Built for firms handling sensitive client data

Every security capability is included in every plan — not sold as an add-on, not reserved for Enterprise. UK/EU data residency, GDPR-ready workflows, eIDAS e-signatures, 2FA, role-based access, and a full audit trail for every action.

Four Pillars of Trust
What procurement actually needs to see. Every item below is shipped in every plan — Free through Enterprise.
01

Data sovereignty

UK and EU data residency. Encrypted in transit and at rest. Soft-delete retention with configurable policies. Full export of your data at any time, in open formats.

02

Access & audit

TOTP 2FA with backup codes. Role-based access control with department scoping. Session timeouts and forced password resets. Comprehensive audit log for every change.

03

Compliance & legal

GDPR-ready DSAR, breach, DPIA and consent workflows. eIDAS-compliant e-signatures with signing order and secure tokens. Email compliance with unsubscribe and reputation monitoring.

04

Operational integrity

Webhook signature verification via Svix. PII hashing and secure token handling. Content snapshots on contract close — immutable record. Configurable backup and retention.
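The one control on this page that a customer has to implement on their own side is the webhook check: a receiver that does not verify the signature will accept any POST that reaches its endpoint. The following is an added example, written for this page; it is not Avaro's code and not the Svix SDK. It implements the signing scheme Svix documents (signed content is `svix-id.svix-timestamp.raw-body`, HMAC-SHA256, base64, a `whsec_` secret, a `svix-signature` header that may carry several space-separated `v1,<sig>` entries) and adds the two checks a receiver needs beyond the HMAC itself: a freshness window against replay, and a constant-time comparison. The secret, message id and payload are constructed for the demo.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Freshness window for the svix-timestamp header (replay defence). Five minutes
# is the tolerance the Svix SDKs use; tighten it if your clocks are reliable.
TOLERANCE_SECONDS = 5 * 60


def _secret_bytes(secret: str) -> bytes:
    """Strip the 'whsec_' prefix and decode the base64 key material."""
    if secret.startswith("whsec_"):
        secret = secret[len("whsec_"):]
    return base64.b64decode(secret)


def sign(secret: str, msg_id: str, timestamp: int, body: bytes) -> str:
    """Sender side: produce the svix-signature header value for a payload."""
    to_sign = f"{msg_id}.{timestamp}.".encode() + body
    mac = hmac.new(_secret_bytes(secret), to_sign, hashlib.sha256).digest()
    return "v1," + base64.b64encode(mac).decode()


def verify(secret: str, headers: dict, body: bytes, now: Optional[int] = None) -> bool:
    """Receiver side: True only if the body is authentic and fresh.

    Always verify over the raw request bytes, never over a re-serialised JSON
    object: any whitespace or key-order change invalidates the HMAC.
    """
    now = int(time.time()) if now is None else now
    try:
        msg_id = headers["svix-id"]
        ts = int(headers["svix-timestamp"])
        sig_header = headers["svix-signature"]
    except (KeyError, ValueError):
        return False  # missing or malformed headers: fail closed

    # Reject stale or future-dated messages before doing any crypto.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False

    expected = sign(secret, msg_id, ts, body).split(",", 1)[1]
    for entry in sig_header.split():
        version, _, candidate = entry.partition(",")
        if version != "v1":
            continue  # unknown scheme version: skip it, do not fail open
        if hmac.compare_digest(candidate, expected):  # constant-time compare
            return True
    return False


def demo() -> dict:
    """Constructed sample: a genuine delivery, then tampered, replayed and
    wrong-key variants. Nothing here is a real Avaro secret or message."""
    secret = "whsec_" + base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()
    body = b'{"event":"contract.closed","id":"ctr_123"}'
    now = 1_700_000_000
    headers = {
        "svix-id": "msg_abc123",
        "svix-timestamp": str(now),
        "svix-signature": sign(secret, "msg_abc123", now, body),
    }
    other_secret = "whsec_" + base64.b64encode(b"x" * 32).decode()
    return {
        "genuine": verify(secret, headers, body, now=now),
        "tampered": verify(secret, headers, body.replace(b"ctr_123", b"ctr_999"), now=now),
        "replayed": verify(secret, headers, body, now=now + TOLERANCE_SECONDS + 1),
        "wrong_secret": verify(other_secret, headers, body, now=now),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>12}: {'accepted' if ok else 'rejected'}")
```

In production use the official Svix SDK (`Webhook(secret).verify(payload, headers)` in the Python package), which implements the same scheme; the point of spelling it out is to show what the check must cover, in particular that the raw body, not a parsed object, is what gets authenticated, and that a valid signature on an old timestamp is still a replay.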

Your data stays where it belongs
How Avaro handles client data at every layer — from network to storage to deletion.
Encryption in Transit
TLS 1.2+ on every connection. HTTPS enforced. Secure tokens for all API and webhook traffic.
Encryption at Rest
Customer data encrypted at rest. PII hashing where appropriate. Sensitive fields protected both in transit and at rest.
Data Portability
Full export at any time in open formats (CSV, JSON). No export fee. No lock-in. Your data is yours.
Retention & Deletion
Configurable retention policies. Soft-delete with audit trail. Hard-delete on a verified erasure request (GDPR Article 17; distinct from a DSAR, which is a request for access).
Backup & Recovery
Automated backups with point-in-time recovery. Disaster recovery procedures documented internally.
Who can do what, and who did what
Permission controls and activity logging that withstand a security review.
2FA

Two-Factor Authentication

TOTP with QR-code enrolment, one-time backup codes, and account lockout after repeated failed codes. 2FA can be enforced organisation-wide. Session timeouts and forced password resets are covered under Session Management below.

RBAC

Role-Based Access Control

Permission matrix with department scoping and per-role overrides. Data visibility is scoped by department membership. Guest access for external users with limited permissions.

Audit

Comprehensive Audit Log

Every create, update, and delete logged with user, timestamp, and change detail. Configurable retention. Searchable and exportable for compliance reviews.

Sessions

Session Management

Configurable session timeouts. Forced password resets when required. Admins can terminate individual sessions. Login attempts throttled to prevent brute force.

Procurement-ready from day one
The legal and compliance workflows mid-market firms actually need.
GDPR Suite
DSAR handling, breach tracking with notifications, DPIA workflow, and consent management with audit trail.
eIDAS E-Signatures
Multi-signatory workflows with signing order, secure tokens, and tamper-evident signing ceremony records.
Breach Incident Tracking
Log, assign, and notify on data-breach incidents. Built-in workflow for the 72-hour supervisory-authority notification deadline under GDPR Article 33.
Consent Management
Marketing consent tracking with unsubscribe tokens. Every change in consent status is recorded in the audit log.
Email Compliance
Unsubscribe management. Reputation monitoring with bounce/complaint tracking. Automatic sending pause on poor reputation.
Terms & Versioning
Version management for terms of service with publishing, acceptance tracking, and historical snapshots per user.
What procurement actually asks
Where is our data stored?

Customer data is hosted in UK and EU regions. For UK and EU firms this keeps data within jurisdictions covered by mutual adequacy decisions, so no additional transfer mechanism such as Standard Contractual Clauses is needed. The specific hosting region can be confirmed during a security review.

Is Avaro One GDPR compliant?

Yes. Avaro ships a GDPR suite covering data-subject access requests (DSAR), breach tracking with notification workflows, DPIA templates, and consent management. Every change is recorded in the audit log.

Are your e-signatures legally binding?

Yes. Native e-signatures follow eIDAS, with multi-signatory support, signing order enforcement, secure tokens, and a tamper-evident audit trail. eIDAS recognises three signature levels (simple, advanced, qualified); confirm during the security review which level your document types require. No external DocuSign or PandaDoc is required.

Can we enforce 2FA for our whole team?

Yes. TOTP-based 2FA with backup codes can be enforced organisation-wide. Sessions time out to a configurable policy, and admins can force password resets when required.

How granular are the access controls?

Role-based access control with a permission matrix, department scoping (records are scoped to the user’s department unless granted wider access), and a separate guest-access model for external users (the client portal).

Can we get our data out if we decide to leave?

Yes. Full data export at any time in open formats (CSV, JSON). No export fee. No retention lock-in. Portability is included in every plan and is not sold separately.

Do you provide a DPA and security documentation?

Yes. Data Processing Agreement, security overview, and sub-processor list are available on request. Enterprise customers receive bespoke documentation as part of onboarding.

Need to run a security review?

Talk to our team about your specific requirements. We’ll walk you through controls, provide documentation, and answer procurement questions directly.