Security
Last updated: 2 May 2026
Aucava takes security seriously. This page describes how we run our platform and how you can contact us if you've found something.
Platform security at a glance
- Hosting: Amazon Web Services, UK and EU regions only.
- Transport: TLS 1.2 or higher with HSTS on every public endpoint.
- Encryption at rest: tenant data encrypted at rest with per-tenant key isolation.
- Access control: least-privilege access with multi-factor authentication required for all engineering access.
- Audit: infrastructure audit logging plus an application-level audit trail. Logs retained for the duration of the customer contract.
- Dependency hygiene: automated dependency scanning on every build.
- Vendor attestations: attestations passed through from our underlying infrastructure providers. Relevant attestation letters are available to prospective customers on request under NDA.
Responsible disclosure
If you believe you have found a security vulnerability in Aucava, please email security@aucava.ai. We prefer plain email. Encrypted mail is welcome (PGP key available on request).
In scope:
- aucava.ai (the marketing website).
- The Aucava Slack app.
- Named production services and endpoints disclosed to a researcher by Aucava in response to a scoping email.
If you have discovered something on an unlisted host or subdomain that you believe belongs to Aucava, please email us first rather than probing further. We will confirm whether it is in scope and expand the engagement if appropriate.
Out of scope:
- Third-party vendor infrastructure we do not own (AWS, Vercel, Slack, etc.).
- Denial-of-service or volumetric testing without prior written authorisation.
- Social engineering attacks against our staff or customers.
Our commitments:
- We will acknowledge your report within two UK business days.
- We will provide an update on triage and remediation within ten UK business days.
- We will not pursue legal action against good-faith security researchers who follow this policy.
- We are happy to credit you publicly once an issue is remediated, if you would like.
Contact
Security contact: security@aucava.ai
Machine-readable policy: /.well-known/security.txt