SECURITY AND TRUST
How we protect Priority Matrix and AngerAlert
This page summarizes the security commitments that apply to Appfluence's two products — Priority Matrix (PM) and AngerAlert (AA) — and is intended for customers, prospects, and auditors. Where controls are identical across both products, statements apply to both. Per-product differences are marked inline with (PM only) or (AA only).
1. Our Approach to Security
Appfluence operates a written information security program that covers both products and all personnel. The program is grounded in a documented set of policies — information security, data classification, access control, vendor management, incident response, business continuity, and others — that are reviewed at least annually. Appfluence is currently undergoing a SOC 2 Type II audit; the report will be available to customers under NDA once issued. Microsoft 365 App Certification is also in progress for our Microsoft-integrated offerings.
2. Hosting and Infrastructure
All production infrastructure for both products is operated on Amazon Web Services (AWS) in the us-east-1 region. AWS provides the underlying physical security, environmental controls, and platform-level certifications (SOC 2 Type II, ISO 27001, and others) that we rely on; we review AWS's SOC 2 report at onboarding and annually thereafter.
- Priority Matrix (PM only): runs on AWS EC2 (auto-scaled behind a managed load balancer) with an RDS MySQL primary database on a private subnet, plus OpenSearch for search indexing. Direct database access is restricted to application servers within the VPC.
- AngerAlert (AA only): runs on AWS ECS Fargate with DynamoDB for data storage, AWS Lambda for stateless email processing, and S3 for attachment storage. Production S3 attachment buckets use cross-region replication to us-west-2, with versioning and MFA delete enabled. Enterprise tenants run on dedicated DynamoDB tables for tenant isolation.
3. Encryption
- In transit: All customer connections use TLS 1.2 or higher. Plain HTTP is redirected to HTTPS at the load balancer and again at the application layer. Wireless networks used to access Appfluence systems require WPA2 or stronger.
- At rest: Customer data is encrypted with AES-256 using keys managed by AWS KMS. (AA only) AngerAlert encrypts OAuth refresh tokens in its production database using AWS KMS, with automatic annual key rotation enabled. The standard multi-tenant deployment uses an environment-scoped KMS key; dedicated enterprise deployments are provisioned in their own infrastructure workspace and therefore use tenant-scoped KMS keys. DynamoDB row-level encryption is layered on top of AWS-managed table-level encryption for defense in depth.
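The application-layer half of the two-stage HTTP-to-HTTPS redirect described above, as an added example rather than Appfluence's own code. It is a Go net/http middleware that assumes a TLS-terminating load balancer in front of it which sets the X-Forwarded-Proto header (standard behaviour for an AWS ALB); the hostname app.example.test and port 8080 are placeholders. The allowed-hosts check is an added precaution the page does not describe: without it, a redirect built from an attacker-controlled Host header becomes an open redirect.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// IsHTTPS reports whether a request arrived over TLS: either terminated by
// this process (r.TLS set) or, as in the deployment described above, by a
// load balancer that records the original scheme in X-Forwarded-Proto.
// Trusting that header is only safe when the application is reachable
// solely through the load balancer, which sets or overwrites it.
func IsHTTPS(r *http.Request) bool {
	if r.TLS != nil {
		return true
	}
	proto := r.Header.Get("X-Forwarded-Proto")
	// If several proxies appended values, only the first (outermost) counts.
	if i := strings.IndexByte(proto, ','); i >= 0 {
		proto = proto[:i]
	}
	return strings.EqualFold(strings.TrimSpace(proto), "https")
}

// RequireHTTPS wraps next so that any plain-HTTP request is answered with a
// 308 redirect to the same path over HTTPS. Redirect targets are built only
// for hosts in allowedHosts (matched against r.Host, so include a port if one
// is expected); any other Host header gets 421 Misdirected Request instead of
// a redirect to an attacker-chosen host.
func RequireHTTPS(allowedHosts []string, next http.Handler) http.Handler {
	allowed := make(map[string]bool, len(allowedHosts))
	for _, h := range allowedHosts {
		allowed[strings.ToLower(h)] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host := strings.ToLower(r.Host)
		if !allowed[host] {
			http.Error(w, "misdirected request", http.StatusMisdirectedRequest)
			return
		}
		if !IsHTTPS(r) {
			// 308 rather than 301: the method and body are preserved, so a
			// POST is not silently replayed as a GET after the redirect.
			http.Redirect(w, r, "https://"+host+r.URL.RequestURI(), http.StatusPermanentRedirect)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "served over TLS")
	})
	// Placeholder hostname; the real listener is only reachable via the load balancer.
	http.ListenAndServe(":8080", RequireHTTPS([]string{"app.example.test"}, app))
}
```

The application-layer redirect is a backstop for the load-balancer rule: if a listener is ever misconfigured or traffic reaches the origin by another path, plain-text requests are still refused, and the middleware never relies on the client having seen the load balancer's redirect first.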
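How the at-rest pattern above works in practice (a per-tenant KMS key wrapping a data key that in turn encrypts an OAuth refresh token), shown as an added Go example that is not AngerAlert's code. To run offline, fakeKMS stands in for AWS KMS: it holds constructed master keys in memory and exposes GenerateDataKey / Decrypt with the same shape as the real API, whereas actual KMS never releases master keys. The key IDs tenant-a and tenant-b, the encryption-context layout, and the TokenRecord row shape are assumptions; KMS-side key rotation and audit logging are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// fakeKMS replaces AWS KMS so the example runs offline; one key ID per tenant
// mirrors the tenant-scoped keys used by dedicated deployments.
type fakeKMS struct{ masters map[string][]byte }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // fails for an absent or wrong-sized key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM is AES-256-GCM with a fresh nonce prepended; aad plays the role of
// the KMS encryption context and binds the ciphertext to tenant and user.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// GenerateDataKey returns a fresh data key plus a copy wrapped under keyID.
func (k *fakeKMS) GenerateDataKey(keyID string, ctx []byte) (plain, wrapped []byte, err error) {
	plain = randomBytes(32)
	wrapped, err = sealGCM(k.masters[keyID], plain, ctx)
	return plain, wrapped, err
}

// Decrypt unwraps a data key; it fails unless key ID and context both match.
func (k *fakeKMS) Decrypt(keyID string, wrapped, ctx []byte) ([]byte, error) {
	return openGCM(k.masters[keyID], wrapped, ctx)
}

// TokenRecord is the row persisted for a token; plaintext never reaches storage.
type TokenRecord struct {
	KeyID      string
	WrappedKey []byte
	Ciphertext []byte
}

func encryptionContext(tenantID, userID string) []byte {
	return []byte("tenant=" + tenantID + "\x00user=" + userID)
}

func EncryptRefreshToken(kms *fakeKMS, keyID, tenantID, userID, token string) (*TokenRecord, error) {
	ctx := encryptionContext(tenantID, userID)
	dataKey, wrapped, err := kms.GenerateDataKey(keyID, ctx)
	if err != nil {
		return nil, err
	}
	ct, err := sealGCM(dataKey, []byte(token), ctx)
	for i := range dataKey {
		dataKey[i] = 0 // discard the plaintext data key as soon as it is used
	}
	if err != nil {
		return nil, err
	}
	return &TokenRecord{KeyID: keyID, WrappedKey: wrapped, Ciphertext: ct}, nil
}

func DecryptRefreshToken(kms *fakeKMS, rec *TokenRecord, tenantID, userID string) (string, error) {
	ctx := encryptionContext(tenantID, userID)
	dataKey, err := kms.Decrypt(rec.KeyID, rec.WrappedKey, ctx)
	if err != nil {
		return "", fmt.Errorf("unwrap data key: %w", err)
	}
	pt, err := openGCM(dataKey, rec.Ciphertext, ctx)
	return string(pt), err
}
```

The stored row carries the key ID and the wrapped data key alongside the ciphertext, so a database copy on its own is useless without a Decrypt call to the key's owner; binding tenant and user into the encryption context means a row copied between tenants, or re-pointed at another tenant's key, fails to unwrap rather than quietly decrypting.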
4. Access Controls
Production access by Appfluence staff is governed by our Access Control and Termination Policy. Key requirements:
- SSO + MFA are required for all employee access to production. AWS access is federated through Google Workspace via SAML 2.0 and AWS IAM Identity Center, with MFA enforced at the identity-provider level. There are no long-lived AWS access keys.
- Least-privilege IAM is enforced through scoped permission sets and per-service IAM roles (for example, ECS task roles in AA are scoped only to the specific DynamoDB tables, KMS keys, and S3 buckets each service needs).
- Quarterly access reviews validate that each privileged user still requires their access; access that is no longer justified is revoked and logged.
- 90-day dormant-account review: any account on critical infrastructure that has not been used in 90 days is disabled or deleted unless a documented business justification exists.
- Access keys and passwords for critical infrastructure are rotated at least every 90 days. Terminated employees lose access within one business day.
- Administrative shell access to production is performed via AWS Systems Manager Session Manager; no public SSH bastion or inbound SSH is exposed.
5. Sub-processors
The following third parties may process customer data on Appfluence's behalf. Each sub-processor is governed by a Data Processing Addendum (DPA) or equivalent contractual commitment, and is subject to the annual review described in our Vendor Management Policy.
Priority Matrix (PM only)
| Sub-processor | Purpose |
|---|---|
| Amazon Web Services (AWS) | Primary hosting: EC2, RDS, OpenSearch, S3, CloudFront, SES, Backup, CloudTrail |
| Microsoft Azure | SSO identity provider; optional Azure OpenAI for AI features (customer opt-in) |
| Google Workspace | SSO identity provider; corporate email used to communicate with customers |
| Stripe | Payment processing and subscription billing (PCI DSS Level 1) |
| SendGrid (Twilio) | Transactional email delivery for product notifications |
| OpenAI / Azure OpenAI | Optional AI features (task expansion, project generation); customer-controlled opt-in |
| Sentry | Application error monitoring |
| Apple | App Store distribution for native iOS / macOS clients |
AngerAlert (AA only)
| Sub-processor | Purpose |
|---|---|
| Amazon Web Services (AWS) | Primary hosting: ECS Fargate, Lambda, DynamoDB, S3, KMS, SES, ALB + WAF |
| Microsoft (Microsoft Graph API) | OAuth-based access to Microsoft 365 mailboxes for email triage |
| Google (Gmail API / Workspace) | OAuth-based access to Gmail for email triage |
| Stripe | Payment processing and subscription billing |
| SendGrid (Twilio) | Transactional email delivery for notifications |
| Sentry | Application error monitoring |
An updated list is maintained in our internal Vendor Management Policy and is available to customers under NDA on request. Material changes to this list are communicated as described in section 12.
6. Data Retention and Deletion
Retention is governed by our Data Retention Policy and varies by data class and product:
- (PM only) Customer task and project data is retained while the user account is active. Accounts inactive for three years are sent a 30-day deletion notice with a self-serve data export link. After deletion, residual data persists only in the RDS point-in-time-recovery window for up to 7 days before automatic expiration.
- (AA only) Email metadata and sentiment scores are retained for 90 days; email notification history is retained for 30 days via DynamoDB TTL; audit logs are retained for 13 months. When a user disconnects an integration, the stored OAuth tokens are deleted from Appfluence systems immediately; we recommend that customers also revoke the application's access in the provider's admin console (Microsoft Entra ID, Google Workspace) so the underlying provider tokens are invalidated. Residual data persists only in the DynamoDB PITR window for up to 35 days.
- Application and security logs are retained for at least 13 months (400 days) in AWS CloudWatch.
- Customers may export their data at any time via the in-product self-serve export described in our GDPR commitment, and may request deletion at any time. Upon contract termination, data is deleted from production systems and remaining backup copies expire on the schedules above.
7. Backups and Disaster Recovery
Per our Business Continuity and Disaster Recovery Policy:
- (PM only) RDS automated backups with point-in-time recovery enabled and a 7-day window. EC2 instance recovery points are managed by AWS Backup with a 14-day retention. Backup vaults use AWS Backup Vault Lock in compliance mode to prevent tampering.
- (AA only) DynamoDB continuous backups with 35-day point-in-time recovery; daily snapshots retained 30 days and monthly snapshots retained 12 months via AWS Backup. S3 attachment buckets are versioned and replicated cross-region.
- Recovery is tested at least biannually using AWS Backup restore jobs into non-production environments, with results tracked in our internal task system.
Our published recovery objectives for typical enterprise customers are:
| Service | RTO | RPO |
|---|---|---|
| Priority Matrix | 4 hours | 2 hours |
| AngerAlert | 8 hours | 4 hours |
Specific service-level agreements may be negotiated as part of an enterprise contract.
8. Vulnerability Management
Per our Security Processes and Penetration Testing Policy:
- SAST runs on every pull request via DeepSource; the master branch is protected and requires review before merge.
- DAST is run quarterly against production endpoints (currently OpenVAS, transitioning to Amazon Inspector during 2026). Internal and external vulnerability scans run at least monthly.
- Dependency monitoring: direct and transitive dependencies are inventoried in product-level Software Bill of Materials documents and reviewed each quarter and on every security advisory affecting a listed package.
- Patch / remediation SLAs (from detection): Critical — 14 days; High — 30 days; Medium — 60 days; Low — 90 days. These targets are aligned with CISA Binding Operational Directive 22-01.
- Annual third-party penetration testing covers both products' web applications, APIs, OAuth flows, and AWS configuration. Findings are remediated to the SLAs above and re-tested by the original firm. Executive summaries are available to customers under NDA.
- Production servers run anti-malware (ClamAV) with daily signature updates, and Wazuh provides host-based intrusion detection and SIEM event correlation.
9. Incident Response and Breach Notification
Our Incident Response Policy defines a single workflow used by the founders, with an Incident Commander, a Communications Lead, and an Infrastructure / Forensics Lead. Incidents are classified P1 / P2 / P3 with documented response cadences, containment-before-recovery requirements, evidence preservation, and a postmortem within five business days of closure. The team conducts annual tabletop exercises against scenarios from the risk register.
Customer notification commitment: in the event of a confirmed security incident affecting customer data, Appfluence will notify affected customers without undue delay and in any case within 72 hours of confirmation, in alignment with GDPR Article 33. Notifications include the nature of the incident, categories and approximate volume of data affected, likely consequences, and the measures taken or proposed to address it.
10. Compliance and Audits
- SOC 2 Type II — program in place; audit currently in progress. The final report will be available to customers under NDA when issued.
- GDPR — Appfluence has been GDPR-compliant since May 2018. Subject Access Requests, our DPO contact, and our mailing address are documented on our GDPR page.
- HIPAA — a Priority Matrix HIPAA edition is available for covered entities under a Business Associate Agreement. See hipaa.prioritymatrix.com for details.
- Microsoft 365 App Certification — in progress.
- Our AWS, Microsoft, Google, Stripe, and SendGrid sub-processors maintain SOC 2 Type II and other applicable certifications, which we review at onboarding and at least annually.
To request the SOC 2 report (when issued), an executive summary of our latest penetration test, or sub-processor documentation under NDA, please email security@appfluence.com.
11. Reporting a Vulnerability
If you believe you've found a security vulnerability in Priority Matrix or AngerAlert, please report it to security@appfluence.com. We acknowledge new reports within 2 business days and work with the reporter through validation, remediation, and disclosure.
Safe harbor: Appfluence will not pursue legal action against, or report to law enforcement, security researchers who, in good faith, follow the guidelines below:
- Test only against accounts you own or have explicit permission to test; do not access, copy, or exfiltrate other users' data.
- For AngerAlert specifically, do not access, read, or copy real user email content — use synthetic data in test tenants only.
- Avoid actions that could degrade service for other users (denial-of-service, automated mass scanning that affects availability, social engineering of staff or customers).
- Give us a reasonable opportunity to remediate before publicly disclosing the issue.
Researchers who follow these guidelines are eligible for our bug-bounty program. Vulnerabilities in marketing or non-production websites are out of scope.
12. Document Versioning
Last updated: 5 May 2026.
This page is reviewed at least annually and whenever the underlying internal policies change in a way that affects external commitments. Material changes will be communicated by email to active customers and reflected on this page. For previous versions, contact security@appfluence.com. For related public documents, see also our Privacy Policy, Priority Matrix EULA, and the AngerAlert EULA.