Security at Avaamo

Avaamo combines enterprise-grade security features with rigorous compliance to industry standards to ensure your data is always protected.

Avaamo’s compliance certifications and regulations



Service Organization Controls

Download the report


SOC2(Type Ⅱ)

Trust Services Principles



Cloud Security Alliance


ISO/IEC 27001

Information Security Management System (ISMS)


NIST 800-171

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations



Avaamo is HIPAA (Health Insurance Portability and Accountability Act) compliant



California Consumer Privacy Act



Canada’s Anti-Spam Legislation



Controlling the Assault of Non-Solicited Pornography And Marketing

Avaamo and the EU General Data Protection Regulation (GDPR)

Avaamo is committed to complying with requirements imposed by the General Data Protection Regulation (GDPR), which took effect on 25 May 2018.


To learn more about our GDPR compliance, please read our GDPR policy.

Avaamo’s Security Features

1 data in transist@2x

Encryption – Data in transit

All data transmitted between Avaamo agents and the Avaamo conversational AI platform is done so using strong encryption protocols. Avaamo supports the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS 1.2 protocols, AES256 encryption, and SHA2 signatures.

2 data at rest@2x

Encryption – Data at rest

Avaamo’s production data at rest is encrypted using FIPS 140-2 compliant encryption standards. This applies to all types of data at rest accessed by the production systems including relational databases, file stores, database backups, etc.

3 authentication@2x

Multi-factor Authentication

To detect and prevent unauthorized access, Avaamo employs multi-factor authentication on all systems, including the development and staging systems. Avaamo also provides customers multiple Single Sign-On (SSO) options including SAML 2.0 providers.

4 pentrate@2x

Penetration Testing

Avaamo engages independent security firms to conduct application-level and infrastructure-level penetration tests at least once a year. Results of these tests are triaged, prioritized, and remediated in a timely manner by senior management. Customers can request the most recent reports from their account executive.

5 customer penetrate test@2x

Customer Driven Audits and Penetration Tests

Many Avaamo customers also run security control assessment and/or penetration testing on the Avaamo system.


New or existing customers are welcome to perform security control assessment or penetration testing on Avaamo’s system. Please contact to schedule a test.

6 compilance audit@2x

Information Security Compliance Audits

Avaamo is continuously monitoring, auditing, and improving the design and operating effectiveness of our security controls. These activities are regularly performed by both third-party credentialed assessors and Avaamo’s internal risk and compliance team. Audit results are shared with senior management and all findings are tracked to resolution in a timely manner.

7 network isolation@2x

Network Isolation and Security

Avaamo divides its systems into separate networks to better protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Avaamo’s production systems. Sensitive customer deployments are further isolated by VPCs.


Avaamo deploys firewalls at entry points of publicly accessible systems to log, audit and detect DOS and DDOS, and prevent such attacks.

8 server rendering@2x

Server Hardening

All servers within our production fleet are hardened using the CIS (Center for Internet Security) benchmarks and have a base configuration image applied to ensure consistency across the environment.

9 respond incident@2x

Responding to Security Incidents

Avaamo has established policies and procedures for responding to potential security incidents. All security incidents are managed by Avaamo’s Security Incident Response Team (SIRT). Please contact to report any security incidents.