00 SECURITY · COMPLIANCE ONE-PAGER
Security, enforced — not promised.
For procurement, IT security, and CISO review. One page, print-friendly. Isolation in the database. AI under human control. Deeper detail at /trust. Last reviewed 2026-06-26.
01 DATA RESIDENCY
Where your data lives
Primary region
Canada (ca-central-1).
Backup region
Same region. Multi-region available on enterprise contracts.
AI inference
Runs against a US-region provider on a sanitised payload only — no personal data, no narrative text. EU-only inference configurable per-tenant if a regulator requires it.
No training on your data
Operator data is never used to train AI models.
02 TENANT ISOLATION
Enforced by the database
A single app bug cannot expose another operator’s data.
Database-enforced
Isolation is enforced at the database, not trusted to application code. Row-level security is load-bearing in production across 119 org-scoped tables — a missing org filter returns zero rows at the database edge, not the wrong operator’s data.
Layer 1 — Application
Every server-side endpoint filters records by the calling operator’s org. Enforced by middleware on every request.
Layer 2 — Database isolation
The database itself refuses cross-tenant reads on every tenant-scoped table — even if a query forgets the org filter.
Layer 3 — Public surface denied
External-facing roles cannot read any tenant data. The path is closed at the database role level, not just the application.
Layer 4 — Per-org workers
Background workers wrap every operation in a per-org context, so even cross-tenant aggregations cannot read across operators.
Layer 5 — CI-gated
A CI gate blocks any new server endpoint that lacks the org filter. Every endpoint and worker is audit-tested before deploy.
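The database-side half of this layering, as an added example rather than eAviora's own schema: a PostgreSQL row-level-security policy keyed on a per-request session setting, showing that a query which forgot its org filter still returns only the bound org's rows, and a session with no org bound returns nothing. Table, role and setting names (app.org_id) are assumptions.

```sql
-- Added example, not eAviora's schema: PostgreSQL row-level security on an
-- org-scoped table. Table, role and setting names (app.org_id) are hypothetical.
-- Run as the table owner, a non-superuser role.
CREATE TABLE safety_reports (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    summary text NOT NULL
);

-- Constructed data for two tenants, loaded before RLS is switched on.
INSERT INTO safety_reports (org_id, summary) VALUES
  ('11111111-1111-1111-1111-111111111111', 'Bird strike on departure'),
  ('22222222-2222-2222-2222-222222222222', 'Runway incursion, taxiway B');

-- Layer 2: the table itself refuses cross-tenant reads. FORCE applies the
-- policy to the table owner too, so app-layer filtering is not the last line.
ALTER TABLE safety_reports ENABLE ROW LEVEL SECURITY;
ALTER TABLE safety_reports FORCE ROW LEVEL SECURITY;

-- A row is visible only when its org_id equals the org bound to this session.
-- With no org bound, current_setting(..., true) yields NULL or '' instead of
-- raising, the comparison evaluates to NULL, and RLS treats NULL as "not
-- permitted": zero rows come back, not another operator's data.
CREATE POLICY org_isolation ON safety_reports
    USING      (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid);

-- Layer 3: only the backend role is granted access. The public-facing role is
-- never granted anything on tenant tables, so that path is closed at the role
-- level regardless of any policy.
CREATE ROLE app_backend NOLOGIN;
CREATE ROLE public_surface NOLOGIN;
GRANT SELECT, INSERT, UPDATE ON safety_reports TO app_backend;

-- Layers 1 and 4: each request or worker binds the caller's org for the
-- transaction (set_config with is_local = true is cleared again at COMMIT).
BEGIN;
SELECT set_config('app.org_id', '11111111-1111-1111-1111-111111111111', true);
-- This query forgot its WHERE org_id = ... filter; the policy still limits it
-- to tenant 1's single row.
SELECT id, summary FROM safety_reports;
COMMIT;

-- A session that never bound an org sees nothing: the database fails closed.
SELECT id, summary FROM safety_reports;
```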
03 ENCRYPTION
At rest + in transit
In transit
TLS 1.3 only. HSTS enforced. Modern cipher suites only.
At rest
AES-256-GCM. All databases, all backups.
Customer-managed keys (BYOK)
Available for Tier-1 contracts.
Confidential reports
Reporter identity is dropped at intake (null-at-write) — never stored, encrypted or otherwise. Stricter than encryption.
04 AI GOVERNANCE
AI proposes, humans approve
Humans hold governance
Workflow and sign-off state cannot be set by an AI model or the API. Governance state is human-only — a machine can suggest, never decide.
One-click approval
Every AI write surfaces as a human approval card — accept, modify or reject — and the decision is logged.
Confidence-gated
Low-confidence or out-of-catalog AI output is queued for a human. Nothing is silently written.
Confidentiality through the AI
ICAO Annex-19 confidentiality is enforced inside the AI assistant — confidential reports stay invisible to uncleared analysts, even through the copilot.
No training, sanitised input
Inference runs on a sanitised payload only. Operator data is never used to train AI models.
05 CONFIDENTIALITY
Annex-19 sensitivity, enforced
Three tiers
Every record carries an ICAO Annex-19 sensitivity tier — protected, restricted or confidential — with role allowlists and explicit, per-user clearance grants.
Enforced everywhere
Sensitivity is enforced across the personal work queue, notifications, partnership data-sharing scope and the AI assistant — uniformly, not screen by screen.
Fail closed
Without a clearance grant, the record is invisible — no row, no notification, no AI answer. Access defaults to denied.
Just culture preserved
Reporter identity is dropped at intake, so the confidential tier protects the person, not just the document.
06 AUTHENTICATION
Federation + account security
SAML 2.0
Per-org enterprise SSO. JIT user provisioning. SAML-attribute role mapping. SP metadata endpoint.
SCIM 2.0
User provisioning + de-provisioning. Bearer-token auth (hashed; token shown once on create).
OAuth sign-in
Google, Microsoft and Okta, configured per org. An SSO-required setting disables password sign-in for the org.
Passkeys + MFA
WebAuthn passkeys (Touch ID / Windows Hello / security key) — phishing-resistant. TOTP multi-factor with step-up on sensitive actions. Admin-initiated MFA reset.
Session controls
Sign-in history (last 20), active-session listing and sign-out-everywhere.
API keys
Bearer-token auth with per-key scopes (records / actions / audit / webhooks), last-used tracking and audit logging by key. Available on enterprise plans.
07 API & INTEGRATIONS
Open by design, governed by default
Every machine call runs the same checks as a user — governance state stays human-only.
REST API v1
Versioned public API with an OpenAPI 3.1 contract generated from the live runtime. Per-key scopes; every call rate-limited, tenant-isolated and audit-logged.
OAuth 2.1 connector
Standards-based connector for AI assistants — dynamic client registration (RFC 7591), mandatory PKCE (S256), single-use authorization codes, short-lived (1h) access and 30-day rotating refresh, with scoped, per-tenant consent.
MCP server
A Model Context Protocol server — the protocol AI assistants use to call your tools — runs the same authorization, isolation and audit path as the UI. Bearer-authenticated and stateless.
Outbound webhooks
Signed with HMAC-SHA256 so receivers can verify origin and integrity; delivery targets are SSRF-hardened (internal addresses rejected); signing secrets can be rotated and are shown once.
08 AUDIT POSTURE
Logged in the same step
What's logged
Every record, workflow and admin change — action, entity, before/after, actor, IP, request id and API key id.
Cannot be bypassed
The audit row commits in the same database step as the change itself — not a separate, skippable insert. The log and the change succeed or fail together.
Retention
7 years minimum for safety records (ICAO Annex 13); records are retained, never auto-purged.
Searchable + exportable
Searchable in-tenant by entity, actor, date and action. Export to JSON or CSV.
Tamper-evident
Append-only — no update or delete ever touches the audit log. Enforced by a CI gate.
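Added example, not eAviora's code, of the same-step audit write described above: an AFTER trigger inserts the before/after row inside the transaction that makes the change, and the application role is granted no UPDATE, DELETE or TRUNCATE on the log. Table, role and setting names (app.actor_id, app.request_id) are assumptions.

```sql
-- Added example, not eAviora's code: a trigger writes the audit row in the same
-- transaction as the change, so both commit or roll back together. Table, role
-- and setting names (app.actor_id, app.request_id) are hypothetical.
CREATE TABLE investigations (id bigserial PRIMARY KEY, org_id uuid NOT NULL,
                             stage text NOT NULL);
CREATE TABLE audit_log (
    id         bigserial PRIMARY KEY,
    at         timestamptz NOT NULL DEFAULT now(),
    org_id     uuid,
    action     text NOT NULL,   -- INSERT / UPDATE / DELETE
    entity     text NOT NULL,   -- table name
    entity_id  text NOT NULL,
    actor_id   text,
    request_id text,
    before     jsonb,           -- NULL on INSERT
    after      jsonb            -- NULL on DELETE
);
CREATE OR REPLACE FUNCTION audit_row() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    INSERT INTO audit_log (org_id, action, entity, entity_id, actor_id,
                           request_id, before, after)
    VALUES (CASE WHEN TG_OP = 'DELETE' THEN OLD.org_id ELSE NEW.org_id END,
            TG_OP, TG_TABLE_NAME,
            (CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END)::text,
            NULLIF(current_setting('app.actor_id', true), ''),
            NULLIF(current_setting('app.request_id', true), ''),
            CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
            CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END);
    RETURN NULL;  -- AFTER trigger: the return value is ignored
END $$;
CREATE TRIGGER investigations_audit
    AFTER INSERT OR UPDATE OR DELETE ON investigations
    FOR EACH ROW EXECUTE FUNCTION audit_row();

-- Append-only: the backend role can read the log and insert (via the trigger),
-- but is never granted UPDATE, DELETE or TRUNCATE on it.
CREATE ROLE app_backend NOLOGIN;
GRANT SELECT, INSERT ON audit_log TO app_backend;
GRANT SELECT, INSERT, UPDATE, DELETE ON investigations TO app_backend;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO app_backend;

-- One request: bind actor and request id, then change the record. The UPDATE
-- and its audit row are one atomic commit; if either fails, neither persists.
BEGIN;
SELECT set_config('app.actor_id', 'user-42', true),
       set_config('app.request_id', 'req-7f3a', true);
INSERT INTO investigations (org_id, stage) VALUES ('11111111-1111-1111-1111-111111111111', 'notification');
UPDATE investigations SET stage = 'final_report' WHERE id = 1;
COMMIT;
```

The trigger runs with the caller's privileges, so the backend role needs INSERT on audit_log but nothing more; the CI gate mentioned above is what keeps a later migration from adding those rights back.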
09 DATA PORTABILITY
Your data, on demand
Bulk export
Asynchronous export to JSON, CSV, Parquet or PDF, delivered as a 7-day signed download link.
Streaming export
Line-delimited JSON (NDJSON) streaming for large datasets.
Import
Mapped CSV import (up to 50MB, processed in chunks) — no proprietary format required.
Privacy requests
GDPR data-subject-request flow, a DPA template and a public sub-processor list.
Retention control
Configurable retention for operational history (AI runs, sessions, notifications, webhooks); safety records retained.
10 REGULATOR ALIGNMENT
Compliance posture
ICAO Annex 13
24h notification + final-report deadlines auto-tracked. Investigation phases mapped to workflow stages.
EU 376/2014
72h preliminary + 30d final-report deadlines auto-tracked. Just-culture decision flow built-in.
ICAO Annex 19
SMS module aligned — hazards, safety performance indicators, risk matrix, just culture, safety culture.
14 CFR Part 5 / AC 120-92
FAA SMS framework. NTSB Form 6120 export.
CAR 107 / TC AC 107-001
Transport Canada SMS. TSB notification workflow.
EU GDPR
Data-subject-request flow. DPA template available. Sub-processor list public.
Regulator export envelopes
ADREP / E5X / SDR export envelopes are JSON today; an XML serialization is on the roadmap.
11 CERTIFICATIONS
Where we stand today
SOC 2 Type I
Observation in progress (started Q2 2026).
SOC 2 Type II
6+ months observation post-Type I. Targeting Q4 2026.
ISO 27001
Available on request for EU customers.
Pen test
Annual independent third-party penetration test. Summary attestation available under NDA; the testing firm is identified to enterprise customers under MNDA.
12 SUB-PROCESSORS
Categories in the processing chain
Database
Tenant data, audit log and AI execution log. Single-region, encrypted at rest.
Hosting & edge
Application + static assets served from a global edge with automatic SSL.
AI provider
Calibrated AI agents for classification, risk, bow-tie and precursor detection. Operator data is never used to train models.
Background processing
Durable workers for notifications, retention, scheduled reports and webhook delivery.
Email delivery
Transactional email for notifications, magic-links and digests.
Identity & storage
Sessions, file uploads, and OAuth / SAML callback for enterprise identity providers.
Security monitoring
Error tracking and observability. Stack traces only — operator records are never sent.
Payments
Subscription billing on enterprise plans (handled by an external processor; eAviora never stores card data).
DNS & DDoS protection
Authoritative DNS, DDoS mitigation and TLS at the edge.
Vendor names + DPAs
Full sub-processor list with vendor names and DPA links is published in our Privacy Policy 12 and Terms 09 — the legal homes for processor disclosure.
TRUST CENTER
Deeper reference (~10 min read)
Per-section detail with live examples + CI gate references.
VULNERABILITY DISCLOSURE
security@eaviora.com
24h ack · 7d fix for Critical/High · we credit you in the advisory.