Security & Compliance
How Maecos protects your data, manages access, and meets compliance requirements.
Maecos is built for process-industry environments where data integrity, availability, and regulatory compliance are non-negotiable. Security is integrated at every layer of the platform — from infrastructure and application design to access control and operational monitoring.
This section provides a technical overview for IT teams, administrators, and compliance officers evaluating or operating the Maecos platform.
Platform Architecture
Maecos is a unified SaaS platform with modular deployment options (Learning, Operations, or Combined). The technical stack consists of an F#/.NET backend and a React frontend, delivered as a single-page application.
Tenant isolation is a core design principle. Each customer runs in a dedicated container on AWS ECS (Fargate), with a dedicated database on an Aurora cluster. This means your data is logically and physically separated from other tenants at both the compute and storage layers. Backups are stored in per-tenant S3 buckets.
An optional Node-RED edge agent can be deployed on-premise to connect local IT/OT systems (e.g. PLCs, SCADA, historians) to the cloud platform via secure REST/HTTPS communication. Lambda functions handle specific processing tasks such as document conversion and scheduled jobs.
Hosting & Infrastructure
Maecos runs on AWS in the eu-west-1 (Ireland) region. The infrastructure follows AWS best practices for enterprise workloads:
Environment separation — Production, staging, and testing environments use separate ECS clusters and database instances. No live customer data is ever used in development or test environments.
Network security — All services run in private subnets within a VPC. Traffic enters through AWS WAF (with DDoS protection, IP rate limiting, and path filtering) and a load balancer. There is no internal office network; the entire infrastructure is cloud-only.
Secrets management — Credentials, API keys, and other secrets are managed through AWS Secrets Manager, never stored in code or configuration files.
Automatic patching — Infrastructure components are patched automatically. Application dependencies are reviewed and updated on a quarterly basis.
Encryption & Data Protection
In transit — All communication is encrypted using TLS 1.2 or higher.
At rest — All data at rest is encrypted using AES-256 with AWS KMS-managed keys, including databases, snapshots, and S3 storage.
Identity, Access & Role Management
Maecos provides enterprise-grade identity and access management:
Single Sign-On (SSO) — Supports SAML, OIDC, and Azure AD out of the box. Custom identity provider integrations are available on request.
Multi-Factor Authentication (MFA) — Available through your identity provider's MFA capabilities.
Role-Based Access Control (RBAC) — Over 200 granular permissions, organised into configurable role templates (e.g. Operator, Trainer, Team Leader, LMS Admin). Roles are fully configurable per tenant.
Automated permission assignment — Permissions can be linked to LMS skill qualifications, so completing a training course can automatically grant access to specific platform features.
Session controls — Session timeout is configurable per tenant. IP whitelisting is possible via SSO integration.
Audit trail — All login events, role changes, and permission modifications are logged and auditable.
Monitoring, Logging & Alerting
Maecos operates a full-stack monitoring setup to ensure availability and rapid incident detection:
Monitoring — Logs, metrics, and traces from every container and Lambda function are collected via Datadog.
Alerting — Alerts are routed to PagerDuty and Slack for immediate response.
Application-level logging — A complete audit trail captures login events, role changes, and API calls.
Retention — Logs are retained online for 30 days and archived in encrypted S3 buckets for longer-term storage.
Backup, Recovery & Business Continuity
Data resilience is built into the platform architecture:
Backup strategy — 14 daily snapshots and 12 monthly snapshots, all encrypted using AWS KMS.
Restore procedures — Validated on a yearly basis.
Disaster Recovery — Primary RPO is under 1 minute (Aurora replication). Fallback RPO is up to 24 hours (snapshot-based). RTO is typically under 2 minutes for most failure scenarios and under 1 hour for extreme events.
Multi-AZ failover — The platform is recoverable in alternate availability zones.
Business continuity — Fully cloud-native and distributed; the platform operates independently of any physical office infrastructure.
DevSecOps & Development Security
Security is embedded in the development lifecycle:
Code review — All pull requests require mandatory peer review covering security, functionality, and quality.
Dependency scanning — Continuous CVE monitoring and license checks via Dependabot.
Static code analysis — CodeQL and GitHub Advanced Security are integrated into the CI pipeline.
Penetration testing — Automated basic testing is supplemented with regular purple teaming exercises and threat modelling.
Environment isolation — Development and test environments use only anonymised or generated datasets. No live customer data is present outside production.
GDPR & Compliance
Maecos is actively working toward ISO 27001 compliance, with certification readiness targeted when requested by customers.
GDPR rights — Data subject access, export, and deletion requests are supported upon written request. DPO-style procedures are in place for handling data subject requests.
Data Protection Impact Assessments (DPIAs) — Conducted for major feature changes that affect personal data processing.
Incident response — A formal incident response plan covers triage, escalation, root cause analysis, and notification within 72 hours where applicable.
Subprocessors
Maecos uses the following subprocessors for platform operations:
AWS | Hosting & Backup | EU
GCP | API services | EU/US
Datadog | Monitoring | US/EU
Postmark | Email delivery | US
ConvertAPI | Document conversion | EU
Twilio | Communication | US
FlowFuse | Node-RED agent management | EU
Governance
Maecos maintains a formal Information Security Policy, reviewed annually by the founders. All contractors sign NDAs and adhere to internal security policies. A central risk register is maintained, with risk assessments conducted for all new features and integrations.
For a detailed security and architecture overview document, or to schedule a technical deep-dive session, contact [email protected].