, and Confidentiality
- GDPR / UK GDPR — Data processing and privacy controls
- India DPDPA 2023 — Digital Personal Data Protection Act compliance
- PCI DSS — Card data is processed solely by PCI-compliant processors (Stripe, Razorpay). AAQUILIX does not store, transmit, or process raw card data.
2. Data Architecture and Sovereignty
The AAQUILIX Platform is built on a client-local AI architecture:
- The AI brain, GoalSet engine, and all automation agents run inside the customer's network
- Infrastructure telemetry, configuration data, and runbook content are never transmitted to or stored on AAQUILIX infrastructure
- The AAQUILIX SaaS layer handles only account management, licensing, audit log summaries, and anonymised platform health metrics
- This architecture eliminates central data store breach risk for customer infrastructure data
3. Encryption
In Transit
- All data transmitted between clients and www.aaquilix.com is encrypted using TLS 1.3 (minimum TLS 1.2)
- HTTP Strict Transport Security (HSTS) with a one-year max-age is enforced
- All API communications between AAQUILIX agents and the customer's local AAQUILIX server use mTLS with customer-generated certificates
At Rest
- All data stored in AAQUILIX-controlled databases is encrypted at rest using AES-256
- Database encryption keys are managed via a dedicated key management service with quarterly rotation
- Backups are encrypted using the same standard
4. Access Control
- Principle of least privilege: All internal access to production systems is restricted to the minimum required for job function
- Multi-factor authentication (MFA): Mandatory for all AAQUILIX employees accessing production systems, admin consoles, and cloud provider consoles
- Privileged access management (PAM): Privileged access is time-limited, session-recorded, and requires dual-approval for sensitive operations
- Role-based access control (RBAC): Customer tenant access is governed by RBAC; tenant isolation is enforced at the database layer
- Access reviews: Quarterly reviews of all production system access rights; immediate revocation upon employee offboarding
- Zero-trust networking: Internal services do not assume implicit trust based on network location; all service-to-service communication is authenticated
5. Network Security
- Production infrastructure is hosted in private VPCs with no direct public internet access
- Web Application Firewall (WAF) with OWASP Top 10 rule sets applied to all public endpoints
- DDoS protection at the network and application layers
- Network segmentation between public, application, and database tiers
- Outbound traffic from production filtered through egress inspection
- Intrusion detection and prevention systems (IDS/IPS) on production networks
6. Vulnerability Management
- Dependency scanning: All application dependencies are scanned for known CVEs on every build using automated SAST/DAST tooling
- Penetration testing: Annual external penetration tests by an independent qualified firm; critical findings remediated within 14 days
- Patch management: OS and middleware security patches applied within 72 hours of critical/high CVE disclosure; standard patches within 30 days
- Container security: Base images scanned and rebuilt monthly; no root-privilege containers in production
- Bug bounty: Responsible disclosure programme — security researchers may report vulnerabilities to support@aaquilix.com
7. Security Monitoring and Logging
- Centralised SIEM with 24×7 alerting on anomalous patterns, failed authentication, privilege escalation, and data exfiltration indicators
- All administrative actions on production systems are logged with user identity, timestamp, and action detail
- Logs are immutable, encrypted, and retained for a minimum of 2 years
- Security alerts are triaged by on-call engineers within 15 minutes for critical alerts, 2 hours for high
- Customer-facing audit logs for all AAQUILIX agent actions are available within each tenant dashboard
8. Incident Response
8.1 Response Process
AAQUILIX maintains a documented Incident Response Plan (IRP) covering: detection, classification, containment, eradication, recovery, and post-incident review. The IRP is tested via tabletop exercises at least annually.
8.2 Classification
| Severity | Definition | Response SLA |
|---|---|---|
| Critical (P1) | Active breach, data exfiltration, platform outage affecting all customers | 15 minutes acknowledge, 1 hour response |
| High (P2) | Potential breach, significant vulnerability exploited, single-customer impact | 1 hour acknowledge, 4 hours response |
| Medium (P3) | Security anomaly under investigation, minor availability impact | 4 hours acknowledge, 24 hours response |
| Low (P4) | Non-impacting security observation, policy violation, failed intrusion attempt | 24 hours acknowledge, 72 hours response |
8.3 Customer Notification
In the event of a confirmed personal data breach affecting customer data, AAQUILIX will notify affected enterprise customers within 72 hours of becoming aware of the breach, consistent with GDPR Article 33 requirements. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed.
Customers should report suspected security incidents to: support@aaquilix.com
9. Employee Security
- Background verification checks for all new employees and contractors with access to production systems
- Mandatory security awareness training on hire and annually thereafter
- Phishing simulation exercises run quarterly
- Confidentiality and data handling clauses in all employment contracts
- Immediate access revocation upon employee offboarding via automated identity lifecycle management
10. Physical Security
AAQUILIX offices are secured with badge access control, CCTV coverage, and visitor management. Production infrastructure is hosted exclusively in third-party audited cloud data centres. AAQUILIX does not operate its own data centres. Cloud providers maintain physical security controls including biometric access, 24×7 guards, and environmental monitoring.
11. Business Continuity and Disaster Recovery
- Recovery Time Objective (RTO): 4 hours for critical Platform services
- Recovery Point Objective (RPO): 1 hour for all platform data
- Automated database backups every hour; full daily backups retained for 30 days
- Multi-region failover capability for the AAQUILIX SaaS layer
- DR exercises conducted at least semi-annually
- Business Continuity Plan (BCP) reviewed annually
12. Third-Party and Vendor Security
All vendors with access to AAQUILIX systems or customer data undergo security assessment prior to onboarding. Vendor security is reviewed annually. Contracts with vendors include data processing obligations, security requirements, and audit rights. A list of sub-processors is maintained in our Data Processing Agreement.
13. Responsible Disclosure
We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please report it confidentially to support@aaquilix.com. Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to investigate and remediate. We commit to acknowledging valid reports within 48 hours and providing updates on remediation progress.
14. Contact
Security concerns and vulnerability reports: support@aaquilix.com
General enquiries: sales@aaquilix.com
AAQUILIX, Bangalore, Karnataka 560001, India