Put your trust in Avallone

At Avallone, we are committed to security.

SOC 2 Type 2 and Type 1 Certified, Avallone safeguards our customers' and end users' data as if it were our own.

We make our data management practices transparent, so every user of our platform is comfortable and confident that their data is protected.

Download policies
avallone trust

Trust center

Learn more about Avallone’s approach to security. You can also review our privacy policy to understand how we protect personal information or find out more about our role in ensuring your compliance with GDPR.

Security overview

Knowing that we’ve been entrusted with confidential, valuable data and in light of GDPR, we’ve set high standards for security and our infrastructure team to protect your data.

We've attained our SOC 2 Type 2 and Type 1 certification - which has rigorous compliance requirements including audits - so our customers can be sure that sensitive information is always handled responsibly.

Regardless of where end-users are located, they can be assured that Avallone is are dedicated to user data privacy and meeting the legal obligations on how to treat EU citizens’ personal data.

Unless you provide the authorization, no company other than Avallone is allowed to access your information. Avallone has taken appropriate, industry best-practice measures to protect information from loss, misuse and unauthorized access, disclosure, alteration and destruction. In the event of any threats, we are prepared to swiftly detect and respond immediately.

Security highlights include :

  • Access Control (Multi-factor authentication and authorization)
  • Data Encryption at rest and in transit
  • ISO 27001 and SOC 1,2,3 accredited Data Centers
  • Continuous Network and Security Monitoring
  • Independent penetration testing twice yearly
  • Vulnerability Management
  • Incident Response and Recovery
  • Security and GDPR Awareness Training
  • Personnel screening
  • Code and infrastructure internal change management processes


All customer data is always and exclusively hosted in Avallone’s ISO 27001 certified hosting center within Amazon Web Services (AWS) which is SOC compliant (with SOC 1,2 and 3 certifications) and adheres to multiple other industry-specific security certifications and standards.

Specifically, our infrastructure with AWS is hosted in Frankfurt, Germany. This is designed to follow international security standards and regulations, while protecting confidentiality, data sovereignty, and data privacy regulations. This specific location has been chosen as it is both in the EU and as we view Germany as an exemplary leader in the implementation of privacy and GDPR.


Advanced encryption technology is always applied to help secure data. With 256‑bit TLS/SSL encryption and 2048‑bit RSA public keys, Avallone encrypts all data at rest and all network traffic.

Engineering practices

From our thorough recruitment process to our secure web application development training, Avallone aims to hire and retain a team of best-in-class engineers with demonstrated track records and superlative references. Our development team employs secure coding techniques and follows best practices.

Development, testing, and production environments are separated. All changes are peer reviewed and logged for performance, audit, and forensic purposes prior to deployment into the production environment.

Access to customer data is limited to only a few of our qualified engineers. With multiple restrictions in place to protect access to production servers, be assured that your data is safe.

Technology advancement : Vulnerability management and penetration tests

To maintain a state-of-the-art infrastructure, Avallone constantly and rigorously reviews and implements emerging technology. Continuous monitoring of our security infrastructure includes measures such as regular vulnerability testing by third party companies. Should any exposures be identified during penetration testing, our team swiftly remedies the issue according to severity.


As with other SaaS providers, the assistance of trusted third party sub-processors is needed in the maintenance of our business + commitments to our customers. We limit these sub-processors to the essential, and should you wish to have this list, please contact us.

Asset management

Avallone’s asset management policy includes identification, classification, retention and disposal of information and assets. Company-issued devices are equipped with full hard disk encryption and up-to-date antivirus software. Only company-issued devices are permitted to access corporate and production networks.

Incident management

Avallone’s security incident response process covers the initial response, investigation, customer notification (no less than as required by applicable law), public communication, and remediation.

Business continuity management

Backups are encrypted and stored within the production environment to preserve their confidentiality and integrity. Avallone employs a backup strategy to ensure minimum downtime and data loss.

Security-related inquiries

Have questions? Contact us if you’d like to report a security issue, at

Privacy policy

Avallone follows standard EU data protection agreement best practices. For more information, please refer to our Privacy Policy below.

It’s important to know that in reference to Anti-Money Laundering, different countries have different regulations regarding data retention periods and rules that go beyond GDPR.

GDPR overview

At Avallone, we don’t see GDPR as merely a legal obligation or just another compliance checkbox to tick. Our relationships with you - our customers - along with the trust you place in us, are all at the core of our business, and we never take that for granted. Avallone sees GDPR as an opportunity to demonstrate our commitment to protecting customer data and to support our customers in ensuring that they are GDPR compliant.

The General Data Protection Regulation (GDPR) took effect on May 25, 2018. It seeks to harmonize the approach to data protection matters across Europe by establishing a single set of pan-European rules. It replaced the Data Protection Directive which has been law across the European Union for the past 20 years. For the complete text within the GDPR, click here.

Avallone’s role

We’re deeply committed to you and the protection of your data. It’s in our DNA to hold the protection of our customers’ information and their users’ privacy as the utmost importance to us. Our data protection and privacy practices reflect our dedication to regulatory requirements.

When it comes to GDPR, Avallone is considered to be a processor for the data we collect from you, the controller. As a processor, Avallone ensures that any data - entrusted to us by data subjects within the European Union - will have:

  • Consent for its collection
  • The ability for management by the user (e.g. deletion)
  • Protection with necessary safeguards

Data retention

Avallone’s asset management policy includes identification, classification, retention and disposal of information and assets. Company-issued devices are equipped with full hard disk encryption and up-to-date antivirus software. Only company-issued devices are permitted to access corporate and production networks.

  • Company Vault: Users with the appropriate access and privilege rights for their role are able to add, change and remove data and files from an entity, an officer and / or questionnaire answer
  • Officer Vault: Officers are able to add, change and remove data and files from their own Vault
  • System settings and users: Super-users with the appropriate access and administration rights are able to add and delete users from the system. Associated activities are not deleted or removed from the system when users are deleted.

Employee GDPR training program

We pride ourselves on the education we provide our employees regarding GDPR and security. New employees are taken through a thorough training, and we regularly run workshops and programs at a cross-company level. Data is our business so we make sure our employees understand and adhere to the best practices around treatment of data.

GDPR-related inquiries

Have questions? Please contact us at if you have any questions about our GDPR compliance.