Security FAQ
This page addresses frequently asked questions and common security topics for ABV. If you don’t find a solution to your issue here, reach out to security@abv.dev.

How is data encrypted in transit and at rest?
TLS 1.2+ protects traffic; all stored data uses AES‑256 encryption. See Encryption for more details.

Do you ever use customer data to train models or analytics?
No—customer traces and prompts are processed only to provide the ABV service and are never used to train internal or third‑party ML models. See Security Overview for more details.

What retention, deletion and export controls exist?
Each project can set its own retention window; data older than that is purged nightly, and users/API can trigger immediate deletion or export. See the Data Retention and Data Deletion documentation.

Can I deploy ABV in a single-tenant environment?
Yes, please contact us for pricing and setup.

How is tenant isolation enforced?
Cloud tenants are logically isolated by project‑level RBAC. Optional physical separation is available for enterprise clients. See the RBAC documentation for more details.

Can customers pin data to specific regions?
Yes—EU, US and HIPAA‑ready US zones are available.

Compliance & Certifications

Which audits and attestations are in place?
ABV is ISO 27001 and ISO 42001 compliant; GDPR & HIPAA controls are implemented. See ISO 27001 Compliance for more details.

How often are third‑party pen tests performed, and are results shareable?
Independent penetration tests occur annually, plus continuous vulnerability scans. See Penetration Testing for more details and past results.

Identity & Access Management

Which authentication options are supported?
OIDC SSO, email/password, and SCIM provisioning; MFA or passkeys can be enforced via your IdP. See the Auth documentation for more details.

How is least‑privilege enforced?
RBAC lets you scope roles to organisation or project. See the RBAC documentation for more details.

Infrastructure & Network Security

Where is ABV hosted and how is the perimeter protected?
ABV runs on AWS in isolated VPCs with WAF and AWS Shield for DDoS mitigation.

Application Security & SDLC

What secure‑coding and testing practices are in place?
Every commit passes our CI pipeline of end-to-end, unit, and security tests.

Incident Response & Business Continuity

What is the incident‑response process?
24×7 monitoring triggers an on‑call engineer; affected customers are notified and post‑mortems are published for larger incidents. See the Incident & Breach documentation for more details.

Vulnerability & Pen‑Testing

How is the disclosure program run?
ABV maintains a public responsible‑disclosure policy; CVSS drives remediation SLAs. See Penetration Testing for more details.

Can customers run their own pen‑tests?
No.

Sub‑processors & Third‑Party Risk

Which sub‑processors have access to customer data?
The live list is published at Subprocessors.

AI / LLM‑Specific Concerns

Does ABV store PII or trade secrets from prompts?
ABV stores the data as is. You can redact sensitive data via data masking.

Can long‑term retention be disabled?
Yes—you can configure custom data retention policies.

Is prompt/trace data ever used for benchmarking or training?
No. ABV does not repurpose customer data for external benchmarks or model training. See Security Overview for more details.

Governance, People & Culture

How are employees vetted and trained?
All staff pass background checks, sign NDAs and complete security training. See ISO 27001 Compliance and ISO 42001 Compliance for more details.

Who owns security inside ABV?
The ABV CISO leads security efforts at ABV, reviews risk quarterly, and drives continuous improvement. See ISO 27001 Compliance and ISO 42001 Compliance for more details.