Security & Compliance
Last updated: March 3, 2026
Infrastructure Security
All assets stored in AVPN are encrypted at rest using AES-256 with customer-managed encryption keys (CMEK). Data is encrypted in transit using TLS 1.3. Our storage infrastructure spans a minimum of three geographically separated availability zones, each with independent power, cooling, and networking. We target 99.9999% annual object durability through erasure coding and continuous background integrity verification.
Compliance Certifications
SOC 2 Type II
Audited annually by an independent third party. Report available under NDA to institutional customers upon request.
ISO 27001
Certified since 2023. Our information security management system covers all production infrastructure and employee access.
UK GDPR
Full compliance with the UK General Data Protection Regulation. Data Processing Agreements available for all customers.
FedRAMP
In process. Moderate authorization expected Q4 2026 for our US GovCloud region.
Access Control
All internal access to production systems requires multi-factor authentication and is mediated through a zero-trust network architecture. Employees are granted least-privilege access based on role, with all actions logged and auditable. No employee can access customer content without explicit, time-limited, audited authorization from both the customer and our security team.
Vulnerability Management
We run continuous automated vulnerability scanning across our infrastructure and application layers. Annual penetration tests are conducted by an independent security firm; executive summaries are available to customers under NDA. We maintain a responsible disclosure program; reports can be sent to security@avpn.vip.
Incident Response
Our security operations team monitors infrastructure 24/7/365 with automated alerting for anomalous access patterns, integrity check failures, and availability incidents. We commit to notifying affected customers within 24 hours of a confirmed security incident, in accordance with UK GDPR breach notification requirements. Incident post-mortems are shared with affected customers within five business days of resolution.
Data Processing Agreement
Our DPA is available for download and execution as part of the onboarding process for all paid plans. The agreement covers data controller/processor responsibilities, sub-processor lists, transfer mechanisms, and audit rights. Institutional customers may request custom DPAs to align with their existing data governance frameworks.
Contact
For security inquiries, vulnerability reports, or to request our SOC 2 report, contact security@avpn.vip. PGP key available on our security documentation page.