
Security

Last updated: February 2026

AES-256 Encryption | TLS 1.3 | GDPR Compliant | SOC 2 (In Progress) | Tenant Isolation

Overview

Security is foundational to everything we build at Auvano. We handle sensitive restaurant operations data, customer information, and financial transactions — and we treat that responsibility with the highest standard of care.

Our security programme is designed around the principles of defence in depth, least privilege access, and continuous monitoring.

Encryption Standards

Data at rest: All data stored in our databases and file systems is encrypted using AES-256, the same standard used by banks and government agencies.

Data in transit: All communications between your devices and our servers are encrypted using TLS 1.3, the latest and most secure transport layer protocol.

Call recordings: Phone call recordings are encrypted at rest and access is restricted to authorised personnel only. Recordings can be permanently deleted at your request.

Multi-tenant Isolation

Each restaurant on the Auvano platform operates in complete data isolation:

  • Every restaurant has its own isolated data partition — your data is never mixed with another restaurant's data.
  • Database queries are scoped to your tenant ID at every layer of the application.
  • Cross-tenant data access is architecturally impossible, not just restricted by policy.
  • Tenant isolation is verified through automated testing as part of our deployment pipeline.

Access Controls

  • Role-Based Access Control (RBAC) — Users are assigned roles (Owner, Manager, Staff) with different permission levels.
  • Authentication — Passwords are hashed using bcrypt with appropriate work factors. Session tokens are managed via JWT with short expiration times.
  • Internal access — Auvano employees access production systems only through secure, audited channels. Access is granted on a need-to-know basis and reviewed quarterly.
  • API security — All API endpoints require authentication. Rate limiting is enforced to prevent abuse.

Infrastructure

  • Hosting — Our application is hosted on Render and AWS, both SOC 2 Type II certified providers.
  • Database — Neon PostgreSQL with automated backups, point-in-time recovery, and encryption at rest.
  • CDN — Static assets are served through globally distributed CDN nodes with DDoS protection.
  • Monitoring — 24/7 infrastructure monitoring with automated alerts for anomalies, performance degradation, and security events.
  • Backups — Automated daily backups with 30-day retention. Backups are encrypted and stored in a geographically separate location.

Audit Logging

All significant actions within the platform are logged:

  • User authentication events (login, logout, failed attempts)
  • Data access and modification events
  • Administrative actions (role changes, configuration updates)
  • API access patterns
  • System-level events and error conditions

Audit logs are retained for a minimum of 12 months and are tamper-resistant.

Incident Response

We maintain a documented incident response plan that includes:

  • Detection — Automated monitoring and alerting for security events.
  • Assessment — Rapid triage and severity classification within 1 hour.
  • Notification — Affected customers are notified within 72 hours of a confirmed data breach, in compliance with GDPR requirements.
  • Remediation — Root cause analysis and corrective actions are implemented and documented.
  • Review — Post-incident review to improve our security posture.

Compliance

  • GDPR — Fully compliant. See our GDPR page for details.
  • SOC 2 Type II — Currently in progress. Expected completion Q3 2026.
  • Penetration Testing — Scheduled with a third-party security firm. Initial assessment planned for Q2 2026.
  • Vulnerability Scanning — Automated dependency and container scanning is part of our CI/CD pipeline.

Security Contact

To report a security vulnerability or for security-related enquiries:

Email: security@auvanoai.com

We take all security reports seriously and will respond within 24 hours. We appreciate responsible disclosure and will work with you to address any valid findings.

© 2026 Auvano Limited. London, UK. Auvano LLC, United States.