SOC 2 Type II (in audit) | ISO 27001 (in audit) | GDPR | HIPAA-Ready | Architected for 99.99%

Enterprise-Grade by Default

Deployed in isolated environments, secured by native SAML/OIDC identity, and architected for 99.99% availability. Aforo meets the strictest procurement and compliance requirements: SOC 2 Type II and ISO 27001 audits underway, GDPR-compliant data processing, and a HIPAA BAA available on request.

Trust Center

Four Pillars of Enterprise Readiness

Security, identity, infrastructure, and support: each pillar is engineered to clear your most rigorous procurement reviews.

SECURITY & COMPLIANCE

Compliance-ready architecture

SOC 2 Type II audit underway (report available on completion)
ISO 27001 audit underway
GDPR & CCPA Data Processor Compliant
HIPAA-Ready (BAA available on request)
PCI-DSS via Stripe SAQ-A
256-bit AES encryption at rest and in transit

IDENTITY & ACCESS MANAGEMENT

Zero-Trust Architecture

Native SAML 2.0 & OIDC integration
Granular Role-Based Access Control (RBAC)
Enforced MFA at the tenant level
Custom Session TTL policies

DEPLOYMENT & INFRASTRUCTURE

Isolated & Resilient

Logical and physical tenant database isolation
AWS / GCP VPC Peering Options
Architected for 99.99% availability (status page link in footer)
Multi-Region redundancy

SUPPORT & OPERATIONS

White-Glove Support

Dedicated Technical Account Manager (TAM)
Shared Slack Connect Channel for real-time triage
Custom MSAs & Invoicing
24/7 Severity 1 incident paging

99.99%

Architected for

High-availability design; see status page

AES-256

Encryption standard

At rest and in transit

<4 hrs

Sev-1 response target

Available with Enterprise SLA

Zero

Cross-tenant data risk

Full logical isolation

Security Architecture

Defense in Depth, by Design

Not bolted on after launch. Every security control is part of the core architecture from day one.

Data Encryption

01 AES-256-GCM encryption for all credentials and secrets at rest
02 TLS 1.3 enforced on all service-to-service communication
03 Per-tenant encryption key derivation, no shared master key exposure

Identity & Authentication

01 Enterprise SSO via SAML 2.0, OIDC, and OAuth 2.0 with PKCE
02 Tenant-level MFA enforcement with configurable session TTL
03 JWT-based inter-service auth with short-lived, non-replayable tokens

Tenant Isolation

01 Separate database schemas per tenant, no shared tables, no row-level filtering
02 Isolated Redis cache keyspaces, Kafka topic prefixes, and event streams
03 TenantContext propagation enforced on every service call, scheduler, and async worker

Audit & Observability

01 Immutable, append-only audit trail on every configuration and financial change
02 Distributed tracing (OpenTelemetry) across all 11 microservices
03 Exportable audit logs for SOC 2 evidence collection and vendor security reviews

Procurement Ready

Pass your vendor security review on the first attempt

SOC 2 Type II audit underway, report shareable on completion under NDA
ISO 27001 audit underway
GDPR Data Processing Agreement (DPA) executed on request
HIPAA Business Associate Agreement (BAA) available on request
PCI-DSS via Stripe (SAQ-A)
Annual penetration test results shareable under NDA
Custom MSA and security addendum supported
Dedicated CSM and TAM assigned for Enterprise contracts
Custom SLA terms documented in Enterprise contract
Data residency options (US, EU) with isolation guarantees

Ready to clear your security review?

Our enterprise team will walk your InfoSec, Engineering, and Procurement stakeholders through the full security architecture, compliance posture, and deployment options.