Security Policy
How aimp.dev protects customer data, platform integrity, and service availability.
Last updated: July 2026
1. Scope
This Security Policy describes the technical and organisational measures aimpworks ltd ("we", "us") applies to safeguard the aimp.dev platform, customer data, and related systems. It supplements our Privacy Policy and Data Processing Addendum.
This Policy is intended to provide transparency about our security practices. It is not a guarantee that security incidents will never occur.
2. Security Principles
- Confidentiality — protect data from unauthorised access.
- Integrity — keep systems and data accurate and unaltered.
- Availability — maintain resilient, recoverable services.
- Least privilege — limit access to what is required for each role.
- Defence in depth — layer controls across infrastructure, application, and operations.
- Privacy by design — minimise data collection and embed protection into product decisions.
3. Governance
We maintain an information security programme appropriate to the nature and scale of our Service. Security responsibilities are assigned internally, and we review controls as the platform evolves.
We align our practices with widely recognised frameworks and guidance where practical, including OWASP application security guidance and GDPR/UK GDPR requirements for technical and organisational measures. We do not represent that we hold specific third-party certifications unless we state otherwise in a signed agreement.
4. Infrastructure and Network Security
- Hosted on reputable cloud infrastructure with provider-level physical and network protections.
- Encrypted connections (TLS) for data in transit between users and the Service.
- Network segmentation and access boundaries between production and non-production environments where applicable.
- Monitoring and alerting for abnormal traffic, errors, and service health.
5. Application Security
- Secure development practices, including code review and dependency management.
- Authentication and session protections for user accounts.
- Role-based access controls for administrative functions.
- Input validation and protection against common web application vulnerabilities.
- Logging of security-relevant events for investigation and audit.
6. Data Security
- Encryption at rest for stored customer data where supported by our infrastructure.
- Logical separation of customer data using tenant and workspace boundaries.
- Backup and recovery procedures for critical platform data.
- Data minimisation — we collect and retain only what is needed to operate the Service.
- Unless expressly agreed otherwise, we do not use Customer Content to train foundation models.
7. Access Control
- Strong authentication requirements for internal access to production systems.
- Multi-factor authentication for privileged access where available.
- Access reviews and revocation when roles change or employment ends.
- Confidentiality obligations for personnel with access to customer data.
8. Incident Response
We maintain procedures to detect, investigate, contain, and remediate security incidents. Where a personal data breach affects Customer Personal Data processed on your behalf, we will notify affected business customers without undue delay as described in our Data Processing Addendum.
Security incidents may be reported to security@aimp.dev.
9. Subprocessors and Third Parties
We engage vetted service providers to help operate the Service. They are subject to contractual data protection and security obligations appropriate to the services they provide. Subprocessor categories are described in our Subprocessor List; specific vendor names are available to business customers on request.
10. Customer Responsibilities
- Use strong passwords and protect account credentials.
- Configure workspace access, retention, and sending settings appropriately.
- Review connected integrations and revoke access that is no longer needed.
- Report suspected security issues promptly.
- Ensure lawful basis and appropriate notices when uploading recipient or contact data.
11. Certifications and Regulated Frameworks
We do not currently represent that the Service is HIPAA-compliant or suitable for processing protected health information (PHI) unless expressly agreed in writing. Customers in regulated industries are responsible for assessing whether the Service meets their compliance requirements.
If you require evidence of our security controls for procurement or audit purposes — such as a completed security questionnaire or subprocessor details — contact us at the address below.
12. Contact
Security inquiries: security@aimp.dev
Privacy and DPA inquiries: privacy@aimp.dev