How We Protect Your Data

Understanding how your data is protected helps you make informed decisions about using ABV in your security-sensitive applications.
All data is encrypted both in transit and at rest using industry-standard protocols:
  • In Transit: TLS (Transport Layer Security) for all network communications
  • At Rest: AES-256 encryption for all stored data across databases, caches, and blob storage
This means your LLM traces, prompts, and evaluation data are protected from unauthorized access at every stage of their lifecycle.
We implement multiple layers of access control to ensure only authorized users can access your data:
  • Enterprise SSO: OIDC-based single sign-on with providers like Okta and Azure AD
  • Role-Based Access Control (RBAC): Granular permissions at organization and project levels
  • SSO Enforcement: Optional requirement for domain-based SSO usage
  • Multi-Factor Authentication: Additional security for sensitive operations
Learn more about our authentication and authorization mechanisms.
We don’t wait for security issues to find us—we actively hunt for them:
  • Annual External Penetration Tests: Independent security experts simulate real-world attacks
  • Vulnerability Management: Continuous scanning and rapid remediation
  • ISO 27001 Audits: Annual third-party audits of our information security management system
Customers on Pro and Enterprise plans can request access to our penetration test reports.
Choose where your data lives and how it’s isolated:
  • Regional Deployment: US (Virginia), EU (Ireland), and dedicated HIPAA regions
  • Multi-Tenant SaaS: Secure isolation in shared infrastructure
  • Single-Tenant Options: Dedicated environments for enterprise customers
Your data stays in your chosen region and is never shared between organizations.
We build privacy into every feature:
  • Data Masking: Automatically redact sensitive information from traces
  • Data Retention Controls: Configure how long data is stored
  • Data Deletion: Delete specific traces, projects, or entire organizations
  • Minimal Data Collection: We only collect what’s necessary for the service
Learn more about managing personal data in ABV.

Compliance Certifications

We maintain active compliance with industry-standard frameworks to meet your regulatory requirements.
Our information security management system (ISMS) is certified to ISO 27001 standards, with annual third-party audits validating our security controls, risk management, and incident response processes. View ISO 27001 details
We align with ISO 42001, the international standard for AI management systems, ensuring responsible AI development, deployment, and governance. View ISO 42001 details
For healthcare organizations, ABV offers HIPAA-aligned infrastructure with Business Associate Agreements (BAA) to protect Protected Health Information (PHI). View HIPAA details
We comply with the General Data Protection Regulation (GDPR), offering data processing agreements (DPA) and comprehensive controls for managing personal data. View GDPR details
We align with the EU’s NIS2 Directive for network and information security, implementing comprehensive cybersecurity measures and incident reporting. View NIS2 details

Infrastructure & Deployment

Deployment Models

Choose the deployment model that fits your security and compliance requirements:
Model | Description | Best For
Multi-Tenant | Secure, isolated tenants in shared infrastructure | Most organizations—fast deployment, managed updates
Single-Tenant | Dedicated environment with isolated resources | Enterprise customers only

Infrastructure Details

Cloud Provider: AWS and ClickHouse via AWS
Regions:
  • US Region: us-east-1 (Virginia)
  • EU Region: eu-west-1 (Ireland)
  • HIPAA Region: Dedicated infrastructure for healthcare compliance
Services Encrypted at Rest:
  • ElastiCache (Redis) - AES-256
  • Aurora (PostgreSQL) - AES-256
  • ClickHouse - AES-256
  • S3 / Blob Storage - AES-256

Transparency & Reporting

We believe in security through transparency. We maintain clear channels for security reporting and provide visibility into our security practices.
We welcome security researchers to help us identify and fix vulnerabilities. Our responsible disclosure program provides clear guidelines for reporting security issues confidentially. View our responsible disclosure policy
In the unlikely event of a security incident, we have a comprehensive incident response plan that includes:
  • Immediate containment and investigation
  • Customer notification within required timeframes
  • Root cause analysis and remediation
  • Post-incident review and improvements
Learn about our incident response
We maintain a confidential whistleblowing channel for reporting concerns about security, privacy, ethics, or compliance. View whistleblowing information
We provide access to security documentation for customers:
  • Penetration test reports (Pro/Enterprise)
  • ISO 27001 certificates
  • Data Processing Agreements
  • Business Associate Agreements (HIPAA)
Contact [email protected] to request access.

Internal Policies

Our compliance program is based on comprehensive internal policies covering every aspect of security, privacy, and AI governance. View our complete policy list.

Next Steps

Explore specific areas of our security and compliance program: