Aplii – Security

1

Data Residency

All data stored and processed in AWS US region.

2

Full Encryption (SSL/TLS)

All data transferred within Aplii's architecture - including communication with CRM/ERP systems and all internal service calls - is encrypted via TLS 1.2+ end-to-end.

There is no plaintext transmission at any stage.

3

Token Encryption

Aplii does not store or encrypt full customer datasets. The only sensitive information stored is OAuth tokens.

Tokens are encrypted using an internal encryption key (AES-based), managed and rotated by Aplii. Decryption is possible only within the Lambda execution environment during runtime.

Tokens are never exposed externally
No API endpoint exists to retrieve them
No local copies are kept

4

JWT User Authentication

Aplii uses secure JWT tokens for user sessions:

JWTs contain only minimal identification information (no sensitive personal data)
Tokens are digitally signed and validated on every request
Session management follows industry best practices

5

Scoped Access

Aplii requests only the permissions required for the specific operation the user initiates:

Most workflows use read-only permissions
In some integrations optional write scopes may exist, but Aplii does not perform write operations as part of its integration design
Principle of least privilege is enforced throughout the platform

6

No Raw Dataset Storage

Aplii does not store raw customer integration datasets:

Only minimal processed outputs are retained - such as aggregated metrics, insights, and dashboards necessary for the service to function. In some cases, this may include small, derived portions of data strictly limited to what is required for generating those outputs.
We strictly follow data-minimization principles, storing only what is required for analytics and never keeping full raw records.

7

Claude/GPT API (SOC 2 Compliant)

Aplii uses the Claude API (Anthropic) and GPT (OpenAI), which is SOC 2 Type II compliant.

Only minimal aggregated data is sent - never raw customer integration datasets or sensitive customer information.

8

Environment Isolation

Each organization's data is fully isolated logically:

No cross-tenant access is possible.

9

Customer-Controlled Access

Customers maintain complete control over their data access:

Customers can revoke Aplii's access at any time using the native OAuth permissions management in their CRM/ERP systems
No vendor lock-in or complex disconnection procedures
Immediate access revocation takes effect across all systems

10

SOC 2 Roadmap

Aplii follows industry best practices such as encryption in transit, key-based token protection, scoped access, and data minimization.

We are expanding our internal controls around logging, monitoring, and permission management as part of our planned SOC 2 Type II compliance roadmap.

SOC 2 Type II included in security roadmap