SOC 2 Type II

Avila's controls have been independently audited against the AICPA Trust Services Criteria for Security. Our latest SOC 2 Type II report is available to current and prospective customers under NDA.

Data Protection

Encryption in transit

All data moving between customer browsers and Avila's services is encrypted using TLS 1.2 or higher. HTTPS is enforced across all endpoints.

Encryption at rest

Customer data stored in Avila's databases, object storage, and backups is encrypted at rest using AES-256 or provider-managed equivalents.

Key management

Production encryption keys and access secrets are managed through a dedicated key management service with restricted access and rotation policies.

Access Controls

Multi-factor authentication

MFA is required for all employees accessing production systems and internal tools that handle customer data.

Least-privilege access

Production access is restricted to the smallest set of employees required to operate the service. Access is provisioned by role and reviewed quarterly.

Session controls

Automatic session timeouts are enforced across internal tools. Passwords must meet strong complexity requirements and are never stored in cleartext.

Infrastructure & Resilience

Cloud infrastructure

Avila is hosted on Microsoft Azure, which maintains its own SOC 2, ISO 27001, and FedRAMP certifications. We rely on Azure's physical security, network isolation, and DDoS protections at the infrastructure layer.

Backups

Production databases are backed up on a regular schedule. Backup restoration is tested to confirm recoverability.

High availability

Core services are deployed across multiple availability zones so that a single-zone failure does not disrupt customer access.

Application Security

Secure development

Every code change goes through peer review and automated testing before it reaches production. Development, staging, and production environments are separated.

Vulnerability management

Dependencies are continuously scanned for known vulnerabilities. Static application security testing (SAST) runs against every pull request. Patches are prioritized by severity.

Penetration testing

Independent penetration testing is performed annually. Findings are tracked to closure and re-tested where applicable.

Operational Security

Monitoring & logging

Production systems emit centralized logs and metrics. Alerts are configured for unusual activity, security-relevant events, and capacity thresholds.

Incident response

Avila maintains a documented incident response plan. On-call engineers are equipped to triage and respond, and customers are notified of incidents that materially affect them.

Business continuity

Business continuity and disaster recovery plans are documented and reviewed annually. Backup and failover procedures are exercised.

People & Vendors

Personnel security

  • Background checks required for all employees
  • Confidentiality agreements on hire
  • Annual security awareness training
  • Access revoked immediately on termination

Vendor management

  • Subprocessors reviewed before onboarding
  • Data-processing agreements in place where applicable
  • Full subprocessor list available on request

Policies & governance

  • Information security, access control, and incident response policies documented
  • Policies reviewed and acknowledged annually
  • Named security officer accountable for the program