Security & Compliance

Your data, your keys. Not ours.

Financial data demands the highest standard of protection. Airtight goes beyond industry requirements with per-tenant encryption, cryptographic shredding, and zero-trust architecture.

Encryption: AES-256
Data residency: AU, US, EU, GCC
Architecture: Zero trust
Certification roadmap: SOC 2 Type II (target Q4 2026), ISO 27001 (target Q1 2027)

Per-tenant encryption

Every organisation on Airtight gets its own encryption keys. There is no single shared key whose compromise would expose every customer at once: your data is sealed in its own cryptographic envelope.

Key hierarchy: CMK (master) → KEK (wrapping) → DEK (per-tenant) → field key → your data

Data Encryption Keys (DEKs)

Each organisation gets its own AES-256 Data Encryption Key (DEK), and your financial data is encrypted at rest under it. The DEK never sits beside the data in the clear: it is wrapped (encrypted) by a Key Encryption Key (KEK), which is in turn protected by the master key (CMK), and the wrapped DEK is stored separately from the data it protects.

Key rotation

Keys rotate automatically without re-encrypting existing data. New data is written under the new key version; old data remains readable through the key version chain, which keeps every retired version for as long as a record written under it still exists. Zero downtime. Zero data loss.

Cryptographic shredding

When you delete your account, we destroy your encryption keys. Without the DEK the ciphertext becomes permanently unreadable, even by us, even under a court order. This is cryptographic deletion, not file deletion: the encrypted bytes may linger on disk or in a backup, but nothing can decrypt them once the key material is gone.

Bring Your Own Key (BYOK)

Enterprise customers can supply their own encryption keys, managed in their own cloud KMS (AWS KMS, Azure Key Vault, Google Cloud KMS). The wrapping key stays in your KMS, so you hold the keys. Literally.
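The whole per-tenant encryption section, as one worked example (added here; this is not Airtight's code, and the API and field names are illustrative): a per-tenant AES-256-GCM DEK wrapped under a KEK, a version chain so rotation never re-encrypts existing rows, cross-tenant binding through the AEAD's associated data, and shredding by discarding the wrapped DEKs. The in-memory KeyService stands in for the KMS layer; under BYOK the KEK would live in the customer's cloud KMS and the seal/open calls on it would become KMS wrap/unwrap requests. The sample invoice row is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// must turns a cannot-happen error (fixed 32-byte keys, OS CSPRNG) into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// gcm builds AES-256-GCM from a 32-byte key.
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal returns nonce || ciphertext || tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails on a wrong key, a wrong aad or any bit flip.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// label is the AAD that pins a ciphertext to one tenant and one key version.
func label(tenant string, v int) []byte { return []byte(fmt.Sprintf("%s:v%d", tenant, v)) }

// Record is the stored row: ciphertext plus the DEK version that produced it.
type Record struct {
	TenantID   string
	KeyVersion int
	Ciphertext []byte
}

// KeyService stands in for the KMS layer (or, under BYOK, the customer's KMS):
// one KEK, and per tenant a version chain of DEKs kept only in wrapped form.
type KeyService struct {
	kek     []byte
	wrapped map[string]map[int][]byte // tenant -> version -> DEK wrapped under the KEK
	current map[string]int            // tenant -> newest version
}

func NewKeyService() *KeyService {
	return &KeyService{kek: randBytes(32), wrapped: map[string]map[int][]byte{}, current: map[string]int{}}
}

// Rotate mints a fresh AES-256 DEK, wraps it under the KEK and makes it current.
// Older versions are kept so old rows stay readable; on a new tenant this is v1.
func (ks *KeyService) Rotate(tenant string) int {
	v := ks.current[tenant] + 1
	if ks.wrapped[tenant] == nil {
		ks.wrapped[tenant] = map[int][]byte{}
	}
	ks.wrapped[tenant][v] = seal(ks.kek, randBytes(32), label(tenant, v))
	ks.current[tenant] = v
	return v
}

// Shred is cryptographic deletion: every wrapped DEK for the tenant is dropped.
// Ciphertext rows may stay on disk or in backups; nothing can open them now.
func (ks *KeyService) Shred(tenant string) {
	delete(ks.wrapped, tenant)
	delete(ks.current, tenant)
}

// dek unwraps one key version; it is the only place a plaintext DEK exists.
func (ks *KeyService) dek(tenant string, v int) ([]byte, error) {
	if w, ok := ks.wrapped[tenant][v]; ok {
		return open(ks.kek, w, label(tenant, v))
	}
	return nil, fmt.Errorf("no DEK v%d for %q: shredded or never provisioned", v, tenant)
}

// Encrypt seals plaintext under the tenant's current DEK and records the version.
func (ks *KeyService) Encrypt(tenant string, plaintext []byte) (Record, error) {
	v := ks.current[tenant]
	dek, err := ks.dek(tenant, v)
	if err != nil {
		return Record{}, err
	}
	return Record{tenant, v, seal(dek, plaintext, label(tenant, v))}, nil
}

// Decrypt uses the version the row was written under; a ciphertext copied into
// another tenant's row fails because the AAD no longer matches.
func (ks *KeyService) Decrypt(r Record) ([]byte, error) {
	dek, err := ks.dek(r.TenantID, r.KeyVersion)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, label(r.TenantID, r.KeyVersion))
}

func main() {
	ks := NewKeyService()
	ks.Rotate("acme")
	r, _ := ks.Encrypt("acme", []byte("invoice 1042: 4,950.00 AUD")) // constructed sample row
	ks.Rotate("acme")                                                 // v2 is current; r still opens under v1
	pt, err := ks.Decrypt(r)
	fmt.Println(string(pt), err)
	ks.Shred("acme")
	_, err = ks.Decrypt(r)
	fmt.Println("after shred:", err)
}
```

Two things the example makes visible that the prose only implies: rotation alone leaves old rows under old key versions until they are rewritten, so Shred has to discard every version in the chain, not just the current one; and the tenant ID and version in the AAD mean a ciphertext lifted from one tenant's row cannot be replayed into another's even by someone with database write access.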

Infrastructure & architecture

Zero-trust network

Every request is authenticated and authorised regardless of where it originates; no trust is granted on the basis of network location. Services talk to each other over mutual TLS (mTLS), so both ends of every internal connection present a certificate. An API gateway fronts the platform with rate limiting and threat detection.

Data residency

Choose where your data lives: Australia, United States, European Union, or GCC. Data never leaves your chosen region. Compliant with GDPR and the Australian Privacy Act; DIFC data protection compliance is on the roadmap below.

Encryption in transit

TLS 1.3 is enforced on all connections, with no fallback to older protocol versions. HSTS headers carry a max-age of at least one year. Mobile applications pin the server certificate.
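The zero-trust and encryption-in-transit rules above, exercised end to end as an added example (not Airtight's code; the certificate names internal-ca, ledger-api, billing-worker and the rest are made up for the demo): an in-process CA issues a server and a client certificate, the server accepts only TLS 1.3 plus a client certificate chained to that CA and sets an HSTS header on every response, and four clients show which connections get through.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert issues a short-lived ECDSA P-256 certificate for cn, signed by
// parent/parentKey (self-signed when parent is nil). Loopback is in the SANs
// so the test server's 127.0.0.1 address verifies.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              []string{cn},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// newServer starts an HTTPS test server that enforces the transport rules:
// TLS 1.3 only, a client certificate chained to the internal CA on every
// connection (mTLS), and an HSTS header on every response.
func newServer(serverCert tls.Certificate, caPool *x509.CertPool) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		MinVersion:   tls.VersionTLS13,               // no fallback to TLS 1.2 or older
		ClientAuth:   tls.RequireAndVerifyClientCert, // unauthenticated peers are refused
		ClientCAs:    caPool,
	}
	srv.StartTLS()
	return srv
}

// call makes one GET with the given client TLS settings and summarises the
// response; a handshake failure or a post-handshake alert comes back as an error.
func call(url string, cfg *tls.Config) (string, error) {
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return fmt.Sprintf("%d %s hsts=%q", resp.StatusCode, body, resp.Header.Get("Strict-Transport-Security")), nil
}

// Run builds an internal CA, one server and four clients, and returns what
// each client got: the conforming client succeeds, the other three are refused.
func Run() map[string]string {
	caTLS, ca := newCert("internal-ca", true, nil, nil)
	caKey := caTLS.PrivateKey.(*ecdsa.PrivateKey)
	serverCert, _ := newCert("ledger-api", false, ca, caKey)
	clientCert, _ := newCert("billing-worker", false, ca, caKey)
	rogueTLS, rogue := newCert("rogue-ca", true, nil, nil) // a CA the server does not trust
	rogueCert, _ := newCert("impostor", false, rogue, rogueTLS.PrivateKey.(*ecdsa.PrivateKey))
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := newServer(serverCert, pool)
	defer srv.Close()

	out := map[string]string{}
	try := func(name string, cfg *tls.Config) {
		if s, err := call(srv.URL, cfg); err != nil {
			out[name] = "refused: " + err.Error()
		} else {
			out[name] = s
		}
	}
	try("good", &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{clientCert}, MinVersion: tls.VersionTLS13})
	try("no-client-cert", &tls.Config{RootCAs: pool})
	try("untrusted-client-cert", &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{rogueCert}})
	try("tls12-only", &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{clientCert}, MaxVersion: tls.VersionTLS12})
	return out
}

func main() {
	for name, result := range Run() {
		fmt.Printf("%-22s %s\n", name, result)
	}
}
```

The server config is the whole policy: MinVersion pins the protocol floor, RequireAndVerifyClientCert with ClientCAs turns every internal hop into an authenticated one, and the handler can read the verified peer identity from r.TLS.PeerCertificates instead of trusting a source address. Certificate pinning on the mobile side would sit in the client config (for example a VerifyPeerCertificate callback comparing the leaf's public key hash) and is not shown here.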

Penetration testing

Annual third-party penetration testing with results summary available on request. Continuous automated vulnerability scanning. Bug bounty program (launching Q3 2026).

Backup & disaster recovery

Automated hourly backups with point-in-time recovery. Cross-region replication for disaster recovery. Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 1 hour.

Uptime commitment

99.9% uptime SLA for Business and Professional plans. 99.99% uptime SLA for Enterprise. Transparent status page with real-time incident reporting.

Compliance roadmap

We are building toward the highest industry standards. Here is where we stand.

Standard                 Target    Status
GDPR                     Current   Compliant
Australian Privacy Act   Current   Compliant
PCI-DSS                  Current   Via payment processor
SOC 2 Type II            Q4 2026   Audit preparation underway
ISO 27001                Q1 2027   On certification roadmap
DIFC Data Protection     Q2 2027   On certification roadmap

Security questions? We have answers.

Our security team is available to discuss your requirements, provide documentation, and walk through our architecture.