SEC
Platform · Security

SECURITY-FIRST
ARCHITECTURE.

Avrenix operates on critical energy infrastructure, so this page holds to one rule: every claim maps to something real. The application-layer controls below — authentication and SSO, encryption of sensitive fields, security headers, role-based access, and an internal operator audit — are implemented in code you can verify. Infrastructure protections are provided by the deployment and labelled as such. We do not claim certifications we do not hold.

MFA
RFC 6238 TOTP
SSO
OIDC + SAML 2.0
HSTS + CSP
Security headers
Field-level
Authenticated encryption
Certifications & audits

WHAT WE HOLD — AND WHAT WE DON'T.

We'd rather tell you what's true than badge what isn't. Avrenix does not currently hold SOC 2, ISO 27001, or a third-party penetration-test attestation, and no external audit is in progress today. What we do have is a set of real, code-level security controls — listed below — that you can verify in a technical review. If we begin a formal certification, this page will say so, with dates, not before.

SOC 2 TYPE II
Not certified

Not currently held and not under audit. We'll publish a timeline here if and when an engagement begins.

ISO 27001
Not certified

Not currently held, and no registration audit is in progress today. Not claimed.

EXTERNAL PEN TEST
Not conducted

No third-party penetration test has been performed, so we don't claim one. Technical security reviews with prospects are welcome.

Implemented — in the application code

CONTROLS IN THE CODE TODAY.

Every row here is application-layer code, verifiable in a technical review. Infrastructure protections follow in a separate Deployment section — provided by the host, not the app.

Authentication & Access
Multi-factor auth TOTP MFA (RFC 6238) available to every user — authenticator-app enrolment via a standard otpauth:// URI, single-use recovery codes stored hash-only, and progressive lockout on failed attempts. Password login uses bcrypt with constant-time verification. Organisation-wide enforcement is planned. Implemented
SSO — OIDC & SAML 2.0 OpenID Connect (Authorization Code + PKCE; ID tokens verified against the provider's JWKS) and SAML 2.0 (assertions validated by a vetted library, python3-saml / xmlsec — signature, audience, conditions and replay all enforced). Works with Okta, Azure AD, Google Workspace, and any standards-compliant provider. SSO users bind to your organisation as members; the OIDC/SAML secret is encrypted at rest. Implemented
Role-based access Organisation roles — Owner, Admin, Member, Viewer — enforced server-side by a single default-deny access check. Owners configure Admin and Member permissions within anchored bounds: a Viewer is always read-only, an Owner always full control. Access is enforced on the server, not just hidden in the interface. Implemented
Encryption & Transport
Sensitive-field encryption Recoverable secrets that can't be one-way hashed — TOTP seeds and SSO client/SP secrets — are encrypted at the application layer with authenticated encryption (Fernet: AES-128-CBC + HMAC-SHA256), keyed from a secret held outside the codebase. Each value is integrity-checked on read; a tampered ciphertext is rejected, never silently trusted. Implemented
Security headers The application emits HSTS (max-age 1 year, includeSubDomains) on HTTPS responses, plus a full header set on every response: Content-Security-Policy, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy, and Permissions-Policy. Implemented
Isolation & Audit
Organisation data isolation Every request resolves through one organisation-membership access check (default-deny). A caller only ever reaches resources their organisation owns; cross-organisation access is refused, and a non-member gets an indistinguishable “not found” response, so account existence can't be probed. Implemented
Internal operator audit Avrenix operators have an admin-only audit of per-organisation activity — action metadata and health signals only — with a hard boundary enforced in code: it never records customer business content, engine inputs, or the contents of Chai conversations. Monitoring, not surveillance. Implemented
Provided by the deployment

INFRASTRUCTURE — HONESTLY SCOPED.

These protections come from the host and deployment environment, not from application code — so we label them Deployment, not “Implemented.” They are the recommended posture for running Avrenix; we don't assert a specific provider, region, or appliance that isn't provisioned for a given deployment.

TLS 1.3 (transport) Run behind a TLS-terminating host or proxy configured for TLS 1.3 (1.2 minimum; older rejected). The application emits HSTS so clients refuse plaintext, but the version floor is enforced at the proxy — not in app code. Deployment
Disk / database encryption Provision encrypted volumes and a database with at-rest encryption enabled. The app encrypts specific sensitive fields (above); full-volume and database at-rest encryption is an infrastructure control. Deployment
Key management Encryption keys are supplied to the app via environment secrets held outside the repository. A managed KMS with an automated rotation policy is the recommended deployment posture. Deployment
Data residency Data resides wherever the deployment is hosted — deploy in the region your compliance requires. We do not claim specific pre-provisioned regions. Deployment
Network perimeter Recommended: private subnets, default-deny security groups, a WAF on public endpoints, and managed DDoS protection — all provided by the hosting environment. Deployment
Commitments

WHAT WE COMMIT TO.

These are policy commitments, not code — how we promise to act, stated plainly.

Breach notification We commit to notifying affected customers within 72 hours of a confirmed breach and delivering a full incident report within 30 days, following GDPR-aligned procedures for EU data subjects. Commitment
Responsible disclosure Report a suspected vulnerability through our contact page. We commit to acknowledging your report promptly and keeping you informed through to resolution. Commitment
Data processing (DPA) A Data Processing Agreement is available to all customers and required for EU operators — covering lawful basis under GDPR, sub-processors, Standard Contractual Clauses for EEA transfers, data-subject rights, and deletion/portability. Request it via our contact page. Commitment
Enterprise security

ADDITIONAL CONTROLS
FOR ENTERPRISE.

Enterprise customers receive enhanced security controls and direct access to security documentation for their procurement and compliance processes.

SAML / OIDC SSO

Federated identity with your existing IdP — Okta, Azure AD, Google Workspace, or any standards-compliant SAML 2.0 / OIDC provider. Your organisation's owner configures it; SSO users join as members.

Configurable roles & permissions

Owner-defined permissions for Admins and Members, within anchored bounds a Viewer can never exceed — enforced server-side on every request.

Regional deployment DEPLOYMENT

Deploy in the region your compliance requires; data stays where it's hosted. A deployment choice, not a pre-provisioned claim.

Security review & DPA

We'll walk your team through the implemented controls in a technical review, and provide the Data Processing Agreement under NDA. We share only what's real — no pen-test or certification artefacts we don't have.

DATA PROCESSING AGREEMENT

A Data Processing Agreement (DPA) is available for all customers and required for EU-based operators. The DPA covers:

Lawful basis for processing under GDPR
Sub-processor list and notification procedures
Standard Contractual Clauses for EEA transfers
Data subject rights procedures
Deletion and portability commitments

Request the DPA or a security review via our contact page.

UPTIME & AVAILABILITY · DEPLOYMENT

Avrenix is designed to run on redundant, multi-AZ cloud infrastructure with automated failover and health monitoring — delivered by the deployment environment. Live operational status is published on our status page. Any availability commitment is set by the deployment environment and the specific customer agreement — we don't publish a fixed SLA figure we don't yet stand behind.

QUESTIONS ABOUT SECURITY?
TALK TO US DIRECTLY.

Enterprise security reviews supported. Documentation available under NDA. We're available for technical conversations before you commit.