Technical and Organizational Security Measures
Technical and organizational measures to ensure the security of the data
Description of the technical and organizational security measures implemented by the Processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks for the rights and freedoms of natural persons.
Technical and Organizational Security Measure | Descriptions |
Measures of pseudonymisation and encryption of Personal Data | Aerospike applies pseudonymisation where feasible and encrypts data in transit by Transport Layer Security (TLS 1.2+/1.3) and at rest (AES-128 or equivalent). Further, data transmitted between nodes is also encrypted using TLS. Keys are managed in a centralized KMS and role separation. |
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Aerospike ensures ongoing confidentiality, integrity, availability and resilience through risk-based Information Security Management Systems (ISMS) and controls including role-based access controls (RBAC), Multi-factor authentication (MFA), least-privilege, security information and event management (SIEM) monitoring, vulnerability/patch management, penetration testing, a secure software development life cycle (SDLC), encrypted backups with periodic restore testing, defined RTO (Recovery Time Objective) and RPO (Recovery Point Objective) targets, and independent third party audits. |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Aerospike maintains a Business Continuity and Disaster Recovery (“BCDR”) Plan aligned to ISO/IEC 27001 that defines roles and responsibilities and escalation paths for incidents that affect availability. Aerospike maintains an Incident Response Policy that aligns to ISO/IEC 27001 that covers detection, classification, containment, recovery, evidence preservation and post incident analysis. Incidents are tracked with root-cause and remediation details, and affected customers are notified in a timely manner. BCDR and Incident Response Policy are reviewed and tested on an annual basis. |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | Aerospike maintains a Vulnerability Management Program aligned with ISO/IEC 27001. The program includes continuous and scheduled vulnerability scanning of infrastructure and application components, risk-based vulnerability evaluation and prioritization, tracked remediation and change control, and verification of fixes. Aerospike utilizes trusted third-party tool(s) for static/dynamic and dependency scanning and applies patches or mitigation based on severity. Aerospike also conducts third party independent assurance activities, including SOC 2 Type II and ISO audits and periodic penetration tests, to assess the effectiveness of technical and organisational measures |
Measures for user identification, authorization, and event logging | Aerospike enforces user identification, authorization, and event logging through an ISO/IEC 27001-aligned Access Control Policy and Operations Security Policy. Users are provisioned and deprovisioned via documented onboarding/offboarding processes; access is granted on a least-privilege, RBAC and privileged access is restricted to authorized personnel on an as-needed basis. Strong authentication (MFA) is required for all Aerospike user accounts and remote access. Authentication, authorization and privileged-activity events are recorded, protected and retained for review and audit; alerting and review processes feed documented incident-response workflows for timely investigation and remediation. Periodic access reviews are performed and evidence of approvals, revocations and relevant session logs are retained to support audits and investigations. |
Measures for the protection of data during transmission | Aerospike encrypts data in transit by Transport Layer Security (TLS 1.2+/1.3). Further, data transmitted between nodes is also encrypted using TLS. |
Measures for the protection of data during storage | Aerospike encrypts all Customer Data at rest using industry-standard algorithms (AES-128 or equivalent). |
Measures for ensuring physical security of locations at which personal data are processed | Aerospike uses Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure that maintains industry-leading physical security controls to protect data centers where data is processed. These controls include but not limited to: Restricted access: Data centers are located in secure facilities with strictly limited physical access granted only to authorized personnel. 24/7 monitoring: Facilities are continuously monitored through video surveillance, intrusion detection systems, and on-site security staff. Multi-factor authentication: Physical access requires multiple layers of authentication such as biometric scans, security badges, and PINs. Environmental controls: Data centers employ fire detection and suppression systems, redundant power supplies, and climate controls to ensure data integrity and availability. Independent audits and certifications: All three providers hold recognized certifications such as ISO 27001, SOC 1/2/3, and compliance with standards including GDPR and CSA STAR, confirming adherence to rigorous physical and operational security standards.
|
Measures for ensuring system configuration, including default configuration | System configurations are managed through formally defined configuration management procedures to ensure that all systems are securely and consistently configured prior to deployment and throughout their lifecycle. Default configurations are reviewed and hardened in accordance with organizational security baselines and industry best practices before systems are placed into production. Unnecessary services, accounts, and ports are disabled or removed to reduce potential attack surfaces. Configuration standards are maintained in a centralized repository, and any changes to configurations follow the organization’s formal change management process, including review, approval, and documentation. Regular automated scans and periodic manual reviews are performed to verify that configurations remain compliant with approved security baselines. Deviations or unauthorized changes are detected through continuous monitoring and promptly remediated. |
Measures for internal IT and IT security governance and management | Aerospike maintains an Information Security Program aligned to ISO/IEC 27001. The Information Security Steering Committee (ISSC) governs the program; responsibilities, authorities and accountabilities are documented and measurable metrics are produced and reported to the ISSC and senior management. The program includes a policy lifecycle (creation, review and approval), a documented risk-management process and risk register, and measurable security metrics that are reported to ISSC and senior management. Key policies include Access Control, Operations Security, Incident Response, Vulnerability Management, Business Continuity & Disaster Recovery, Vendor Management and Data Protection, Change Management, and Patch Management. Assurance activities include periodic internal audits, control testing, and tracked remediation of findings. Pre-employment screening is performed in accordance with local law and role-based security training is provided during onboarding and at least annually. Policies, roles, metrics and remediation status are reviewed regularly and reported to ISSC and senior management. |
Measures for certification/assurance of processes and products | Aerospike maintains independent assurance through its ISO 27001 certification and SOC 2 Type II attestation. Copies of the certification and report are available to customers under NDA. Aerospike conducts regular internal audits and tracks all identified findings through a formal remediation process. |
Measures for ensuring data minimisation | Aerospike collects only the data necessary to deliver its products and services to our users. |
Measures for ensuring data quality | Aerospike implements controls to ensure the accuracy, completeness, and reliability of data throughout its lifecycle. Data quality is maintained through defined data handling procedures, access controls, and validation mechanisms. Reviews and checks help identify and correct inaccuracies. Additionally, change management and monitoring processes ensure that data integrity is preserved across systems and environments. |
Measures for allowing data portability, retention, and ensuring erasure | Customers have the ability to read, export or extract their data stored in the database at any time without restriction for purposes of data portability and retention outside the service. Aerospike implements backup retention policies and deletes backups at end-of-retention; upon subscription termination access to the cloud-hosted database ceases and data deletion/return procedures are followed per the agreement.. |
Technical and organizational measures of sub-processors | Aerospike maintains a Vendor Management Policy that requires due diligence, security questionnaire, contract clauses imposing security obligations, and at least annual review of critical vendors and sub-processors. Aerospike maintains the current sub processors list, and will notify customers of material changes per the DPA. |
Technical and Organizational Security Measures
Technical and organizational measures to ensure the security of the data
Description of the technical and organizational security measures implemented by the Processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks for the rights and freedoms of natural persons.
Technical and Organizational Security Measure | Descriptions |
Measures of pseudonymisation and encryption of Personal Data | Aerospike applies pseudonymisation where feasible and encrypts data in transit by Transport Layer Security (TLS 1.2+/1.3) and at rest (AES-128 or equivalent). Further, data transmitted between nodes is also encrypted using TLS. Keys are managed in a centralized KMS and role separation. |
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Aerospike ensures ongoing confidentiality, integrity, availability and resilience through risk-based Information Security Management Systems (ISMS) and controls including role-based access controls (RBAC), Multi-factor authentication (MFA), least-privilege, security information and event management (SIEM) monitoring, vulnerability/patch management, penetration testing, a secure software development life cycle (SDLC), encrypted backups with periodic restore testing, defined RTO (Recovery Time Objective) and RPO (Recovery Point Objective) targets, and independent third party audits. |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Aerospike maintains a Business Continuity and Disaster Recovery (“BCDR”) Plan aligned to ISO/IEC 27001 that defines roles and responsibilities and escalation paths for incidents that affect availability. Aerospike maintains an Incident Response Policy that aligns to ISO/IEC 27001 that covers detection, classification, containment, recovery, evidence preservation and post incident analysis. Incidents are tracked with root-cause and remediation details, and affected customers are notified in a timely manner. BCDR and Incident Response Policy are reviewed and tested on an annual basis. |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing | Aerospike maintains a Vulnerability Management Program aligned with ISO/IEC 27001. The program includes continuous and scheduled vulnerability scanning of infrastructure and application components, risk-based vulnerability evaluation and prioritization, tracked remediation and change control, and verification of fixes. Aerospike utilizes trusted third-party tool(s) for static/dynamic and dependency scanning and applies patches or mitigation based on severity. Aerospike also conducts third party independent assurance activities, including SOC 2 Type II and ISO audits and periodic penetration tests, to assess the effectiveness of technical and organisational measures |
Measures for user identification, authorization, and event logging | Aerospike enforces user identification, authorization, and event logging through an ISO/IEC 27001-aligned Access Control Policy and Operations Security Policy. Users are provisioned and deprovisioned via documented onboarding/offboarding processes; access is granted on a least-privilege, RBAC and privileged access is restricted to authorized personnel on an as-needed basis. Strong authentication (MFA) is required for all Aerospike user accounts and remote access. Authentication, authorization and privileged-activity events are recorded, protected and retained for review and audit; alerting and review processes feed documented incident-response workflows for timely investigation and remediation. Periodic access reviews are performed and evidence of approvals, revocations and relevant session logs are retained to support audits and investigations. |
Measures for the protection of data during transmission | Aerospike encrypts data in transit by Transport Layer Security (TLS 1.2+/1.3). Further, data transmitted between nodes is also encrypted using TLS. |
Measures for the protection of data during storage | Aerospike encrypts all Customer Data at rest using industry-standard algorithms (AES-128 or equivalent). |
Measures for ensuring physical security of locations at which personal data are processed | Aerospike uses Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure that maintains industry-leading physical security controls to protect data centers where data is processed. These controls include but not limited to: Restricted access: Data centers are located in secure facilities with strictly limited physical access granted only to authorized personnel. 24/7 monitoring: Facilities are continuously monitored through video surveillance, intrusion detection systems, and on-site security staff. Multi-factor authentication: Physical access requires multiple layers of authentication such as biometric scans, security badges, and PINs. Environmental controls: Data centers employ fire detection and suppression systems, redundant power supplies, and climate controls to ensure data integrity and availability. Independent audits and certifications: All three providers hold recognized certifications such as ISO 27001, SOC 1/2/3, and compliance with standards including GDPR and CSA STAR, confirming adherence to rigorous physical and operational security standards.
|
Measures for ensuring system configuration, including default configuration | System configurations are managed through formally defined configuration management procedures to ensure that all systems are securely and consistently configured prior to deployment and throughout their lifecycle. Default configurations are reviewed and hardened in accordance with organizational security baselines and industry best practices before systems are placed into production. Unnecessary services, accounts, and ports are disabled or removed to reduce potential attack surfaces. Configuration standards are maintained in a centralized repository, and any changes to configurations follow the organization’s formal change management process, including review, approval, and documentation. Regular automated scans and periodic manual reviews are performed to verify that configurations remain compliant with approved security baselines. Deviations or unauthorized changes are detected through continuous monitoring and promptly remediated. |
Measures for internal IT and IT security governance and management | Aerospike maintains an Information Security Program aligned to ISO/IEC 27001. The Information Security Steering Committee (ISSC) governs the program; responsibilities, authorities and accountabilities are documented and measurable metrics are produced and reported to the ISSC and senior management. The program includes a policy lifecycle (creation, review and approval), a documented risk-management process and risk register, and measurable security metrics that are reported to ISSC and senior management. Key policies include Access Control, Operations Security, Incident Response, Vulnerability Management, Business Continuity & Disaster Recovery, Vendor Management and Data Protection, Change Management, and Patch Management. Assurance activities include periodic internal audits, control testing, and tracked remediation of findings. Pre-employment screening is performed in accordance with local law and role-based security training is provided during onboarding and at least annually. Policies, roles, metrics and remediation status are reviewed regularly and reported to ISSC and senior management. |
Measures for certification/assurance of processes and products | Aerospike maintains independent assurance through its ISO 27001 certification and SOC 2 Type II attestation. Copies of the certification and report are available to customers under NDA. Aerospike conducts regular internal audits and tracks all identified findings through a formal remediation process. |
Measures for ensuring data minimisation | Aerospike collects only the data necessary to deliver its products and services to our users. |
Measures for ensuring data quality | Aerospike implements controls to ensure the accuracy, completeness, and reliability of data throughout its lifecycle. Data quality is maintained through defined data handling procedures, access controls, and validation mechanisms. Reviews and checks help identify and correct inaccuracies. Additionally, change management and monitoring processes ensure that data integrity is preserved across systems and environments. |
Measures for allowing data portability, retention, and ensuring erasure | Customers have the ability to read, export or extract their data stored in the database at any time without restriction for purposes of data portability and retention outside the service. Aerospike implements backup retention policies and deletes backups at end-of-retention; upon subscription termination access to the cloud-hosted database ceases and data deletion/return procedures are followed per the agreement.. |
Technical and organizational measures of sub-processors | Aerospike maintains a Vendor Management Policy that requires due diligence, security questionnaire, contract clauses imposing security obligations, and at least annual review of critical vendors and sub-processors. Aerospike maintains the current sub processors list, and will notify customers of material changes per the DPA. |