HomeSign inGet started
Legal

Security

Last updated: June 22, 2026Effective: June 22, 2026
Security is foundational to Avalon. This page summarizes the technical and organizational measures we use to protect your data. For how we handle personal data, see our Privacy Policy; for processor commitments, see our DPA.

1.Overview

We design the Service to keep each customer's data isolated, encrypted, and accessible only to authorized users. We follow defense-in-depth principles and continually improve our controls.

2.Data protection

  • Encryption in transit using TLS for all connections to the Service.
  • Encryption at rest for stored data, including the database and backups.
  • Strict multi-tenant isolation so one customer's data is logically separated from another's.
  • Token handling — we connect to platforms via OAuth and never store your platform passwords; access and refresh tokens are stored securely and scoped to your account or organization.

3.Access control

  • Least-privilege access to production systems, granted only to personnel who need it.
  • Authentication with support for strong passwords, OAuth sign-in, and two-factor authentication for accounts.
  • Role-based access within organizations and workspaces, with administrator controls over membership and connected platforms.

4.Connected platforms & authentication

Connections to Google, Meta, TikTok, LinkedIn, and Google Analytics use official OAuth authorization flows. We request only the scopes needed to provide the Service, and our use of platform data complies with each platform's API and data-use policies, including the Limited Use requirements of the Google API Services User Data Policy. You can revoke a connection at any time.

5.Infrastructure

The Service runs on reputable cloud infrastructure (including Vercel and Microsoft Azure) with provider-managed physical security, network controls, and redundancy. See our Subprocessors page for the providers we use.

6.Monitoring & resilience

  • logging and monitoring of system and security events;
  • automated backups and recovery procedures for critical data;
  • background job processing with queue isolation for data sync; and
  • an incident response process to detect, contain, investigate, and remediate security events, and to notify affected customers without undue delay where required.

7.Compliance

We align our program with recognized industry frameworks and pursue independent assessments, including SOC 2, as our program matures. We support customers' compliance with GDPR, CCPA/CPRA, Colombia's Ley 1581, and Brazil's LGPD through the commitments in our Privacy Policy and DPA. Current certification status and reports are available to customers on request, under NDA where applicable.

8.Shared responsibility

Security is a shared responsibility. We secure the platform; you are responsible for safeguarding your credentials, enabling two-factor authentication, managing who has access to your workspace, and authorizing only platform connections you are entitled to make.

9.Reporting a vulnerability

We welcome good-faith security research. If you believe you have found a vulnerability, please report it privately to security@avaloncol.com and give us a reasonable opportunity to remediate before any public disclosure. Do not access or modify data that is not yours, degrade the Service, or run automated testing that disrupts operations. We will acknowledge valid reports and will not pursue action against researchers who act in good faith and within these guidelines.