DATA SECURITY

Honest about how we protect your data

We believe defense contractors deserve transparency about the platform they trust with their business data. Here is exactly what we do — and what we don't claim.

⚠️

Critical — what you must never store in AVERNORTH

AVERNORTH is designed for business operations data only — BOE estimates, invoice amounts, LCAT rates, and company certifications. It is not approved for classified or sensitive government information.

✕Classified information of any level — SECRET, TS, SCI

✕Controlled Unclassified Information (CUI) per your DD 254

✕ITAR-controlled technical data or export-controlled content

✕Personnel security files or clearance adjudication records

✕FOUO documents or contract-classified deliverables

✕Personally Identifiable Information beyond name and email

WHAT WE DO

Security measures in place today

🔒

Encryption

✓All data encrypted at rest

✓TLS encryption for all data in transit

✓Database-level encryption with key rotation

✓Encrypted backups in US-only regions

🇺🇸

US-Only Infrastructure

✓All data stored in US-region cloud infrastructure

✓Data never leaves the United States

✓US-region database hosting

✓No offshore data processing

🏢

Tenant Isolation

✓Every company workspace is fully isolated

✓No organization can see another's data

✓Row-level security enforced at database level

✓Each org's data filtered automatically on every query

👤

Access Control

✓Role-based access control per workspace

✓Multi-factor authentication available

✓Session tokens expire on inactivity

✓Owner, Admin, and Member role separation

WHERE WE HONESTLY STAND

Compliance roadmap

We will not claim certifications we have not earned. Below is an accurate picture of where we are and what we are working toward.

Data Encryption

Live

All data encrypted at rest and in transit. Active today for all customer data.

US-Only Hosting

Live

All customer data stored in US-region infrastructure only. Contractually committed.

Tenant Isolation

Live

Row-level security enforced. No org can access another's data under any circumstances.

SOC 2 Type II

Planned

SOC 2 Type II certification is on our roadmap. We have not yet engaged an auditor or begun the formal audit process.

NIST 800-171

Planned

Our infrastructure is designed with security best practices in mind. A formal NIST 800-171 self-assessment is planned as the platform matures.

FedRAMP

Roadmap

Long-term roadmap item for Enterprise customers. Not currently claimed or in progress.

QUESTIONS

Have security questions?

We welcome security questions from our customers. If you have questions about our infrastructure, data handling, or need documentation for your own compliance requirements — reach out directly.

support@avernorth.com