Enterprise Security
Enterprise-grade security. Verified in real time.
We protect some of the most sensitive data in AI—autonomous vehicle telemetry, proprietary training datasets, and safety-critical annotations. Our security program is SOC 2 Type II certified, continuously monitored, and designed for customers who can't afford breaches.
Certifications & Audits
Our security program is independently verified. We maintain these certifications and undergo regular third-party audits to prove our controls work—not just that they exist on paper.
Our controls have been tested over time by independent auditors, not just documented.
European customer data is handled according to GDPR requirements.
Information security management certification in progress.
Quality management certification underway.
Required for automotive OEM partnerships.
Security controls
How we protect your data
Infrastructure Security
Authentication & Access
Every person and system accessing Avala infrastructure uses unique credentials. We enforce multi-factor authentication for all remote access and require SSH keys for production systems. No shared accounts, no exceptions. Access follows least-privilege principles: production systems, databases, networks, and encryption keys are restricted to personnel with a documented business need. We review access quarterly and revoke it immediately upon termination.
Network Security
Our network is segmented to isolate customer data. Firewalls are configured to deny by default and reviewed annually. We run intrusion detection systems that monitor for anomalies 24/7 and alert our security team to potential breaches.
Encryption
All data is encrypted at rest and in transit. Encryption keys are managed with strict access controls—only a small number of authorized personnel can access them, and all access is logged.
People & Processes
Governance
Security isn't just an engineering function—it's a board-level priority. Our board receives annual briefings on cybersecurity posture and risk. Management roles and responsibilities for security are formally defined, and we maintain clear reporting lines for security decisions.
Employee Security
Every employee signs a confidentiality agreement and code of conduct before starting. Security awareness training is required within 30 days of hire and annually thereafter. Contractors are held to the same standards.
Asset Management
We maintain a complete inventory of production assets. When hardware is decommissioned, it's securely wiped or destroyed with certified documentation. Customer data is classified and handled according to its sensitivity level.
How We Stay Secure
Continuous Testing
We conduct annual penetration tests and remediate findings according to defined SLAs. Vulnerability scans run continuously, and we perform control self-assessments to verify our defenses work as designed.
Incident Response
Our incident response plan is documented, tested annually, and includes clear escalation paths. Security and privacy incidents are logged, investigated, and communicated to affected parties according to regulatory requirements.
Risk Management
We assess security risks annually, including environmental, regulatory, and technological threats. Identified risks are rated by severity and addressed with documented mitigation strategies. We carry cybersecurity insurance to limit financial exposure.
Operations & Resilience
Disaster recovery and business continuity plans are documented and tested. All production changes go through formal review—authorized, tested, and approved before deployment.
Your Data, Your Control
Retention & Deletion
We retain customer data only as long as needed to provide our services. When you leave Avala, your data is purged from our systems according to documented procedures. You can request deletion at any time.
Classification
Data is classified by sensitivity and handled accordingly. Confidential information is restricted to authorized personnel and protected with appropriate controls.
Portability
You own your data. Export datasets and annotations in standard formats anytime. No lock-in.
Subprocessors
We maintain a list of third-party services that process customer data, available on request.
Questions about security?
We're happy to walk through our security program, share our SOC 2 report, or complete your security questionnaire. Reach out at security@avala.ai—a real human will respond within one business day.