We're holding the phone. We take that seriously.
Every call Avenora answers is encrypted, retained per policy, and attributable in our audit log. Here's what that means in practice.
Encryption everywhere
TLS 1.3 for every call leg and every dashboard request. AES-256 at rest for transcripts, audio, and database tables. Keys rotated quarterly via a dedicated KMS.
TCPA-aware dialing
Every outbound number is scrubbed against the federal DNC + state DNC lists pre-dial. Calling hours validated against the prospect's local timezone. No exceptions, no override.
Recording retention by intent
Emergency calls (gas, CO, no-heat-in-winter) retained 4 years on Pro tiers, 7 years on Business. Non-emergency calls retained 30–365 days based on tier. Per-shop deletion on request.
Recording disclosure
Every call opens with a TCPA-compliant disclosure that recording is taking place and how to opt out. Disclosure language reviewed by an outside attorney quarterly.
Tenant-scoped access
Multi-tenant database with row-level security enforced at the Postgres layer. Customer dashboards cannot read another shop's data — even via misconfigured service tokens.
Audit logging
Every administrative action is timestamped and attributed. Founder-only access to production logs, with read-only audit replay available to customers on request.
Compliance posture
We publish the status of every framework we're working through — no aspirational badges.
- SOC 2 Type I: In progress · Q4 2026
- TCPA + state DNC: Live — pre-dial scrubbed
- PA wiretap consent: Live — all-party disclosure
- HIPAA posture: Adjacent — no PHI stored or processed
- Stripe PCI scope: SAQ A (hosted Checkout, no card data ever)
Report a vulnerability
If you find something — anything — write to security@avenora.ai with reproduction steps. We acknowledge within 24 hours, fix in accordance with the severity, and credit responsible researchers in the changelog.