Security

1. Introduction

At Avian Data Inc. ("Avian", "we", "our", or "us"), we prioritize the security of the data you entrust to us. This page describes the technical, organizational, and operational measures we maintain to protect your information when you use our AI inference API and related services (the "Services").

2. Encryption

2.1 In transit

All communications between your systems and Avian—including API requests, website interactions, and account management—are encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and do not support unencrypted connections.

2.2 At rest

Any data that is persisted (such as account information and billing records) is encrypted at rest using AES-256 encryption. Encryption keys are managed through dedicated key management services with strict access controls.

3. Zero Data Retention

We do not log, store, or cache the content of your API requests (prompts) or API responses (completions). Your input and output data is processed in memory and is not written to persistent storage. Once a response is delivered, no record of the content exists in our systems.

We log only request metadata—timestamps, model selected, and token counts—for billing, rate limiting, and service monitoring. This metadata never includes prompt or completion content.

4. Infrastructure Security

• Cloud hosting: Our services run on hardened, isolated cloud infrastructure with automated patching and vulnerability scanning.
• Network segmentation: Production systems are isolated from development and corporate environments using strict network controls.
• DDoS mitigation: We employ multi-layer DDoS protection at the network and application layers to ensure availability.
• Monitoring: We operate 24/7 infrastructure monitoring with automated alerting for anomalous activity, performance degradation, and security events.

5. Access Controls

• Least privilege: All internal access follows the principle of least privilege. Employees and systems are granted only the minimum permissions necessary.
• Multi-factor authentication: MFA is required for all employees accessing production systems and administrative tools.
• API key security: API keys are hashed before storage. We never store or display your full API key after initial generation.
• Connector permissions: When you authorize third-party connectors, you authenticate directly with the connector provider—Avian requests only the minimum scopes necessary.

6. Security Audits and Compliance

We conduct regular internal and third-party security assessments, including penetration testing and code reviews. Avian is in the process of obtaining SOC 2 Type II certification.

We comply with applicable data protection regulations, including GDPR and CCPA/CPRA, and maintain processes to respond to data subject requests. For details, see our Privacy Policy.

7. Incident Response

We maintain a documented incident response plan that covers detection, containment, investigation, and remediation of security events. In the event of a confirmed data breach, we will:

• Notify affected customers promptly and in accordance with applicable law.
• Provide details about the nature and scope of the incident.
• Describe the remediation steps taken and any actions customers should take.

8. Employee Security

All employees complete security awareness training upon hire and on an ongoing basis. Training covers data protection, phishing awareness, secure development practices, and incident reporting. Access to production systems is logged and reviewed regularly.

9. Responsible Disclosure

If you discover a security vulnerability in our Services, we encourage responsible disclosure. Please report it to security@avian.io. We will acknowledge receipt within 48 hours and work to address confirmed vulnerabilities promptly.

10. Contact Us

For security questions or concerns, contact us:

• Email: security@avian.io
• Company: Avian Data Inc., a Delaware corporation