Airtool is a Deister Software project. The trust posture is inherited and extended.
Two formal certifications, ISO/IEC 27001:2023 and the Spanish National Security Framework at MEDIUM level, are held by Deister Software, the corporate entity behind Airtool, and cover the engineering, operational and hosting infrastructure that runs the product. Airtool extends this posture with three deployment models, AWS-hosted SaaS, survival rights on the on-prem runtime, and a source-available Apps suite. The evidence behind every claim is on file and available under NDA.
ISO/IEC 27001:2023
Deister Software certified. Certificate 044807, ADOK Certificación, valid through 15 July 2028. Scope covers on-premise, SaaS and cloud hosting of the Axional and Airtool services.
ENS Medium
Spanish National Security Framework. Real Decreto 311/2022. Certificate 624807, valid through 12 January 2027. Sixty-three controls across the five ENS dimensions at MEDIUM level.
SaaS hosted on AWS
Airtool SaaS runs on AWS — the customer inherits the AWS posture (ISO 27001, SOC 2 Type II, ISO 27017, ISO 27018, PCI DSS, GDPR-aligned controls) at the infrastructure layer.
On-prem survival rights
Customer data and the deployed runtime live on customer infrastructure. If the subscription lapses, the runtime keeps running indefinitely — there is no remote kill-switch on the application that was deployed.
Airtool is a Deister Software project.
Airtool is the enterprise application platform built by Deister Software, the corporate entity that holds the certifications referenced on this page. The engineering team that authors and operates Airtool is the same team that holds the ISO/IEC 27001:2023 and ENS Medium certifications and that runs the production hosting estate.
This page describes the corporate trust posture inherited from Deister Software, the deployment-specific trust mechanisms unique to Airtool (AWS hosting for SaaS, survival rights on on-prem, source-available Apps), and the customer-ownership model that makes long-horizon platform decisions defensible to procurement and audit.
Compliance
The formal frameworks the certified scope operates under. Two certified standards link to the signed certificate; two statutory regimes describe Deister Software's posture as data processor.
ISO/IEC 27001:2023
Certified. ADOK Certificación, certificate 044807, valid through 15 July 2028. Covers the information systems supporting the Axional and Airtool services in their on-premise, SaaS and cloud-hosting modalities, in accordance with the 2025_V6 Statement of Applicability.
ENS Medium
Certified. Real Decreto 311/2022, certificate 624807, valid through 12 January 2027. Sixty-three controls across confidentiality, integrity, traceability, authenticity and availability — all rated MEDIUM.
GDPR
Compliant. Regulation (EU) 2016/679. Customer personal data processed as a processor under contract. DPA available on request from dpo@deister.es.
Spanish LOPDGDD
Compliant. Organic Law 3/2018 on personal data protection and digital rights. Supervised by the Agencia Española de Protección de Datos (AEPD).
Three deployment models, three trust profiles.
SaaS on AWS — Airtool SaaS runs on AWS infrastructure operated by the Deister Software platform team. The customer inherits AWS's posture at the infrastructure layer (ISO 27001, SOC 2 Type II, ISO 27017, ISO 27018, PCI DSS, GDPR-aligned controls) and the Deister Software posture at the platform layer (ISO 27001, ENS Medium, GDPR). EU customers are placed in EU regions; regional placement is scoped per engagement and recorded in the master service agreement.
On-prem — customer infrastructure, customer operations. Data resides on the customer's storage, on the customer's network, behind the customer's perimeter. The platform team has no operational access beyond the contractually-defined support paths. If the subscription lapses, the deployed runtime continues to run on customer infrastructure indefinitely — applications keep serving users, integrations keep firing, the data stays where it always was.
AWS Marketplace AMI — coming soon. The self-serve path on AWS infrastructure, launched on the customer's own AWS account. The customer's AWS posture and the customer's data residency choice apply; the Deister Software platform-layer posture applies to the AMI image itself.
Customer ownership — what survives, in every model.
Your data, on your storage. On-prem makes this explicit; on SaaS, customer data is stored in named EU regions on customer-scoped logical isolation, with the Data Processing Addendum reflecting GDPR Article 28 obligations.
Survival rights on the deployed runtime. If you stop paying for an on-prem subscription, the runtime continues to run on your infrastructure indefinitely. There is no licence-check phone-home, no time-bomb, no remote kill-switch on the application that was deployed. The subscription buys updates, AI features, support and monitoring — not the right to operate.
The Apps suite is source-available. ERP, CRM, HR and PM ship with their source readable, forkable and extensible under the source-available licence. Customers running these Apps have, by construction, an exit option that does not depend on Deister Software's continued existence.
Source-code escrow on enterprise platform contracts. A third-party source-code escrow (Iron Mountain, NCC Group, Praxis or similar) is available on enterprise contracts for procurement teams that require a belt-and-braces guarantee on the Platform layer in addition to survival rights.
External infrastructure audits.
Quarterly external infrastructure audits are conducted by mdtel / SECUNIT, an independent Spanish security operations centre. Each cycle covers external network exposure mapping, service and version fingerprinting, TLS configuration and certificate hygiene, HTTP security header review, web application surface analysis, web application firewall coverage, and inventory of information disclosure indicators.
Each finding is severity-rated against a published rubric. A remediation plan is produced, tracked and validated at the next quarterly cycle. The auditor and the cycle are public; the findings themselves are confidential to the audit relationship and available under NDA to qualified procurement and security teams conducting due diligence.
Sub-processors and infrastructure partners
Every external vendor that processes customer data, or that runs operational infrastructure under the certified scope, is named here. Procurement teams subscribe to changes through the security mailbox below; customers under contract receive thirty days' notice of any material addition.
AWS — SaaS hosting
Amazon Web Services. Hosts the Airtool SaaS infrastructure in customer-selected EU regions. AWS holds ISO 27001, SOC 2 Type II, ISO 27017, ISO 27018, PCI DSS Level 1, FedRAMP and GDPR-aligned controls.
Atlas Edge — Deister hosting
Two named EU facilities in Spain — Barcelona (Carrer de l'Acer 9, 08038) and Madrid (Av. de Manoteras 42B, 28050). Both facilities listed on the ENS certificate. Atlas Edge holds ISO 27001 and ISO 50001 across the Iberian estate.
External security audit
mdtel / SECUNIT — Spanish security operations centre. Quarterly external infrastructure audit of the production estate.
Certification body
ADOK Certificación, S.L. ENAC ISO 17065 accreditation 242 / C-PR473. Awards and maintains the ISO 27001 and ENS Medium certifications. Acts on the management system, not on customer data.
Email, identity and observability
Operational mail transport, SSO transport and observability vendors are named in the consolidated sub-processor register, available under NDA with the evidence pack. Customer business records never leave the certified hosting boundary.
Customer support tooling
Helpdesk and ticketing tooling carries the metadata of support engagements only — subject lines and attachments at the customer's discretion. Vendor names are disclosed under NDA.
Privacy and data protection.
Deister Software processes customer personal data as a processor under contract, in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation) and Spanish Organic Law 3/2018 on personal data protection and digital rights.
The Data Processing Addendum reflecting GDPR Article 28 obligations is incorporated into the master service agreement signed with every cloud and SaaS customer. A standalone template, suitable for procurement review ahead of contract, is included in the evidence pack available under NDA.
The Data Protection Officer function is reachable at dpo@deister.es. Subject-access, rectification, erasure and portability requests routed through this mailbox are acknowledged within seventy-two hours and resolved within thirty calendar days, in line with GDPR Article 12.
The data controllers for the Deister Software group are the legal entities named on the ISO 27001 certificate (Spain and Peru). The registration data of each entity is published in the corresponding national commercial register and is referenced in the master service agreement at signature.
Vulnerability disclosure.
Coordinated security disclosures are welcome from researchers, customers and partners. The published security contact is security@deister.es. A signed PGP key is published at the canonical security.txt location, /.well-known/security.txt, in line with RFC 9116.
Service-level commitments — new reports are acknowledged within one working day; triage and severity assignment complete within five working days; critical-severity findings under active exploitation are routed to incident response immediately, and the customer base is notified within seventy-two hours of confirmation, in line with GDPR Article 33.
Safe-harbour. Good-faith research conducted under the published disclosure policy — proportionate testing, no data exfiltration, no service disruption, no third-party impact — will not be pursued. Researchers acting in good faith are credited in the disclosure record at their election.
Public documents
Signed certificates and public-version policies. No NDA required. The certificates are hosted on the Deister Software trust centre — the corporate entity that holds them.
ISO/IEC 27001:2023 certificate
Signed certificate 044807 issued by ADOK Certificación. Valid through 15 July 2028. Available on the Deister Software trust centre.
ENS Medium certificate
Signed certificate 624807 issued by ADOK Certificación. Valid through 12 January 2027. Available on the Deister Software trust centre.
Privacy policy
Public privacy notice covering personal data processed in the course of pre-contract enquiry, customer support and the operation of the airtool.io surface.
Data Processing Addendum — template
Standalone GDPR Article 28 template for procurement review ahead of contract. Available on request from dpo@deister.es; the version signed with each customer incorporates customer-specific scope and sub-processor list.
Confidential evidence — available under NDA
One mutually executed non-disclosure agreement unlocks the full confidential pack. Reply within forty-eight hours of NDA receipt.
Statement of Applicability summary
Mapping of the ISO 27001:2022 Annex A controls implemented under the certified scope, with the exclusions justified per Statement of Applicability 2025_V6.
External audit summary — current cycle
mdtel / SECUNIT quarterly audit report. Scope, methodology, severity rubric, summary findings, remediation status.
Sub-processor register — full
Consolidated register naming every vendor that processes customer data: name, purpose, data categories, region of processing, certification posture, contract reference.
Architecture and security overview
Engineering-detail description of the Airtool security model: encryption in transit and at rest, key management, network segregation, identity and access management, audit logging, customer-controllable settings. Pairs with the public platform/security page for the architect-facing detail.
Page status
This page is reviewed quarterly and after any material change to the certified scope, the sub-processor register or the disclosure programme. Page last reviewed 19 May 2026. Next scheduled review 19 August 2026.
Machine-readable security contact at /.well-known/security.txt (RFC 9116). Security mailbox: security@deister.es. Data protection mailbox: dpo@deister.es.