At Avrio we take the responsibility of protecting your data very seriously. We have certifications, processes, and audits in place to systematically help ensure the safe and secure use of our service for everyone.
Take a look under the hood into our security policies and documentation.
Avrio hosts all its software in Amazon Web Services (AWS) facilities in the EU. We make use of the security products embedded within the AWS ecosystem, including Web Application Firewall, Identity and Access Management, and CloudTrail.
In addition, we deploy our application using containers run on AWS-managed services, meaning we typically do not manage servers or EC2 instances in production.
All team members receive security training during onboarding and a refresher annually. Access to customer data is limited to authorized team members who require it for operational and maintenance activities only.
Confidentiality agreements are signed by all employees and contractors of the company and background checks are performed for all new team members.
Avrio has a third party conduct application penetration testing at least annually, in addition to Avrio's continued internal testing and review program.
Avrio also uses high-quality static application security testing provided by GitLab to secure our product at every step of the development process.
Design of all new product functionality is reviewed for security impact, with Avrio conducting mandatory code reviews for all changes to the code. Avrio development and testing environments are separate from its production environment. All code development is done through a standard process.
All of our production infrastructure is built with redundancies in place, in highly available configurations spread over three different availability zones in the eu-west-1 AWS region. We also have established incident response and disaster recovery plans.
All systems access is regularly reviewed, and access is granted according to the principle of least privilege.
All customer data is encrypted in transit via TLS 1.2 and at rest with AES-256 encryption. We rely on AWS infrastructure to securely maintain our cryptographic encryption keys.
All our services are GDPR & CCPA compliant and we have a transparent privacy and cookie policy available on our site. Data retention procedures are established and we have a data management policy reviewed and accepted by all team members during onboarding.
Avrio securely processes all payments via Stripe. Stripe is certified as a PCI Level 1 Service Provider.
We use Vanta to manage security and compliance and are currently under observation for SOC 2. A Trust Report can be provided upon request.
Avrio complies with all applicable data privacy regulations. Learn more about our GDPR compliance posture here.
“Avrio has helped us plan better by allowing everyone to contribute insights that move the needle on our OKRs.”