Security Addendum
Last updated: March 23, 2026 · v1.1
This Security Addendum ("Addendum") describes the technical and organizational security measures that Aperture Technologies, Inc. ("Aperture") maintains in connection with the Service. This Addendum is incorporated by reference into the Terms of Service and any applicable Order Form between Aperture and Customer. Capitalized terms not defined herein have the meanings given in the Terms of Service.
1. Audits and Certifications
Aperture maintains a risk-based security program for the Service. Upon written request and subject to appropriate confidentiality restrictions, Aperture will provide the then-current security documentation that it is authorized to share. Certifications held by an infrastructure provider do not constitute a certification of Aperture.
2. Hosting and Data Storage
The Service is cloud-based and uses Google Cloud infrastructure and other approved subprocessors. The applicable Order Form or subprocessor notice identifies any contractually committed data location. Production Customer Data is processed within the controlled cloud environment and is not intentionally stored on employee-managed personal systems.
3. Encryption
- At rest: All Customer Data is encrypted at rest using AES 256-bit encryption or a stronger algorithm.
- In transit: All Customer Data transmitted between Customer systems and the Service is encrypted using TLS 1.2 or a stronger protocol.
- Key management: Encryption keys are managed through cloud key-management controls and are separated from the Customer Data they protect according to the Service's current architecture.
4. System and Network Security
- Production access is restricted through individually attributable identities, role-based authorization, and multi-factor authentication where supported by the relevant service.
- Credentials and secrets are managed through controlled identity, secret-management, and key-management services rather than embedded in the public application.
- Aperture uses logging, monitoring, dependency review, and vulnerability-management processes appropriate to the Service's current risk profile.
- Security testing and remediation priorities are determined by risk, exploitability, affected data, and contractual requirements. Current testing scope and remediation commitments are provided only where documented in the applicable agreement or security package.
5. Administrative Controls
- All personnel with access to Customer Data or Confidential Information are bound by written confidentiality agreements.
- Personnel access is limited according to role and business need and is removed when that need ends.
- Security and data-protection responsibilities are communicated to personnel with access to Customer Data. Any screening, training, or review cadence is governed by Aperture's then-current documented policies and applicable law.
6. Session Isolation
The Aperture platform is designed to enforce per-pipeline session isolation through session-scoped data boundaries, application authorization, and infrastructure controls. These controls are intended to prevent one Customer or pipeline session from accessing data belonging to another.
7. Vendors and Subprocessors
Aperture requires all vendors and subprocessors with access to Customer Data to maintain security standards that are consistent with or exceed the obligations set forth in this Addendum. Vendor security assessments are conducted prior to engagement and reviewed on a periodic basis. A current subprocessor list is available on request at security@runaperture.com.
8. Physical Data Center Controls
Physical and environmental controls for production infrastructure are operated by Google Cloud and any other approved hosting subprocessors. The scope and validation of those controls are described in the applicable provider documentation and certifications, which belong to the provider rather than Aperture. These controls generally include:
- Controlled building access with multi-layered physical security, including badge access, biometric verification, and visitor management;
- Closed-circuit television (CCTV) monitoring and recording at facility entry points and critical infrastructure areas;
- Fire detection and suppression systems;
- Backup power and redundancy systems to maintain availability during infrastructure failures;
- Climate control and environmental monitoring to protect equipment from temperature, humidity, and other environmental hazards.
9. Incident Detection and Response
In the event of a confirmed security incident affecting Customer Data ("Security Incident"), Aperture will:
- Notify Customer without undue delay and within any period required by applicable law or the governing agreement, using Customer's designated security contact;
- Take reasonable steps to contain and mitigate the effects of the Security Incident;
- Preserve relevant logs and evidence according to the applicable retention class, legal hold, and contractual requirements;
- Provide Customer with the following information, to the extent known at the time of notification and supplemented as additional information becomes available:
- The nature and scope of the Security Incident;
- The likely consequences of the Security Incident;
- The status of Aperture's investigation; and
- The measures taken or proposed to contain and mitigate the Security Incident.
10. Audit Logging
Aperture creates audit records for security-relevant events supported by the Service, including access, administrative actions, and material state changes. Retention depends on record class, legal hold, customer agreement, and operational need. Controls for integrity and access are applied according to the relevant storage system and retention class.
11. Customer Audit Rights
- Upon reasonable written request, Aperture will provide then-current security documentation that Aperture is authorized to share, subject to confidentiality restrictions.
- Aperture will respond to reasonable security questions within a commercially reasonable timeframe. The scope of any questionnaire, audit, or report commitment is governed by the applicable agreement.
- Aperture may engage qualified independent specialists when appropriate to investigate a Security Incident. Any customer-facing report or cost commitment will be governed by the applicable agreement and legal obligations.
12. Customer Responsibilities
Customer is responsible for the following security obligations in connection with its use of the Service:
- Ensuring that its use of the Service complies with the authorized use terms set forth in the Terms of Service and the applicable Order Form;
- Maintaining the confidentiality and security of all access credentials, API keys, and authentication tokens issued to Customer and its authorized users;
- Ensuring that Customer's IT systems, devices, and software used to access the Service are current, properly configured, and maintained with up-to-date security patches.
13. Business Continuity and Disaster Recovery
Aperture maintains continuity and recovery procedures proportionate to the Service's current architecture and risk profile. Those procedures are designed to address:
- Service restoration and dependency recovery;
- Customer and internal communication during a material disruption;
- Recovery objectives or other commitments documented in the applicable agreement.
Questions about this Security Addendum should be directed to security@runaperture.com