Overview
Avion takes security and data privacy very seriously. Keeping our customers' data protected at all times is our highest priority. This security policy provides a high-level overview of the security practices that we follow.
If you have any feedback or questions, please feel free to email us at support@avion.io.
Data Privacy
Avion is fully compliant with the General Data Protection Regulation (GDPR). We follow the regulations outlined in the GDPR in order to protect the privacy of all our users and also give control over their personal data.
We will never send marketing material to anyone without explicit consent from them first.
Infrastructure
All of our services run in the cloud and we rely on Amazon Web Services (AWS) for our application infrastructure. This ensures that our infrastructure is fully compliant with the majority of security certifications. You can read about Amazon's security practices here.
We also apply strong network security controls, such as VPNs and IP restrictions, throughout our infrastructure.
Secure Development Practices
Our development team follows a set of industry best practices with regard to secure development. Below are some of the security practices we follow:
- All development adheres to the OWASP Top 10 security standards
- Restricted access to source code repositories
- All code is peer-reviewed and pull requests must be approved
- 2FA applied on all third-party services (wherever supported)
- Secure management of login credentials for services using password vaults (32-character passwords)
- Automated and manual penetration tests as part of our CI/CD processes
- Regular updates of our dependencies, ensuring none of them have known vulnerabilities
Encryption
All data in transit between client and server is encrypted using TLS (SSL), and HTTP Strict Transport Security (HSTS) with a long duration is deployed on every app server. In addition, all data is encrypted at rest. All passwords are salted and hashed.
You can view our SSL report here.
Application Security
We make use of various industry best practices with regard to application and network-level security. Our technical architecture has been designed with security in mind, and we protect and monitor our network for unauthorised access using the following:
- DDoS protection at the datacenter level
- All servers use firewalls and only allow communication through required ports and IP addresses
- Detailed application logging and network monitoring
- Token-based authentication system that does not rely on session cookies
- Regular review of security headers
User Protection
- Advanced role-based access control (RBAC) is offered on all accounts and allows our users to review and change roles and permissions.
- Single sign-on (SSO) is offered for our enterprise customers.
Backups and Disaster Recovery
We keep point-in-time backups covering the last 24 hours, as well as daily, weekly and monthly database snapshots retained for up to one year.
Employee Access
Employees are not granted access to customer data unless it is required for customer support. Employees sign a non-disclosure agreement (NDA) to protect our customers' sensitive information.