Security center

Built to earn your trust.

Asset management systems hold sensitive operational data — maintenance history, compliance records, site access details. We take that responsibility seriously. Here's exactly what we do to protect it.

GDPR compliant
Data Processing Agreement available on request. EU data stored in Europe. UK ICO registration: ZB441829.

Microsoft Defender
Fortune-500 malware scanning on every uploaded file, every plan, no add-on required.

Annual pentest
Independent third-party penetration test every year. Findings remediated within 30 days. Summary available under NDA.

Security controls in full.

No marketing spin. Every control we run, stated plainly.

Data protection

Encryption in transit: TLS 1.3 minimum for all API, browser, and mobile traffic.
Encryption at rest: AES-256 for all database fields, file attachments, and backups.
Key management: envelope encryption with Azure Key Vault. Tenant-specific key hierarchy.
Data residency: default EU. US region available on request. Enterprise: data-residency pinning.
Backups: daily snapshots, 30-day retention. Point-in-time recovery within 7 days.

Access & identity

SSO: SAML 2.0 with Okta, Azure AD, Google Workspace, and any SAML-compliant IdP.
MFA: TOTP, WebAuthn/passkeys, and push. MFA can be enforced at org level.
RBAC: four built-in roles with least-privilege defaults. Custom roles on Enterprise.
Session management: configurable session timeout. Token rotation on privilege change. Remote logout.
API tokens: scoped API keys with expiry. All tokens logged in the audit trail.

Infrastructure

Hosting: Microsoft Azure. Isolated per-region deployment.
Uptime SLA: 99.9% monthly uptime SLA on Enterprise. Status at status.assetos.com.
DDoS protection: Azure DDoS Protection on all edge endpoints.
Vulnerability management: weekly automated scans. Critical patches within 24 hours of disclosure.
Penetration testing: annual third-party pentest. Results available under NDA to Enterprise customers.

File security

Malware scanning: every uploaded file scanned by Microsoft Defender for Cloud before storage. Included in every plan.
File type restrictions: configurable allowlist per workspace. Executables blocked by default.
Access-controlled downloads: signed URLs with short TTL. No direct cloud storage access.

Compliance & audit

GDPR: DPA available on request. Lawful basis: legitimate interest / contract performance.
Audit log: all user actions logged with actor, timestamp, and IP. 90-day retention standard; unlimited on Enterprise.
Data export: full data export (CSV, JSON, PDF) available to any admin at any time, no support ticket required.
Right to erasure: GDPR deletion request fulfilled within 30 days. Confirmation provided.
Breach notification: the data protection supervisory authority is notified within 72 hours. Affected customers notified within 30 days.

Responsible disclosure

If you've found a security vulnerability in AssetOS, please report it to us privately. We commit to:

  • Acknowledge your report within 1 business day
  • Provide a fix timeline within 5 business days
  • Credit you publicly (with permission) on patch release
  • Never pursue legal action against good-faith researchers
Report privately to security@assetos.com

Subprocessors

We use a small number of subprocessors. All are under a DPA with adequate safeguards in place.

  • Microsoft Azure: hosting, storage & malware scanning (EU)
  • Stripe: payment processing (US · EU)
  • Postmark: transactional email (US, SCCs)
  • Sentry: error tracking, PII scrubbed (US, SCCs)

Security questions? Talk to us.

Enterprise customers can request the DPA, penetration test summary, and custom security questionnaire completion.

Contact security team: security@assetos.com

Last reviewed: April 2026
