Sign in Run Free Scan
Security

Security at AIVZ.

The architecture and operational practice that protect customer data on the AIVZ platform. Honest about what's in place today and what's on the roadmap.

Last reviewed: May 2, 2026 Version 1.0
Request security overview PDF Contact security

How AIVZ is built.

AIVZ runs on managed cloud infrastructure with a containerized compute layer, a managed primary database, and CDN-fronted edges. Production architecture detail beyond the summary below is available under NDA in the security overview PDF.

Cloud provider
Major U.S.-based hyperscaler with multi-AZ deployment in the primary region.
Region
Primary in the United States. Enterprise tier supports alternate regional residency on request.
Compute
Containerized workloads orchestrated on the cloud provider's managed runtime.
Database
Managed primary with point-in-time backups, automated replication, and encryption at rest.
Network
VPC-isolated workloads. Public surface restricted to the application, scanner, and webhook endpoints behind a WAF.
CDN / edge
Global CDN for static assets and edge caching with TLS termination at the edge.

Encryption, retention, residency.

Encryption in transit

All connections to AIVZ services use TLS 1.2 or TLS 1.3. We don't accept connections over older protocols. Customer scan data, dashboard sessions, API requests, and webhook deliveries are all encrypted in transit.

Encryption at rest

Customer data stored in AIVZ databases is encrypted at rest using AES-256 via the cloud provider's managed key management service. Encryption keys are rotated on the provider's standard schedule.

Data retention

Retention is governed by category. The full schedule lives in the Privacy Policy retention section; the security-relevant summary:

Data classDefault retention
Scan resultsRolling 12 months while account is active; deleted on closure
Citation monitoring logsRolling 12 months
User account dataLife of account; 90 days post-closure
Audit logs13 months
Backups30-day rolling backup window

Retention policies for paid customers are governed by the Data Processing Agreement (DPA) where applicable.

Data residency

By default, customer data is stored in the United States. Enterprise tier customers can request alternative regional residency for compliance with regional data sovereignty requirements (EU, UK, APAC).

Data deletion

Customers can request deletion of all account data via account settings or by emailing security@aivz.app. Deletion completes within 30 days of request, including from active databases and backups (subject to backup-retention windows above).

Authentication, authorization, audit.

Customer authentication

  • Free / Pro tiers: Email + password, OAuth via Google.
  • Agency tier: Adds team-seat invitations and role-based access controls (RBAC) — Owner / Admin / Member / Read-only.
  • Enterprise tier: Adds SSO/SAML via the customer's identity provider (Okta, Azure AD, Google Workspace, OneLogin, etc.). Adds SCIM provisioning where supported.

Multi-factor authentication

  • All tiers: TOTP-based MFA available and recommended.
  • Agency tier: Admins can require MFA for all team members.
  • Enterprise tier: MFA enforced via SSO/SAML provider policy.

Internal access (AIVZ employees)

AIVZ employees access customer data only when necessary for support, debugging, or contractual obligations. Access is logged and audited, granted on a least-privilege basis, and revoked immediately on role change or termination.

Audit logs

Customer-facing audit logs (who did what, when, in your account) are available to all paid tiers. Log retention varies by tier — Pro retains 30 days, Agency retains 90 days, Enterprise retains per MSA (typically 12+ months).

Incident response, change management, monitoring.

Incident response

AIVZ maintains an incident response plan covering:

  • Detection — internal monitoring, customer reports, third-party disclosure
  • Triage and severity classification
  • Customer notification SLAs (see below)
  • Remediation and root cause analysis
  • Post-incident review and process improvement

Customer notification SLA for security incidents affecting customer data: 72 hours from confirmation of a breach for material incidents, in line with GDPR Article 33 for EU customers.

Change management

Production changes go through a change management process: code review required before merge, automated test suite executes against every change, staged rollout for material changes (canary, gradual rollout), and roll-back procedures for incident scenarios.

Monitoring and alerting

AIVZ runs continuous monitoring for service availability and performance, security-relevant events (auth failures, anomalous access, etc.), and subprocessor service health where exposed. Alerts route to an on-call rotation with business-hours coverage and escalation for high-severity events.

Where AIVZ stands today.

Compliance state mirrors the canonical state on the Trust Center — both pages update in lockstep.

ArtifactState
GDPRIn place
CCPAIn place
SOC 2 Type IIn progress
SOC 2 Type IIRoadmap
ISO 27001Roadmap
HIPAANot in scope
FedRAMPNot in scope
PCI-DSSNot in scope

See the Trust Center for full status and roadmap detail.

What you can configure.

Available across all paid tiers

  • TLS 1.2/1.3 connection floor
  • TOTP-based MFA
  • Customer-initiated data deletion
  • Account audit logs
  • Email notifications for material account events

Available on Agency tier

  • Role-based access controls (Owner / Admin / Member / Read-only)
  • Team-wide MFA enforcement
  • Per-team-member audit log access
  • White-label option that hides AIVZ infrastructure from client-facing portals

Available on Enterprise tier

  • SSO/SAML via customer identity provider
  • SCIM provisioning (where supported by IDP)
  • Custom data residency
  • Custom retention windows
  • Direct security contact / dedicated CSM
  • Subprocessor change advance notification (extended SLA)

Responsible disclosure.

If you've discovered a security vulnerability in AIVZ, we ask that you:

  1. Email security@aivz.app with a description, reproduction steps, and your assessment of severity.
  2. Don't disclose the vulnerability publicly until AIVZ has had a reasonable opportunity to investigate and address (typically 90 days, or sooner if a fix is shipped).
  3. Don't access, modify, or exfiltrate data beyond what's required to demonstrate the vulnerability.
  4. Confirm in your initial email whether you wish to be credited publicly when the issue is resolved.

We don't currently run a paid bug bounty, but we recognize and credit responsible-disclosure researchers in our security acknowledgements page when one ships.

Contact

Email: security@aivz.app
PGP key: Available on request
Response SLA: Acknowledgement within 1 business day; substantive response within 5 business days.

Questions?

Email security@aivz.app for security inquiries or legal@aivz.app for legal questions. The current subprocessor list lives at /subprocessors.

Trust · Security