Your security and compliance are our top priority

Data protection and compliance are vital for every business, but especially yours. At Avoma, we take every measure possible to ensure your compliance and data protection.

Data Center and Network Security

Avoma hosts all its software in Amazon Web Services (AWS) facilities in the USA. Amazon provides an extensive list of compliance and regulatory assurances, including SOC 1-3 and ISO 27001. See Amazon's compliance and security documents for more detailed information. 100% of Avoma's primary application servers are located within Avoma's own virtual private cloud (VPC), protected by restricted security groups allowing only the minimal required communication to and between the servers.

Application Security

The web application is built in Elixir/Erlang with the Phoenix framework, and its architecture and implementation follow OWASP guidelines. Avoma conducts application penetration testing by a third party at least annually in addition to Avoma's continued internal testing and review program.

Data Security

All connections to Avoma are encrypted using SSL, and any attempt to connect over HTTP is redirected to HTTPS. All customer data (including call recordings and transcripts) is encrypted at rest and in transit. We rely on AWS infrastructure to securely maintain our cryptographic encryption keys. We use industry-standard AWS-managed PostgreSQL RDS and ElasticSearch data storage systems hosted within AWS.

General Data Protection Regulation (GDPR)

Avoma has implemented measures designed to facilitate GDPR compliance. For instance, GDPR requires you to justify the need to record the call or meeting and obtain unambiguous consent from all parties before recording any conversation. Avoma facilitates GDPR compliance with:
  • Email notifications to help you gain consent to record meetings and calls
  • Full rights to access data and to request its deletion
  • A clear privacy policy on why and how we collect data, and what we do with it.

SOC 2 Compliance

Avoma continues to hold high standards for security, process integrity, and confidentiality. We are audited and validated for compliance with the SOC 2 Type I standards. Avoma is currently in the observation period for SOC 2 Type II to offer higher levels of security to its increasing roster of bigger mid-market and enterprise clients.

Consent Compliance

Across the United States, European Union, and other regions, there are mandates on notifying participants and seeking consent before meetings and calls are recorded. Some countries or states might require you to seek active consent from both parties, whereas in other places one-party consent might suffice. As a compliance best practice, we recommend turning on the “Meeting Reminder to Participants + Recording Consent Disclaimer” notification, especially for external participants, regardless of their location.

Security and Development Practices

  • Design of all new product functionality is reviewed for security impact, with Avoma conducting mandatory code reviews for all changes to the code. Avoma’s development and testing environments are separate from its production environment. All code development is done through a standard process. 
  • Vulnerability Disclosure Process – Avoma considers privacy and security to be the core functions of our platform. Earning and keeping the trust of our customers is our top priority; therefore, we hold ourselves to the highest privacy and security standards. If you have discovered a security or privacy issue that you believe we should know about, we would be eager to hear from you. 

Please reach out to us at security@avoma.com with questions. We have a policy of responding to security reports within 24 hours.