Security on day one
SOC 2 Type II, ISO 27001, Kazakhstan data residency, 24-hour incident response. Everything your security team and your regulator ask for is already in place.
Pillars of our security program
Independently audited certifications, verifiable engineering practice, and transparent processes.
SOC 2 Type II
Annual audit by an independent CPA firm. Report available to enterprise customers under NDA.
ISO/IEC 27001:2022
Certified ISMS covering infrastructure, access, development, and incident management.
Encryption in transit and at rest
TLS 1.3 in transit, AES-256 at rest. Keys managed via KMS with monthly rotation.
PII masking
Built-in patterns for emails, phones, IBAN, national IDs. Policies configurable per key.
In-country data residency
All infrastructure physically in Kazakhstan: prod, backups, logs, billing. No cross-border transfer.
24/7 on-call
Named SRE on-call rotation. 15-minute response on P1, public post-mortems for every incident.
Annual pentest
External pentest by an accredited firm. Report and remediation plan available to enterprise customers.
Kazakhstan AI Law · GDPR · PDPA
Compliance labels per request, DPA with every enterprise customer, in-country data controller.
SSO · SCIM · RBAC
SAML/OIDC SSO, automated provisioning via SCIM, fine-grained RBAC in the superman admin panel.
Incident response
Transparent SLOs, fast escalation, public post-mortems.
Detection
Continuous monitoring of latency, errors, and anomalies. Automated P1 alerts within 2 minutes.
Response
15-minute first-response on P1, 1 hour on P2. A named incident commander owns the case.
Communication
Customers notified by email and on status.airouter.kz. Affected enterprise customers receive a direct call.
Post-mortem
Public post-mortem within 5 business days of resolution. Root cause, timeline, and remediation plan.
Report a vulnerability
We value responsible disclosure. Reach out via the contact form — we respond within 24 hours and coordinate CVE assignment where applicable.
Open the contact form
Request the security pack
SOC 2 and ISO reports, DPA, pentest findings — available to enterprise customers under NDA.