SOC 2 Type II
AION's roadmap targets SOC 2 Type II attestation against the Security, Availability and Confidentiality Trust Services Criteria. Until the formal report is issued, we publish our internal control documentation under NDA on request — access reviews, encryption settings, deployment controls and incident-response runbooks.
Data handling
Customer data is encrypted at rest (AES-256) and in transit (TLS 1.3). Access is role-based and audited; every access event is logged and retained for at least 24 months. Production data does not flow to development environments.
- Encryption at rest and TLS in transit on all customer data paths
- Role-based access control with quarterly access reviews
- Mandatory MFA for all employees and contractors
- Vendor security reviews for any third party that touches customer data
Breach response
AION maintains a written incident-response plan and rehearses it on a regular cadence. In the event of a confirmed breach, our policy is to notify affected customers within the timeframes required by each applicable state breach-notification law.
Privacy
We design our operations around the requirements of CCPA, CPRA, Virginia's CDPA, Colorado's CPA and other applicable state privacy laws. Our privacy policy describes the categories of personal information we collect, the purposes for which we use it, and the rights you have over it.