Information Security Policy

ARANOVA implements the following technical and organisational measures to ensure the security, confidentiality, integrity, and availability of information processed on Aprendly, in accordance with Article 32 of the GDPR.

1. Encryption

  • In transit: TLS 1.3 minimum. HSTS enabled.
  • At rest: AES-256 for stored data, databases, and backups.

2. Access Control

  • Users: OAuth 2.0 / NextAuth.js. Passwords stored as bcrypt hashes. JWT sessions with expiry.
  • Staff: Mandatory multi-factor authentication (MFA). Principle of least privilege. Access logging. Quarterly permission reviews.

3. Backups

  • Daily full backups, AES-256 encrypted, 30-day retention, geographically separate storage. Monthly restoration tests.

4. Monitoring

  • Centralised logging. Continuous intrusion detection. Alerts for critical events.

5. Vulnerability Management

  • Weekly dependency updates (Dependabot/Renovate/AiSecBoox). SAST in CI/CD pipeline. Annual penetration testing.

6. Secure Development

  • All changes pass code review and automated tests. Secrets managed exclusively via environment variables. Automated dependency auditing.

7. Incident Management

  • Detection: Reported via designated channel.
  • Response: Initial response within 4 hours. Containment within 8 hours.
  • Notification: AEPD within 72 hours of a personal data breach. Affected users notified without undue delay if high risk.
  • Post-mortem: Root cause analysis and corrective measures.

8. Infrastructure

  • Primary cloud provider: Arsys Internet S.L. (web application infrastructure and hosting), located in Spain.
  • Secondary cloud providers:
    • Amazon Web Services (AWS): S3 image storage with CDN and backups, eu-south-2 region (Spain).
    • Google Cloud Platform: BigData (Cloud Storage and BigQuery) and OAuth authentication, European region (Spain).
  • Database: Arsys (unmanaged PostgreSQL cluster), encrypted at rest and in transit, self-administered.
  • Cloud gateway: Aranova Cloud Gateway for AWS S3 access management.
  • Certifications: Infrastructure providers hold ISO 27001 and SOC 2 certifications and are GDPR compliant. All data is stored within the European Economic Area.

9. Training

Initial security training for all staff. Annual refresher sessions. Periodic phishing awareness campaigns.

10. Review

Reviewed annually. Last reviewed: 20 June 2026.
