Security at Avery

Last updated: January 2026

Protecting your data is fundamental to everything we do. At Avery, we understand that property managers handle sensitive information about properties, tenants, and business operations. We have built our platform with security as a core principle.

Infrastructure Security

Avery runs on enterprise-grade cloud infrastructure with built-in security controls:

  • Managed infrastructure - We use leading cloud providers with automatic security patching and hardened configurations
  • Network isolation - Internal services are protected by private networks and are not directly exposed to the internet
  • High availability - Data is replicated across multiple locations for reliability and disaster recovery
  • DDoS protection - Built-in protection against distributed denial-of-service attacks

Data Encryption

Your data is encrypted both in transit and at rest:

  • In transit - All connections are encrypted using modern TLS protocols. We enforce HTTPS across all endpoints
  • At rest - All stored data, including databases and files, is encrypted using industry-standard encryption
  • Backups - Backups are encrypted and stored separately for disaster recovery

Authentication and Access Control

We implement multiple layers of authentication and access control to protect your account:

  • Secure authentication - Passwords are securely hashed and never stored in plaintext
  • Session management - Sessions are securely managed with automatic expiration and the ability to revoke active sessions
  • Role-based access control - Team members can be assigned specific roles that limit their access to sensitive operations
  • Organization isolation - Data is strictly separated between organizations with no cross-tenant access possible

Application Security

Our development practices prioritize security at every stage:

  • Secure development lifecycle - Code reviews are required for all changes, with security considerations as part of the review process
  • Vulnerability management - We actively monitor and address known vulnerabilities in our software
  • Input validation - All user inputs are validated and sanitized to prevent common attacks
  • API security - APIs are authenticated and rate-limited to prevent abuse

Third-Party Services

We carefully vet and monitor all third-party services we work with:

  • All third-party integrations use secure, authenticated connections
  • We follow the principle of least privilege when configuring access to external services
  • Payment data is handled exclusively by PCI-compliant processors - we never store credit card numbers directly

Monitoring and Incident Response

We maintain continuous monitoring and have established procedures for incident response:

  • 24/7 monitoring - Application and infrastructure are continuously monitored with automated alerting
  • Audit logging - Security-relevant actions are logged and retained for investigation when needed
  • Incident response - We have documented procedures for responding to security incidents, including notification protocols

Compliance

We are committed to meeting industry security standards:

  • We are actively working toward SOC 2 Type II certification
  • Our practices align with CCPA requirements for California residents

For enterprise customers requiring specific compliance documentation, please contact our security team to discuss your requirements.

Responsible Disclosure

We value the security research community and welcome responsible disclosure of any vulnerabilities you may find. If you discover a security issue, please email us at security@avery-hq.com. We commit to:

  • Acknowledging your report within 48 hours
  • Providing regular updates on our progress
  • Not taking legal action against good-faith security research
  • Crediting you (if desired) when the issue is resolved

Contact Us

Have questions about our security practices?