Data Handling

Aurelis Technology implements strict data handling practices to ensure the confidentiality, integrity, and availability of client data throughout its lifecycle.

Data Types Processed

Automotive Parts Pricing Data

Commercially Sensitive

Core business data processed by the Aurelis Pricing Suite. This includes parts pricing information, pricing models, and related commercial data. This data is commercially sensitive but does not constitute personal data.

User Account Information

Basic Personal Data

Email address, first name, and last name stored for user authentication and account management purposes. No additional personal identifiable information (PII) is collected or processed.

Data Lifecycle

1

Collection

Data enters the system through client-configured imports or API integrations. Only the minimum required data is accepted.

2

Processing

Data is processed within the client's isolated AWS subaccount. All computation occurs in private subnets with no public internet exposure.

3

Storage

Data is stored in encrypted databases (AES-256 via AWS KMS) within the client-chosen AWS region. No cross-region storage occurs.

4

Backup

Automated encrypted backups are taken on a regular schedule. Backups are stored in the same AWS region and encrypted with the same standards as primary data.

5

Retention

Data is retained for the duration of the service agreement. Retention periods for specific data types are defined in client contracts.

6

Deletion

Upon contract termination, all client data — including backups — is permanently deleted within 30 days. Deletion is verified and confirmed in writing upon request.

Data Residency

All client data is stored and processed exclusively within the client-chosen AWS region. There is no cross-region data transfer. This ensures compliance with data residency and sovereignty requirements.

Data Isolation

Each client is deployed as a separate subaccount within the Aurelis Technology AWS Organization. This provides account-level isolation, ensuring complete separation of data, compute, network, and encryption keys between clients.

Data Retention & Deletion

  • Client data is retained for the duration of the service agreement
  • Upon contract termination, all client data is deleted within 30 days
  • Backups containing client data are purged according to the backup retention schedule
  • Clients may request data export in standard formats at any time
  • Deletion is verified and confirmed in writing upon request

Subprocessors

SubprocessorPurposeLocation
Amazon Web Services (AWS)Cloud infrastructure provider — compute, storage, database, networking, and security servicesClient-chosen AWS region
Aikido SecurityApplication security scanning and vulnerability managementEU

Shared Responsibility Model

Security is a shared responsibility between Aurelis Technology, AWS, and the client. The table below clarifies ownership boundaries.

AreaAurelisAWSClient
Physical infrastructure & data centersFull responsibility
Network & compute security (VPC, ECS, ALB)Configuration & monitoringUnderlying service availability
Application security & patchingFull responsibility
Data encryption (at rest & in transit)Configuration & key managementEncryption service availability
User access & authenticationSSO integration, RBAC enforcementCognito service availabilityUser provisioning, MFA enrollment
User credentials & passwordsSecure storage & policiesPassword hygiene, MFA usage
Client data accuracyIntegrity during processingData quality at input
Incident responseDetection, containment, notificationUnderlying infrastructure incidentsInternal response & remediation

Data Processing Agreement

Aurelis Technology provides a comprehensive Data Processing Agreement (DPA) to all clients. Our standard DPA covers the scope and purpose of processing, security obligations, subprocessor management, breach notification procedures, and data subject rights assistance.

Our standard DPA is available upon request. Contact service@aurelistechnology.com to obtain a copy.