Security

Last Updated: Mar 12, 2025

At AVIR, we treat your data and operational integrity as mission-critical. Our platform is architected for high availability, robust failover, and end-to-end data protection. Security is embedded into every layer of our system—from infrastructure to codebase, user access to logging, and beyond.

🔧 Infrastructure & Hosting

Primary Cloud Provider: Amazon Web Services (AWS)
Regional Replication: Supabase (used for real-time sync and read replicas)

  • Multi-Region Deployment: Application and database layers are deployed across multiple AWS regions with automated failover.

  • Automated Backups: Daily encrypted backups of all databases and file systems, retained for a minimum of 30 days.

  • Immutable Infrastructure: Changes to infrastructure are version-controlled and deployed via CI/CD pipelines.

  • Environment Isolation:

    • Production is strictly isolated from staging and sandbox environments.

    • Access credentials, secrets, and API keys are managed per environment using AWS Secrets Manager.

🔒 Data Protection

  • In Transit: TLS 1.2+ enforced across all endpoints, with HSTS and perfect forward secrecy.

  • At Rest:

    • PostgreSQL instances use AES-256 encryption for all stored data.

    • S3 buckets store file assets with server-side encryption (SSE-S3).

    • Logs and backups are encrypted and stored with integrity protection.

  • Access Controls:

    • Role-Based Access Control (RBAC) for both internal and customer-facing roles.

    • Admin and sensitive actions are recorded with immutable audit logs.

    • Principle of least privilege enforced across all systems.

👥 Authentication & Identity

  • Password Security:

    • Minimum 8 characters, with at least one symbol and number.

    • Passwords are hashed using bcrypt with salt.

  • Session Management:

    • Sessions automatically expire after 30 minutes of inactivity.

    • Secure HTTP-only cookies are used with same-site protection.

  • Advanced Options:

    • Multi-Factor Authentication (MFA): Optional for all users; enforced for internal staff. (Enterprise-wide enforcement coming Q3 2025)

    • Single Sign-On (SSO): Available for enterprise customers via SAML 2.0 or OAuth2 integrations (Google Workspace, Azure AD, Okta).

🛡 Vulnerability Management

  • Code Audits: All production code undergoes peer review with mandatory security scanning before deployment.

  • Automated Scanning:

    • Snyk + Dependabot continuously monitor third-party dependencies for vulnerabilities.

    • CI pipeline blocks deploys if critical CVEs are present.

  • Staging & Testing:

    • Staging environments are fully isolated and do not use production data.

    • Migration customers are onboarded into isolated test environments prior to go-live.

  • Penetration Testing:

    • An independent third-party pentest is scheduled for Q3 2025, with results available to enterprise clients under NDA.

📢 Responsible Disclosure Policy

We value the security research community and encourage responsible reporting of any vulnerabilities or security flaws.

  • Contact: security@avir.space

  • Please do not publicly disclose issues before coordinated resolution.

  • We offer:

    • Public acknowledgment (with consent)

    • Early access to beta features

    • AVIR merch or other rewards on a case-by-case basis

🔍 Monitoring, Logging & Incident Response

  • Uptime Monitoring: 24/7 active monitoring via UptimeRobot and Sentry.

  • Log Management:

    • All critical application and infrastructure events are logged in real time.

    • Logs are stored securely and are tamper-resistant (using append-only storage).

  • Real-Time Alerts:

    • Alerts for suspicious activity (e.g., excessive failed login attempts, privilege escalation) are automatically routed to our incident response team.

  • Incident Playbooks:

    • Our team follows a documented Security Incident Response Plan (SIRP).

    • Incidents are reviewed and post-mortems are shared internally within 48 hours.

🧬 Compliance Roadmap

AVIR is committed to building a globally compliant platform that meets enterprise and regulatory standards.

Currently in progress:

All data is processed and stored in compliance with data residency and protection regulations.

📩 Contact Us

For any concerns related to data security, compliance, or to report a bug or vulnerability, please reach out: security@avir.space
Our team responds within 24 hours on business days.

Start Optimising Now

Manage your Airops, Wherever You Are

Stay connected with real-time ops, insights, and actions — all from the AVIR Mind mobile app.

AVIR is trusted by aviation teams globally to manage operations with military-grade security and aviation-grade compliance.

Pronounced ah-VEER (אֲוִיר) and sounds like

Make Your Air Operations Efficient

© 2025 Avir