Security at Aivrum
Your data — and your customers' data — is our highest responsibility. Here is exactly how we protect it.
Last updated: June 8, 2026
SOC 2 Type II
Annual audit by an independent CPA firm verifying our security, availability, and confidentiality controls.
ISO 27001
Information Security Management System certified against the international standard.
GDPR Compliant
Fully compliant with the EU General Data Protection Regulation and UK GDPR.
UAE PDPL
Compliant with UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection.
PCI DSS
Payment card data is handled exclusively through PCI DSS-certified processors — we never store raw card numbers.
TLS 1.3
All data in transit is encrypted using Transport Layer Security 1.3 or higher.
Encryption at Rest and in Transit
All stored data — including call recordings, transcripts, and customer records — is encrypted using AES-256. All data transmitted between your browser, our APIs, and third-party integrations uses TLS 1.3. Encryption keys are managed through a dedicated key management service with automatic rotation.
Infrastructure and Hosting
Our platform runs on enterprise-grade cloud infrastructure across geographically redundant data centres in the EU and US. We use network isolation, private VPCs, and firewall rules to restrict access to internal services. Infrastructure is managed with infrastructure-as-code and all changes go through automated review pipelines.
Access Controls
We enforce the principle of least privilege across all internal systems. Employee access to production data is role-based, requires multi-factor authentication (MFA), and is reviewed quarterly. Privileged access to production environments is logged, monitored, and requires explicit justification.
Penetration Testing and Vulnerability Management
We conduct annual third-party penetration tests against our production environment and address all critical and high-severity findings within defined SLAs (critical: 24 hours; high: 7 days). We also run continuous automated vulnerability scanning and subscribe to CVE feeds relevant to our technology stack.
Security Monitoring and SIEM
All production systems emit logs to a centralised Security Information and Event Management (SIEM) platform. We monitor for anomalous authentication activity, unusual data access patterns, and known attack signatures 24/7 with automated alerting and an on-call security rotation.
Secure Development Lifecycle
Security is built into every stage of our development process. We conduct threat modelling for new features, require peer code review before any code reaches production, run automated static analysis and dependency scanning in our CI/CD pipeline, and train all engineers annually on secure coding practices.
What Happens If There Is a Breach?
We maintain a documented incident response plan that is tested annually. Our commitments in the event of a confirmed data breach are:
Internal triage team activated; incident severity classified; affected systems isolated.
Affected clients notified by email with a summary of what occurred, what data was involved, and what we are doing about it.
Regulatory notification submitted to the relevant data protection authority where required by GDPR (which requires notification without undue delay and, where feasible, within 72 hours of becoming aware of the breach) or other applicable law.
Full incident post-mortem published internally; root cause remediated; preventive controls updated.
Data Residency and Cross-Border Transfers
Primary data storage is in EU-based data centres. Call processing may involve infrastructure in the United States and United Arab Emirates. All cross-border transfers are covered by EU Standard Contractual Clauses (SCCs) or equivalent legal mechanisms.
Sub-processors
We maintain a current list of sub-processors — the third-party vendors who process personal data on our behalf — and update it whenever we onboard a new provider. Clients may request the full sub-processor list by emailing security@aivrum.com. We provide at least 14 days' notice before adding a new sub-processor that processes client personal data.
All sub-processors are assessed against our vendor security requirements before onboarding and reviewed annually thereafter.
Responsible Disclosure
If you believe you have discovered a security vulnerability in our platform, we ask that you report it to us responsibly before disclosing it publicly. We commit to acknowledging your report within 24 hours and working with you to resolve valid issues promptly.
Report a Vulnerability — security@aivrum.com
We do not pursue legal action against good-faith security researchers who follow responsible disclosure practices.