Maecos runs in regulated environments where uptime, data integrity, and access control are non-negotiable. Our architecture reflects that from the ground up.
Security is integrated at every stage of development and operations, not bolted on after the fact.
Built on hardened, compliant, continuously maintained AWS services. No on-premise servers, no internal office network.
Every customer gets their own container and their own database. Your data is logically separated and encrypted at rest.
Security controls aligned with the ISO 27001 framework. Formal InfoSec policy maintained and reviewed annually, supported by a central risk register and structured control assessments.
GDPR rights fully supported. All customer data can be exported or deleted upon written request. DPO-style procedures in place for handling data subject requests. DPIAs conducted for major feature changes affecting personal data.
A standard DPA is available and can be signed as part of the onboarding process. A list of subprocessors is included in the DPA and available upon request. Custom DPA terms can be discussed.
All customer data is stored and processed exclusively within the European Union (AWS eu-west-1). No data is transferred to third countries.
Central risk register maintained with assessments conducted for new features. All contractors sign NDAs and adhere to internal policies.
Structured joiner-leaver process. Background checks and NDA requirements for all team members and contractors.
Customer data is retained for the duration of the contract. Upon termination, all data is exported to the customer and permanently deleted from our systems within 90 days, including backups.
Maecos is deployed in GxP-regulated manufacturing environments including food, pharma, and chemicals. The platform supports audit trail requirements, controlled document workflows, and training record traceability expected in these sectors.
Maecos is hosted on AWS in the EU (eu-west-1). Each customer tenant runs in its own container on ECS Fargate, with a dedicated database on an Aurora HA cluster. Separate environments for production, staging, and testing, each with its own ECS and database clusters.
AWS, EU region (eu-west-1)
ECS Fargate, one container per tenant
Dedicated database per customer on Aurora HA cluster
S3 buckets per tenant, encrypted with KMS
Secure on-premise agent for IT/OT integration
CloudFront for static assets and edge delivery
99.9% target uptime. Negotiable SLAs available on request.
All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 with AWS KMS-managed keys. Tenant containers run in isolated VPCs with private subnets. There is no internal office network. All infrastructure is cloud-only.
Inbound traffic passes through AWS WAF with DDoS protection, IP rate limiting, and path filtering. Secrets are managed via AWS Secrets Manager. Infrastructure is patched automatically.
Maecos supports enterprise identity management out of the box. Authentication integrates with your existing identity provider, and authorization is handled through fine-grained role-based access control.
SAML, OIDC, Azure AD. Extensible via custom integration.
Available through your identity provider.
Over 200 permissions. Role templates for Operator, Trainer, Team Leader, LMS Admin, and more. Fully configurable per tenant.
Permission assignment can be automated via LMS skill qualifications.
Configurable session timeout. IP whitelisting possible via SSO integration.
All actions are logged with timestamps and user attribution: login events, role changes, checklist completions, document approvals, training records, and API calls.
Security is part of the development lifecycle, not a separate gate. All pull requests go through mandatory peer review covering security, functionality, and quality. Static code analysis runs in the CI pipeline, and automated dependency scanning continuously monitors dependencies for known CVEs and checks license compliance.
Continuous application security monitoring and penetration testing are handled externally through Aikido Security, covering vulnerability detection, DAST, and compliance posture. This is combined with regular internal threat modelling. Dev and test environments never contain live customer data; only anonymized or generated datasets are used.
Full-stack observability covers logs, metrics, and traces from every container and function. Alerts are routed to on-call engineers and team channels for immediate response.
Full audit trail including login events, role changes, and API calls. 30 days online, archived longer in encrypted S3 buckets.
Documented incident response plan with triage, escalation, root cause analysis, and notification within 72 hours where applicable.
Automated daily and monthly backups, all encrypted using AWS KMS. Restore procedures are validated yearly. The platform uses a multi-AZ failover strategy and is recoverable in alternate availability zones.
Fully cloud-native, distributed design. Operates independently of any physical office infrastructure.
If you discover a security vulnerability in Maecos, we want to hear about it. Please report it responsibly so we can investigate and address it before it affects customers.
Email security@maecos.com with a description of the issue, steps to reproduce, and any supporting evidence. We will acknowledge receipt within two business days.
Give us reasonable time to investigate and fix the issue before disclosing it publicly. Do not access or modify customer data. Do not use automated scanning tools against production systems without prior coordination.
We are happy to provide deeper technical documentation or schedule a call with our team to walk through your specific requirements.