eAviora security
at a glance.

Canada (ca-central-1).

Same region. Multi-region available on enterprise contracts.

All customer records are single-region. AI inference runs against a US-region provider on a sanitised payload only (no PII, no narrative text). EU-only inference configurable per-tenant if a regulator requires it.

TLS 1.3 only. HSTS enforced. Modern cipher suites only.

AES-256-GCM. All databases, all backups.

Available for Tier-1 contracts.

Confidential reports use null-at-write strategy — reporter identity dropped at intake, not stored encrypted. Stricter than encryption.

Every server-side endpoint filters records by the calling operator's org ID. Enforced by middleware on every request.

Row-level security is enabled and forced on every tenant-scoped table. The database itself refuses cross-tenant reads.

External-facing roles cannot read any tenant data. The path is closed at the database role level, not just the application.

Background workers wrap every cross-tenant operation in a per-org context so even cross-tenant aggregations cannot read across operators.

A CI gate blocks any new server endpoint that lacks the org filter. Every endpoint and worker is audit-tested before deploy.

Per-org enterprise SSO. JIT user provisioning. SAML-attribute role mapping. SP metadata endpoint.

User provisioning + de-provisioning. Bearer-token auth (sha-256 hashed; token shown ONCE on create).

Per-user. Configurable per org.

Default. Disable per-org with sso.required = true.

Bearer-token auth for the integration surface. Per-key scopes (records / actions / audit / webhooks), last-used tracking and audit-logged with key ID. Available on enterprise plans.

Every record + workflow + admin mutation. action, entity, before/after snapshot, actor, IP, request_id, api_key_id (if bearer auth).

7 years default for tenant-scoped records (per ICAO Annex 13 5). Configurable per record type.

/settings/audit-log for in-tenant. Filter by entity type, actor, date, action.

JSON or CSV via /api/trpc/auditLog.exportCsv. Bearer-token authenticated.

Append-only. No UPDATE / DELETE statements anywhere in the codebase touch audit_log. CI gate enforces.

24h notification + final report deadlines auto-tracked. Investigation phases mapped to workflow stages.

72h preliminary + 30d final report deadlines auto-tracked. Just Culture decision flow built-in.

SMS module aligned (hazards, SPIs, risk matrix, just culture, safety culture).

FAA SMS framework. NTSB Form 6120 export.

Transport Canada SMS. TSB notification workflow.

DSR (data subject request) flow. DPA template available. Sub-processor list public.

Observation in progress (started Q2 2026).

6+ months observation post-Type I. Targeting Q4 2026.

Available on request for EU customers.

Annual independent third-party penetration test. Summary attestation available under NDA; the testing firm is identified to enterprise customers under MNDA.

Tenant data, audit log and AI execution log. Single-region, encrypted at rest.

Application + static assets served from a global edge with automatic SSL.

Calibrated AI agents for classification, risk, bowtie and precursor detection. Operator data is never used to train models.

Durable workers for notifications, retention, scheduled reports and webhook delivery.

Transactional email for notifications, magic-links and digests.

Sessions, file uploads, OAuth and SAML callback for enterprise identity providers.

Error tracking and observability. Stack traces only — operator records are never sent.

Subscription billing on enterprise plans (handled by an external processor; eAviora never stores card data).

Authoritative DNS, DDoS mitigation and TLS at the edge.

Full sub-processor list with vendor names and DPA links is published in our Privacy Policy 09 and Terms 09 — the legal homes for processor disclosure.