Security is a product requirement — not a brochure.
One security program across Studio, Labs, Arcade, and Reads. Below: the controls we operate today and the targets we hold ourselves to. Where a control is being scaled up alongside customer demand, we say so explicitly.
This page describes Acilox's security operating model — the controls we maintain, the targets we set, and the standards we measure ourselves against. It is not a third-party attestation. For independent assurance, see /trust/compliance (SOC 2 Type II in progress, ISO 27001 planned). Enterprise customers can request the full security questionnaire and current evidence pack via security@acilox.com.
Governed, measured, and reviewed.
Governance
Our Chief Information Security Officer owns the information security program — risk register, vendor reviews, policy updates, and customer diligence. Engineering and legal partner on controls that touch product architecture and contracts.
Assurance in progress
We are working toward SOC 2 Type II and ISO 27001 alignment — see Compliance for current status. Nothing on this page implies a certification we have not published yet.
In transit and at rest.
- In transit: TLS 1.2+ for customer-facing services; modern cipher suites; HSTS where applicable.
- At rest: AES-256 (or provider-equivalent) for persisted data in managed storage tiers.
Identity and access.
- Enterprise: SSO/SAML on Enterprise plans where offered for Labs products.
- MFA: Available for supported accounts; we recommend enabling it organization-wide.
- Password policy: Reasonable minimums, breach checks where supported, and lockouts aligned to abuse prevention.
How we build and ship software.
- SDLC controls — design review for sensitive changes, threat modeling where appropriate
- Code review on meaningful changes; protected default branches
- Dependency scanning and patch management with SLAs by severity
- Vulnerability management — intake via coordinated disclosure; see /legal/security-disclosure
Cloud providers and segmentation.
Production workloads run on cloud infrastructure providers listed in the sub-processor register, with least-privilege access, network controls, and environment separation appropriate to each product surface. Hyperscaler tenancy (AWS / Google Cloud) is added to that register as Labs products move from beta to general availability.
Detection and auditability.
Centralized logging, metrics, and alerting back our on-call rotation. Access to logs is restricted and reviewed; retention varies by system and legal obligations — your order form or DPA describes what applies to your account.
When something breaks.
We maintain a 24/7 on-call rotation for production systems. Incidents are triaged by severity; customers affected by a material event receive timely communication. We publish post-mortems internally and share externally when customer impact warrants it.
Targets — not guarantees.
We target RTO 4 hours and RPO 1 hour for core production services. Targets describe our design intent; actual recovery depends on incident type — your enterprise agreement may include service-specific commitments.
Third-party validation.
We run annual third-party penetration testing against material internet-facing surfaces. Findings are tracked to remediation with severity-based SLAs.
People and devices.
We conduct background checks where permitted by law, require security training for engineers, and enforce device hardening policies for roles with elevated access. Access is revoked promptly on role change or offboarding.
Questions for your security team?
Send questionnaires, architecture reviews, and urgent concerns to security@acilox.com. We coordinate with product and legal so you get accurate answers — not generic deflection.