Overview
Avion takes security and data privacy very seriously. Keeping our customers' data protected at all times is our highest priority. This page provides a high-level overview of the security practices we follow.
If you have any questions or would like to request our full security documentation, please email us at support@avion.io.
Data Privacy
Avion is fully compliant with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We follow the principles of data minimisation, purpose limitation, and privacy by design across our platform and internal processes.
James Sear is Avion's designated data protection lead, responsible for regulatory compliance, data subject requests, and breach notification. Data subject access requests and other privacy enquiries can be submitted to security@avion.io and will be responded to within the statutory 30-day timeframe.
We will never send marketing material to anyone without their explicit consent.
Infrastructure
All of our services run in the cloud. We use Amazon Web Services (AWS) as our primary infrastructure provider, with EU customer data hosted in the EU (Frankfurt) region and our US cloud offering hosted in the US (Ohio) region. AWS data centres are ISO 27001 certified. You can read about Amazon's security practices here.
Our database infrastructure runs on MongoDB Atlas, with point-in-time recovery and automated backups. Infrastructure configuration is documented and version-controlled, and all changes to production systems are made through our CI/CD pipeline rather than by manual intervention.
We use AWS security groups and network access control lists to restrict traffic to only what is required. Services and ports are not exposed to the public internet unless necessary, and IP allowlisting is applied to infrastructure access.
Secure Development Practices
Our development process is built around secure-by-default principles, aligned with the OWASP Top 10 and OWASP Application Security Verification Standard (ASVS). Our practices include:
- All development follows OWASP Top 10 security standards
- All code is peer-reviewed via GitHub Pull Requests and must be approved before merge
- All changes are tested in a dedicated staging environment before production deployment
- Automated dependency vulnerability scanning (yarn audit) runs on every build
- Periodic manual penetration testing targeting the platform and infrastructure
- All credentials managed via a dedicated password manager with strong unique passwords and MFA on all accounts
- Dependencies are regularly reviewed and updated to ensure no known vulnerabilities are present
Encryption
All data in transit between client and server is encrypted using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is deployed on all application servers. All data is encrypted at rest. All passwords are hashed and salted.
You can view our SSL report here.
Application Security
Our technical architecture has been designed with security in mind. We protect and monitor our infrastructure using a layered defence-in-depth approach, including:
- AWS CloudWatch for log aggregation, monitoring, and anomaly detection alerting
- File integrity monitoring (Tripwire) on server instances
- Malware detection (MALDET) on server instances
- Firewalls and security groups restricting communication to required ports and IP addresses only
- Token-based authentication that does not use session cookies
- Regular review of security headers
- Detailed application and access logging, retained for a minimum of one year
User Protection
- Advanced role-based access control (RBAC) is available on all accounts, allowing administrators to review and manage user roles and permissions
- Single sign-on (SSO) is available for Enterprise customers
- Multi-factor authentication (MFA) is available and recommended for all users
Backups and Disaster Recovery
We maintain point-in-time backups over the last 24 hours, and daily, weekly, and monthly database snapshots retained for up to one year. All backups are encrypted at rest and stored in geographically separate locations.
Avion maintains a documented Disaster Recovery Plan with a recovery time objective (RTO) of four hours and a recovery point objective (RPO) of 24 hours. Both founders are fully capable of executing the plan independently.
Incident Response
Avion maintains a documented Incident Response Policy covering detection, containment, eradication, recovery, and post-incident review. Security incidents are classified by severity with defined response timelines.
In the event of a confirmed personal data breach, Avion will notify affected Enterprise customers within 72 hours of becoming aware, and will report to the ICO where required under UK GDPR.
Security vulnerabilities can be reported to us at security@avion.io. We acknowledge all disclosures within five business days and handle them in good faith.
Access Control
Access to Avion's systems and customer data follows the principle of least privilege. Access to production systems is restricted to the founding team and is not granted to third parties on a standing basis. All access to production infrastructure is protected by MFA and strong unique credentials managed via a password manager.
Access rights are reviewed at least annually. When any individual's access is no longer required, it is revoked within 24 hours.
Employee Access to Customer Data
Avion staff do not access customer data unless required for a specific support purpose. Where access to customer data is required, it is logged with the reason and the individual who accessed it. All individuals with access to Avion systems are subject to confidentiality obligations.
Enterprise Security
Enterprise customers receive additional security provisions including:
- A full Data Processing Agreement (DPA) covering UK GDPR obligations, sub-processor disclosure, breach notification timelines, and international transfer safeguards
- An uptime SLA of 99.9% with service credits
- Dedicated account management and a Slack Connect support channel
- The option to configure Customer Managed Encryption Keys (CMKs) via AWS KMS for an additional layer of encryption on your data
- Access to Avion's security documentation including penetration testing summaries, policy documentation, and responses to security questionnaires