Security

This page summarizes Apshan's security posture. The detailed Technical and Organizational Measures document and the DPA govern in case of inconsistency.

Last reviewed: May 2, 2026 · Next review: August 2, 2026

Posture

Security is the operational ground truth behind the Trust page. This page documents what Apshan does today, what is on the audited roadmap, and what is available on request.

Apshan applies industry-standard technical and organizational measures appropriate to the risk profile of the data we process, in accordance with GDPR Article 32. The list below is a summary; the underlying Technical and Organizational Measures (TOMs) document is available on request under the DPA.

Encryption

Apshan encrypts personal data in transit and at rest. There is no condition under which personal data is transmitted or stored unencrypted on Apshan systems.

In transit
TLS 1.3 (with TLS 1.2 fallback for legacy compatibility). HSTS preload. Modern cipher suites only.
At rest
AES-256 for data stored on Apshan-controlled infrastructure. Backups encrypted with separate keys.
Key management
Provider-managed key services with regular rotation.
Email and secrets
No personal data is transmitted unencrypted by email. Secrets are stored in a provider-managed secrets vault, never in source code or configuration files.

Access control

Apshan applies the principle of least privilege. Access to systems handling personal data is restricted, logged, and reviewed.

Multi-factor authentication
Required for all Apshan team accounts that access systems holding personal data. Customer-facing MFA available at signup; required on enterprise tiers.
Single sign-on
SSO (SAML and OIDC) available for enterprise customers, with SCIM provisioning where supported.
Role-based access
Internal access is role-bound. Role assignments are reviewed on a regular cadence and revoked promptly upon role change or departure.
Audit logs
Privileged actions on production systems are logged and retained per the Privacy policy retention schedule.

Infrastructure

Production infrastructure handling personal data runs in the European Union. Production and non-production environments are separated. Networks are segmented and externally exposed surfaces are minimized.

The named hosting provider and its data-residency profile are disclosed in the Legal notice. The list of subprocessors and the data category each processes is published at /subprocessors.

Vulnerability management

Apshan continuously monitors for vulnerabilities and applies patches on a defined cadence. Risk is assessed against severity, exploitability, and exposure.

Continuous scanning
Automated scanning of dependencies, container images, and externally exposed services. Critical vulnerabilities patched on an expedited timeline.
Code review
Changes to systems handling personal data are peer-reviewed before deployment. Static analysis is enforced in continuous integration.
Responsible disclosure
Security researchers may report vulnerabilities to security@apshan.com. Good-faith research that follows our responsible disclosure expectations will not be treated as a violation of the Acceptable Use Policy.

Customer data handling

Customer Data is encrypted, isolated by tenant, and processed solely to deliver the Service. Apshan does not use Customer Data to train AI models, does not sell Customer Data, and does not use it for advertising profiling.

Customer queries are kept inside your session. Retention and deletion are documented per data category in the Privacy policy. Data subject access requests are handled per the process documented at /data-requests.

Incident response

Apshan operates a defined incident response process covering detection, containment, eradication, recovery, and post-incident review.

Authority notification
Personal-data breaches notified to the CNIL within seventy-two hours of discovery, per GDPR Article 33.
Customer notification
Affected customers and data subjects informed without undue delay where the breach is likely to result in a high risk to their rights and freedoms, per GDPR Article 34.
Evidence preservation
Logs and artifacts relevant to the incident preserved for investigation and regulatory cooperation.
Post-incident review
Each significant incident is followed by a written review documenting root cause, remediation, and preventive actions.

Compliance roadmap

Apshan is honest about its current compliance state. Below is what is in place today and what is on the audited roadmap.

GDPR and Loi Informatique et Libertés
In effect today. Documented in the Privacy policy and the DPA.
EU AI Act (Limited Risk)
Posture in effect today. Article 50 transparency obligations met inline at every product surface from launch.
SOC 2 Type II
On the compliance roadmap.
ISO/IEC 27001
On the compliance roadmap.
Sector certifications
Evaluated based on enterprise customer demand.

Status changes are reflected on this page within thirty days.

Documents available on request

The following are available to enterprise customers and prospects under a mutual non-disclosure agreement or signed DPA:

  • Data Processing Addendum (DPA), incorporating Standard Contractual Clauses for any non-EU transfer;
  • Technical and Organizational Measures (TOMs) document;
  • Records of Processing Activities (ROPA) summary;
  • Subprocessor change-notice subscription;
  • Penetration test executive summary (after the first audit).

Request access through your account manager or write to security@apshan.com.

Where to learn more

Trust
The compliance posture narrative: /trust.
Privacy
Data flows, retention, and your rights: /privacy.
Subprocessors
Named third parties that process data on our behalf: /subprocessors.
Data requests
DSAR submission process: /data-requests.
Acceptable use
Conduct rules, including responsible-disclosure expectations: /aup.

Contact

security@apshan.com
Apshan, 6 Rue d'Armaillé, 75017 Paris, France.
