Security and compliance built into every layer.

AACFlow is designed for enterprises that operate in regulated industries. SOC 2 Type II certified, GDPR-compliant, and equipped with the controls your security team expects.

Certifications & compliance

SOC 2 Type II
Annually audited by an independent third party
GDPR
EU data protection regulation compliant
CCPA
California Consumer Privacy Act compliant
ISO 27001
Information security management certified

Security features

A complete set of controls to protect your data and meet your compliance requirements.

Encryption at Rest & in Transit

All data encrypted with AES-256 at rest. All connections secured with TLS 1.3. Encryption keys managed per-tenant.

Single Sign-On (SSO)

SAML 2.0 and OIDC support for all major identity providers including Okta, Azure AD, Google Workspace, and PingIdentity.

SCIM Provisioning

Automatic user lifecycle management. New employees get access on day one. Deprovisioning happens instantly on termination.

Audit Logs

Immutable audit log of every action: who accessed what, when, and from where. Export to your SIEM in real time.

Data Residency

Choose where your data is stored: EU, US, or bring your own cloud region. Data never crosses region boundaries.

Zero-Trust Architecture

Every request authenticated and authorized at the API layer. No implicit trust between services. Network segmentation by default.

Frequently asked questions

Can I request a copy of the SOC 2 report?

Yes. Enterprise customers can request our SOC 2 Type II report under NDA. Contact your account manager or our security team at security@aacflow.com.

Where is my data stored?

By default, data is stored in the region you select during sign-up (EU or US). Enterprise customers can specify a custom region or configure a bring-your-own-cloud setup.

What is your breach response process?

In the event of a confirmed breach, AACFlow will notify affected customers within 72 hours as required by GDPR. Our incident response plan is available to enterprise customers on request.

Where can I find your list of subprocessors?

Our subprocessor list is maintained publicly in our security documentation and updated when new subprocessors are added. Enterprise customers are notified 30 days in advance of changes.

Ready to discuss your security requirements?

Our security team is available for detailed technical reviews and compliance questionnaires.