Security & Trust

Open by design. Below is the architecture, the controls in place today, and the certifications we’re building toward — with dates.
Built with security at every layer

Data Encryption

All data encrypted at rest (D1) and in transit (TLS 1.3). API keys stored as hashed secrets.

Access Control

JWT-based authentication with short-lived tokens. Role-based access control for multi-tenant isolation.

Audit Logging

All API access and administrative actions logged. Tamper-resistant audit trail for compliance.

Edge-native, zero-trust architecture

Edge Compute Workers

Edge-native, no traditional servers to compromise. Zero cold starts, global distribution.

D1 Database

SQLite-based, encrypted at rest, automatic backups.

KV Cache

Encrypted, distributed, automatic TTL-based expiry.

No customer data leaves our processing network.

Standards we operate to today

Three frameworks shape our day-to-day controls right now. SOC 2 audits are scheduled and we’ll publish the report when we have it — we don’t want to overstate where we are.

PIPEDA (in place, operating today)
Personal Information Protection and Electronic Documents Act — Canadian privacy law that governs how we collect, use, and disclose personal information.

GDPR-aligned processing (in place, operating today)
Lawful-basis, data-minimization, and subject-rights handling aligned with EU General Data Protection Regulation requirements. EU sub-processor list available on request.

WCAG 2.1 Level AA (in place, operating today)
Accessibility target across public-facing pages and the authenticated dashboard. Audit findings get tracked the same way as security findings.

SOC 2 Type I (scheduled, Q3 2026)
Initial third-party assessment of security controls design and implementation. Engagement letter in place.

SOC 2 Type II (scheduled, Q1 2027)
Full certification demonstrating operational effectiveness across the audit window. Report available under NDA on completion.

We welcome security researchers

We believe that working with skilled security researchers is essential to keeping our platform and users safe. If you discover a vulnerability in Averrow, we encourage you to report it responsibly. We are committed to investigating all legitimate reports and resolving issues as quickly as possible.

We provide a safe harbor for good-faith security researchers. We will not pursue legal action against individuals who discover and report vulnerabilities responsibly, provided they make a good-faith effort to avoid privacy violations, data destruction, and service disruption.

Response time: within 48 hours

Reporting brand abuse rather than a vulnerability? Forward phishing emails or report impersonation, lookalike domains, and counterfeits at averrow.com/report-abuse.

What we collect and what we don't

What data we collect

  • Domain names
  • Email security records (public DNS)
  • Social platform public profiles
  • Threat feed matches

What we DON'T collect

  • Email content
  • Credentials
  • Internal network data
  • Customer PII beyond account info

Retention

  • Active account data retained during subscription
  • Scan results cached 24 hours
  • Account deletion within 30 days of request