Trust Center

Security at Avsentia

We help organizations build resilience — so our own platform must lead by example. Here is how we protect your data and maintain the security of the Avsentia platform.

SOC 2 In Progress
AES-256 Encryption
Zero Persistent BC/DR Storage

Our Core Data Principle

Avsentia does not store customer BC/DR plans by default. Plans generated through Dave are session-only — when your session ends, the output is not retained on our servers. This is a deliberate architectural choice that dramatically reduces your data exposure risk. Offsite storage is available as an explicit, paid opt-in for organizations that need it.

SOC 2 Compliance

Trust Services Criteria implementation status (audit in preparation)

Criterion | Area | Implementation | Status
CC6 | Access Control | MFA enforced for all admins; user TOTP enrollment available | In Progress
CC7 | System Operations | Sentry + Vercel + Supabase audit logs; IRP documented | In Progress
CC8 | Change Management | PR-required GitHub workflow; branch protection enabled | In Progress
CC9 | Vendor Management | All vendors SOC 2 Type II certified; reports on file | Complete
C1 | Confidentiality | No persistent BC/DR plan storage by default; AES-256 at rest | Complete
A1 | Availability | 99.9% SLA target; RPO < 1hr, RTO < 4hr | In Progress
P1-P8 | Privacy | Privacy Policy published; CCPA/GDPR data subject rights process in place | In Progress

A formal SOC 2 Type I audit is planned. Enterprise customers may request our security documentation package by contacting security@avsentia.com.

Encryption Standards

All data is encrypted in transit and at rest using industry-standard algorithms.

Data Type | Method | Details
Data in Transit | TLS 1.2+ | Enforced by Vercel edge network on all connections
Data at Rest | AES-256 | Supabase/PostgreSQL managed encryption
Passwords | bcrypt | Never stored in plaintext; hashed via Supabase Auth
API Secrets | Env vault | All secrets stored in Vercel encrypted environment variables — never in source code
Session Tokens | JWT (HS256) | Short-lived tokens with automatic expiry and rotation

Access Controls

Layered access controls enforce least-privilege access across the entire platform.

  • Multi-factor authentication (TOTP) required for all admin accounts — Vercel, Supabase, Stripe, GitHub
  • TOTP enrollment available for all platform users via account settings
  • Principle of least privilege — users access only data scoped to their account (Supabase Row Level Security)
  • Service account secrets stored exclusively in encrypted environment variable vaults
  • Access reviews conducted quarterly; departing employee access revoked within 24 hours
  • All production changes require peer-reviewed Pull Request — no direct pushes to main branch

Sub-Processor Security

Every vendor with access to our infrastructure or customer data holds a current SOC 2 Type II certification.

Responsible Disclosure

We welcome security researchers who responsibly disclose vulnerabilities in the Avsentia platform. If you believe you have found a security issue, please report it to us privately before public disclosure.

We acknowledge reports within 48 hours and provide status updates within 7 days.
Please include: description, reproduction steps, potential impact, and any proof-of-concept.

Please do not access customer data, disrupt production services, or publicly disclose findings before coordinating with us. We commit to no legal action against good-faith researchers.

Enterprise customers may request our full security documentation package, SOC 2 reports from our vendors, and a security questionnaire response.