Data protection and compliance is vital for every business, but especially yours. At Avoma, we take every measure possible to ensure your compliance and data protection.
Data Center and Network Security
Avoma hosts all its software in Amazon Web Services (AWS) facilities in the USA. Amazon provides an extensive list of compliance and regulatory assurances, including SOC 1-3 and ISO 27001. See Amazon's compliance and security documents for more detailed information. 100% of Avoma's primary application servers are located within Avoma's own virtual private cloud (VPC), protected by restricted security groups allowing only the minimal required communication to and between the servers.
Web application architecture and implementation are built in Elixir/Erlang with the Phoenix framework and OWASP guidelines. Avoma conducts application penetration testing by a third party at least annually in addition to Avoma's continued internal testing and review program.
All connections to Avoma are encrypted using SSL, and any attempt to connect over HTTP is redirected to HTTPS. All customer data (including call recordings and transcripts) is encrypted at rest and in transit. We rely on AWS infrastructure to securely maintain our cryptographic encryption keys. We use industry-standard AWS-managed PostgreSQL RDS and ElasticSearch data storage systems hosted within AWS.
Avoma is committed to ensuring General Data Protection Regulation (GDPR) compliance with built-in, customizable controls to obtain unambiguous consent for all your calls and meetings. Avoma facilitates GDPR compliance with:
Notifications to help you gain consent to record meetings and calls
The control to access and request to delete data
Avoma provides enterprise-level security for customer data secured in our systems. Our current and future customers can be assured we manage their data with the highest standard of security and compliance. Our design, security and operations have been successfully evaluated and certified by an independent audit for SOC 2 Type II compliance. As we continue to work with mid-market and enterprise clients, we’re committed to share our compliance report as required.
Across the United States, European Union, and other regions, there are mandates on notifying and seeking consent before the meetings and calls are recorded. Some countries or states might require you to seek active consent from both parties, whereas in some other places one-party consent might suffice. As a compliance best practice, we recommend turning on the “Meeting Reminder to Participants + Recording Consent Disclaimer” notification especially for the external participants, regardless of their location.
Design of all new product functionality is reviewed for security impact, with Avoma conducting mandatory code reviews for all changes to the code. Avoma’s development and testing environments are separate from its production environment. All code development is done through a standard process.
Vulnerability Disclosure Process – Avoma considers privacy and security to be the core functions of our platform. Earning and keeping the trust of our customers is our top priority; therefore, we hold ourselves to the highest privacy and security standards. If you have discovered a security or privacy issue that you believe we should know about, we would be eager to hear from you.
Please reach out to us at firstname.lastname@example.org with questions. We have a policy of responding to security reports within 24 hours.