Client Assurance: Security, Privacy & Compliance
Aetos is a consulting firm. We don’t host client production systems; we work primarily in approved tools and share files via preapproved channels. This page explains how we handle data, secure our operations, and support procurement due diligence.
Aetos Security & Privacy — Overview
Last updated: September 11, 2025
This page explains how we protect data, how long we keep it, and how we work with vendors. It’s written in plain English for customers, partners, and auditors.
Security overview
Access
SSO + MFA required for company systems and primary SaaS tools.
Least‑privilege roles; admin access is time‑bound and logged.
Offboarding within one business day; accounts are removed and keys rotated.
Devices
Screen‑lock, physical controls, and auto‑updates on Aetos laptops.
Malware protection is centrally managed.
No client production data stored on devices.
Patching & updates
Critical security updates ≤ 14 days; high severity ≤ 30 days.
Browsers and core apps auto‑update.
Secrets & keys
Stored in a vault.
Keys/tokens rotate on a schedule and on personnel change.
Logging & reviews
Central log collection for admin/auth/data‑access events.
Alerts on anomalous logins, permission changes, large exports.
Quarterly access reviews for admins and high‑risk roles.
Data handling & retention
We keep only what we need, for as short a time as practical. Contract and law may set stricter timelines.
| Dataset | System(s) | Default retention | Notes / exceptions |
|---|---|---|---|
| Meeting recordings & transcripts | Fireflies | ≤ 30 days | Kept longer only if they become deliverables (then follow Deliverables row). |
| Chats, messages & files | Slack | ≤ 90 days | Channels with deliverables point to Drive/Notion; exports to archives must match retention. |
| Working files & drafts | Google Workspace (Drive) | ≤ 180 days | Deliverables moved to a project folder with controlled sharing. |
| Deliverables & contracts | Drive/Notion | Life of engagement + 90 days | Or per contract. |
| Email (operational) | Google Workspace (Gmail) | ≤ 180 days | Legal holds pause deletion for affected mailboxes/labels. |
| CRM contacts & deal history | Salesflare | Engagement + 90 days | DSARs honored; deletion on termination. |
| Scheduling metadata | Calendly, Reclaim.ai | ≤ 180 days | Event bodies minimized; no sensitive content. |
| Automation metadata | Zapier | ≤ 90 days | Zaps designed to avoid storing content and secrets. |
| Analytics & consent logs | GA4, Microsoft Clarity, Cookiebot | 12 months | Kept to prove consent and honor opt‑outs (or as legally required). |
Deletion process
Automated where supported (native auto‑deletion/API jobs).
Verified manual deletion for special requests (we record evidence).
Legal holds pause deletion until cleared.
Vendor management (third‑party risk)
We do our best to select vendors that support SSO/MFA, encryption at rest & in transit, signed DPAs, and independent assurance (SOC 2/ISO 27001).
Vendors are tiered by data sensitivity and criticality; review targets: Tier 1 quarterly, Tier 2 semiannual, Tier 3–4 annual.
We keep a register with DPAs, certifications, subprocessor lists, and renewal dates.
On contract end, we export or request deletion and verify completion.
We provide a standard Data Processing Agreement when applicable. Request our DPA: hello@aetos-data.com (subject: “DPA request”).
Incident response
We notify affected clients promptly after confirmation and within contract/regulatory timelines. We contain, eradicate, and recover; reset credentials/keys; add detections; and, whenever possible, analyze root cause in order to take corrective actions.
Privacy statement
See our full website Privacy Notice for how we collect, use, and share information.
For client data we usually act as a processor; for our own operations data we act as a controller.
We support access, correction, deletion, and export requests in line with law and contract.
Scope & disclaimers
This page describes current controls and targets. Client contracts may define stricter requirements. We may update this page as our program evolves.