We'd rather tell you what's true than badge what isn't. Avrenix does not currently hold SOC 2, ISO 27001, or a third-party penetration-test attestation, and no external audit is in progress today. What we do have is a set of real, code-level security controls — listed below — that you can verify in a technical review. If we begin a formal certification, this page will say so, with dates, not before.
Not currently held and not under audit. We'll publish a timeline here if and when an engagement begins.
Not currently held, and no registration audit is in progress today. Not claimed.
No third-party penetration test has been performed, so we don't claim one. Technical security reviews with prospects are welcome.
Every row here is application-layer code, verifiable in a technical review. Infrastructure protections follow in a separate Deployment section — provided by the host, not the app.
otpauth:// URI, single-use recovery codes stored hash-only, and progressive lockout on failed attempts. Password login uses bcrypt with constant-time verification. Organisation-wide enforcement is planned.
Implemented
These protections come from the host and deployment environment, not from application code — so we label them Deployment, not “Implemented.” They are the recommended posture for running Avrenix; we don't assert a specific provider, region, or appliance that isn't provisioned for a given deployment.
These are policy commitments, not code — how we promise to act, stated plainly.
Enterprise customers receive enhanced security controls and direct access to security documentation for their procurement and compliance processes.
Federated identity with your existing IdP — Okta, Azure AD, Google Workspace, or any standards-compliant SAML 2.0 / OIDC provider. Your organisation's owner configures it; SSO users join as members.
Owner-defined permissions for Admins and Members, within anchored bounds a Viewer can never exceed — enforced server-side on every request.
Deploy in the region your compliance requires; data stays where it's hosted. A deployment choice, not a pre-provisioned claim.
We'll walk your team through the implemented controls in a technical review, and provide the Data Processing Agreement under NDA. We share only what's real — no pen-test or certification artefacts we don't have.
A Data Processing Agreement (DPA) is available for all customers and required for EU-based operators. The DPA covers:
Request the DPA or a security review via our contact page.
Avrenix is designed to run on redundant, multi-AZ cloud infrastructure with automated failover and health monitoring — delivered by the deployment environment. Live operational status is published on our status page. Any availability commitment is set by the deployment environment and the specific customer agreement — we don't publish a fixed SLA figure we don't yet stand behind.