Avila's controls have been independently audited against the AICPA Trust Services Criteria for Security. Our latest SOC 2 Type II report is available to current and prospective customers under NDA.
All data moving between customer browsers and Avila's services is encrypted using TLS 1.2 or higher. HTTPS is enforced across all endpoints.
Customer data stored in Avila's databases, object storage, and backups is encrypted at rest using AES-256 or provider-managed equivalents.
Production encryption keys and access secrets are managed through a dedicated key management service with restricted access and rotation policies.
MFA is required for all employees accessing production systems and internal tools that handle customer data.
Production access is restricted to the smallest set of employees required to operate the service. Access is provisioned by role and reviewed quarterly.
Automatic session timeouts are enforced across internal tools. Passwords must meet strong complexity requirements and are never stored in cleartext.
Avila is hosted on Microsoft Azure, which maintains its own SOC 2, ISO 27001, and FedRAMP certifications. We rely on Azure's physical security, network isolation, and DDoS protections at the infrastructure layer.
Production databases are backed up on a regular schedule. Backup restoration is tested to confirm recoverability.
Core services are deployed across multiple availability zones so that a single-zone failure does not disrupt customer access.
Every code change goes through peer review and automated testing before it reaches production. Development, staging, and production environments are separated.
Dependencies are continuously scanned for known vulnerabilities. Static application security testing (SAST) runs against every pull request. Patches are prioritized by severity.
Independent penetration testing is performed annually. Findings are tracked to closure and re-tested where applicable.
Production systems emit centralized logs and metrics. Alerts are configured for unusual activity, security-relevant events, and capacity thresholds.
Avila maintains a documented incident response plan. On-call engineers are equipped to triage and respond, and customers are notified of incidents that materially affect them.
Business continuity and disaster recovery plans are documented and reviewed annually. Backup and failover procedures are exercised.