Security

Security at APUA

Legal data demands the highest standard of protection. Security at Apua.ai is not a feature — it is the foundation the entire platform is built on.

EU-sovereign by architecture

All infrastructure runs in GCP europe-north1 (Finland). No EU tenant data transits outside the EU. This is a contractual and architectural guarantee enforced at the network, storage, and application layers. It is not a configuration toggle.

Five layers of encryption

Every piece of data in Apua.ai passes through five independent encryption layers:

1. Transport

TLS 1.3 on all external traffic. Mutual TLS (mTLS) between all internal services.

2. Storage

AES-256 encryption with customer-managed keys (CMEK) and 90-day automatic rotation.

3. Database

Row-level security on every tenant-scoped table. Application bugs cannot bypass isolation.

4. Document

Per-document envelope encryption. Each document has its own key, encrypted with the tenant's master key.

5. AI context

Vector search and LLM context are always scoped to tenant. No cross-tenant inference is possible.

Tenant isolation

Every tenant's data is isolated at the database, cache, storage, LLM prompt, and vector search layers independently. Enterprise clients may bring their own encryption keys (BYOK) — revoking the key renders their data permanently inaccessible, even to APUA.

Audit trail

Every data mutation is logged in a hash-chained, append-only audit trail. Entries are linked by SHA-256 hashes, making tampering cryptographically detectable. Audit logs are retained for a minimum of 10 years.

GDPR compliance

Apua.ai is designed for full GDPR compliance. We support data access, export, rectification, and erasure requests. A Data Processing Agreement (DPA) is signed with every customer before onboarding. Subprocessor list is available on request.

Questions

For security enquiries or to request our security whitepaper, contact us at security@apua.ai.