Skip to main content
Back to home

Security, privacy, and compliance

Trust Center

Technical overview of Avosi security, privacy, Azure infrastructure, Supabase Row Level Security, access controls, incident response, and compliance roadmap.

Last updated: July 4, 2026

1. Scope

This Trust Center describes Avosi's current and planned security, privacy, infrastructure, access control, data protection, and compliance practices for the website, future mobile applications, APIs, support flows, databases, cloud services, and AI-related processing.

Statements about controls are intended to describe architecture and roadmap maturity. Avosi should not represent SOC 2 or ISO 27001 certification until independent audits and formal certification processes are completed.

2. Security and privacy coverage

  • Security by design and privacy by design principles for product development.
  • Data minimization for screenshots, messages, audio, identifiers, support records, and analytics data.
  • Vendor review for cloud, database, analytics, payments, support, communications, and AI providers.
  • Operational documentation for access management, incident response, retention, secure development, and vendor management.

3. Security highlights

  • HTTPS/TLS for public web traffic and supported service integrations.
  • Least-privilege access for administrative users, service accounts, and production systems.
  • Supabase Row Level Security (RLS) as a database-level control for restricting records by user, role, account, and operational context.
  • Logical separation between frontend, backend, database, storage, support tools, and external AI or infrastructure providers.
  • Security logging for troubleshooting, abuse prevention, audit evidence, and incident investigation, with data minimization where feasible.
  • Dependency review, secure development practices, and risk-based remediation of vulnerabilities.

4. Azure infrastructure and architecture

Avosi uses Azure as a reference architecture for cloud infrastructure, environment separation, identity governance, observability, networking controls, and operational hardening as the product matures.

Infrastructure should be configured to reduce broad privileges, isolate development and production contexts, centralize critical logs, and support rapid operational response without unnecessary exposure of personal information.

  • Separate development, staging, and production environments.
  • Managed services where appropriate to reduce operational risk.
  • Secrets management, environment variables, key rotation planning, and avoidance of credentials in source code.
  • Monitoring for availability, latency, errors, authentication events, anomalous usage, and security signals.

5. Database and Supabase Row Level Security

Avosi uses or plans to use Supabase/PostgreSQL with Row Level Security (RLS) to restrict read and write operations at the row level based on identity, role, account relationship, and authorized purpose.

RLS does not replace application-layer authorization, but it provides an additional barrier against unintended cross-user, cross-family, support, or administrative data exposure.

  • RLS policies for critical tables governing SELECT, INSERT, UPDATE, and DELETE operations.
  • Service-role keys restricted to controlled backend contexts and never exposed in frontend or mobile clients.
  • Versioned migrations, schema review, and permission review before production changes.
  • Backup, restore, and retention practices aligned with legal, operational, and security needs.

6. U.S. privacy rights and data governance

Avosi maintains privacy-request workflows for users who seek access, deletion, correction, portability, opt-out, or other choices where applicable U.S. state privacy laws provide those rights.

Applicability of specific state privacy laws, including CCPA/CPRA, should be confirmed by U.S. counsel based on data volume, revenue, data-sharing practices, and other legal thresholds.

7. Access control and identity

  • Role-based access control for administrative, support, engineering, operations, and service roles.
  • Multi-factor authentication for privileged accounts where supported by providers.
  • Periodic access reviews, removal of inactive accounts, and revocation after role changes.
  • Named accounts preferred over shared credentials to support auditability.
  • Scoped tokens, limited service credentials, and planned key rotation.

8. Incident response, resilience, and availability

  • Incident response process covering identification, containment, eradication, recovery, communication, and lessons learned.
  • Severity criteria for confidentiality, integrity, availability, fraud, abuse, and personal-information events.
  • Backup and restoration planning based on service criticality and data risk.
  • Notification workflows for users, partners, regulators, or authorities where legally required.

9. AI governance

Avosi uses AI as an educational support layer, not as a replacement for official support, professional advice, family judgment, or emergency services. Sensitive decisions should be verified through official channels.

AI-related governance includes data minimization, vendor review, prompt and response safety practices, user education, and ongoing review of retention, logging, and automated-processing risks.

10. SOC 2 and ISO 27001 roadmap

SOC 2 readiness is in progress, including control mapping, risk assessment, policy development, evidence collection, access review, vendor review, monitoring, and preparation for a future independent audit.

ISO 27001 readiness is in progress, including ISMS planning, asset inventory, risk assessment, risk treatment, governance documentation, incident management, supplier controls, and internal security awareness.

Avosi is not currently representing that it is SOC 2 certified or ISO 27001 certified. Certification claims should be made only after formal completion and verification.

11. Security and privacy contact

Security, privacy, and data-rights questions may be sent to privacidade@avosi.com.br. General support or business inquiries may be sent to contato@avosi.com.br.

Security reports should include a technical description, affected scope, reproduction steps when safe, and contact information for follow-up.