Trust Center
Avnology ID's security practices, compliance attestations, and privacy commitments.
Avnology ID handles your customers' identities. We take the responsibility seriously. This page is the single source of truth for how we protect data, what certifications we hold, and how we respond when things go wrong.
Status
- Current status: status.avnology.com
- Incident history: status.avnology.com/history
- Subscribe to updates: status.avnology.com (email, RSS, webhooks)
Certifications & attestations
| Framework | Status | Evidence |
|---|---|---|
| SOC 2 Type II | Attested annually | Download report (requires NDA for gated customers) |
| ISO 27001 | In progress -- target Q3 2026 | Audit kick-off Q2 2026 |
| GDPR | Compliant | GDPR summary |
| CCPA / CPRA | Compliant | See below |
| HIPAA | Not supported in v1 -- enterprise roadmap | -- |
Security
Defense-in-depth across every layer: FIDO2 passkeys, Argon2id hashing, breached-password detection, TLS 1.3, full audit log, SOC 2 controls. See Security practices for the full list.
Report a vulnerability
We run a responsible-disclosure program. Email [email protected] with a PGP-encrypted description of the issue. We acknowledge within 48 hours and aim to triage within 5 business days.
The discovery signing key is published at:
- <Domain id="docs"/>/.well-known/security.txt
- Key fingerprint available via GET /.well-known/security.txt on the gateway (same content).
Privacy
GDPR
We process personal data on your behalf as a Processor under Article 28. The data processing addendum is available to all paid customers -- request via [email protected].
User-facing GDPR endpoints:
- Access / export (Art. 15): POST /v1/privacy:exportMyData.
- Erasure (Art. 17): POST /v1/privacy:requestAccountDeletion.
- Rectification (Art. 16): standard account settings.
- Portability (Art. 20): the data export format is JSON + JSON-LD annotated.
See GDPR for the full summary.
CCPA / CPRA
California residents have the right to know what personal information we collect, the right to delete that information, and the right to opt out of "sale" (we don't sell personal information, but we honour the flag for tracking interop with downstream processors). Exercise these rights via:
- POST /v1/privacy:optOutOfSale
- POST /v1/privacy:exportMyData
- POST /v1/privacy:requestAccountDeletion
Or email [email protected].
Data residency
Managed tenants are served from:
- US-East (Virginia) -- default for North American sign-ups.
- EU-West (Frankfurt) -- default for EU sign-ups, GDPR-compliant by default.
Additional regions are on the roadmap. Self-hosted customers control residency entirely.
Sub-processors
Avnology's managed service uses a small number of sub-processors:
| Processor | Purpose | Location |
|---|---|---|
| AWS | Hosting, S3 object storage | US-East-1, EU-Central-1 |
| Cloudflare | CDN, DDoS, WAF | Global |
| SendGrid | Transactional email | US |
| Twilio | SMS delivery (optional) | US |
| Datadog | Observability | US |
The full list and current sub-processor changes are maintained at /docs/trust/sub-processors (subscribe by email to be notified 30 days before any change).