> ## Documentation Index
> Fetch the complete documentation index at: https://docs.abv.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Security FAQ

> Frequently asked questions about ABV's security practices

This page addresses frequently asked questions and common security topics for ABV.

If you don't find a solution to your issue here, reach out to [security@abv.dev](mailto:security@abv.dev).

# Data Protection & Encryption

<AccordionGroup>
  <Accordion title="How is data encrypted in transit and at rest?" icon="lock">
    TLS 1.2+ protects traffic; all stored data uses AES-256 encryption. See [encryption documentation](/security/security/encryption) for more details.
  </Accordion>

  <Accordion title="Do you ever use customer data to train models or analytics?" icon="robot">
    No—customer traces and prompts are processed only to provide the ABV service and are never used to train internal or third-party ML models. See [security overview](/developer/guardrails/llm-security-guardrails-overview) for more details.
  </Accordion>

  <Accordion title="What retention, deletion and export controls exist?" icon="database">
    Each project can set its own retention window; data older than that is purged nightly, and users/API can trigger immediate deletion or export. See [data retention](/developer/platform/administration/data-retention) and [data deletion](/developer/platform/administration/data-deletion) documentation.
  </Accordion>
</AccordionGroup>

# Deployment & Infrastructure

<AccordionGroup>
  <Accordion title="Can I deploy ABV in a single-tenant environment?" icon="server">
    Yes, please contact us for pricing and setup.
  </Accordion>

  <Accordion title="How is tenant isolation enforced?" icon="users">
    Cloud tenants are logically isolated by project-level RBAC. Optional physical separation is available for enterprise clients. See [RBAC documentation](/developer/platform/administration/role-based-access-controls) for more details.
  </Accordion>

  <Accordion title="Can customers pin data to specific regions?" icon="globe">
    Yes—EU, US and HIPAA-ready US zones are available.
  </Accordion>

  <Accordion title="Where is ABV hosted and how is the perimeter protected?" icon="shield">
    ABV runs on AWS in isolated VPCs with WAF and AWS Shield for DDoS mitigation.
  </Accordion>
</AccordionGroup>

# Compliance & Certifications

<AccordionGroup>
  <Accordion title="Which audits and attestations are in place?" icon="certificate">
    ABV is ISO 27001 and ISO 42001 compliant; GDPR & HIPAA controls are implemented. See [compliance overview](/security/compliance/iso-27001-compliance) for more details.
  </Accordion>

  <Accordion title="How often are third-party pen tests performed, and are results shareable?" icon="bug">
    Independent penetration tests occur annually, plus continuous vulnerability scans. See [penetration testing](/security/security/penetration-testing) for more details and past results.
  </Accordion>
</AccordionGroup>

# Identity & Access Management

<AccordionGroup>
  <Accordion title="Which authentication options are supported?" icon="key">
    OIDC SSO, email/password, and SCIM provisioning; MFA or passkeys can be enforced via your IdP. See [authentication documentation](/security/security/authentication-authorization) for more details.
  </Accordion>

  <Accordion title="How is least-privilege enforced?" icon="user-lock">
    RBAC lets you scope roles to organisation or project. See [RBAC documentation](/developer/platform/administration/role-based-access-controls) for more details.
  </Accordion>
</AccordionGroup>

# Application Security & SDLC

<AccordionGroup>
  <Accordion title="What secure-coding and testing practices are in place?" icon="code">
    Every commit passes our CI pipeline of end-to-end, unit, and security tests.
  </Accordion>
</AccordionGroup>

# Incident Response & Business Continuity

<AccordionGroup>
  <Accordion title="What is the incident-response process?" icon="bell">
    24 × 7 monitoring triggers an on-call engineer; affected customers are notified and post-mortems are published for larger incidents. See [Incident & Breach](/security/security/incident-breach) documentation for more details.
  </Accordion>
</AccordionGroup>

# Vulnerability & Pen-Testing

<AccordionGroup>
  <Accordion title="How is the disclosure program run?" icon="shield-halved">
    ABV maintains a public responsible-disclosure policy; CVSS drives remediation SLAs. See [penetration testing](/security/security/penetration-testing) for more details.
  </Accordion>

  <Accordion title="Can customers run their own pen-tests?" icon="vial">
    No.
  </Accordion>
</AccordionGroup>

# Sub-processors & Third-Party Risk

<AccordionGroup>
  <Accordion title="Which sub-processors have access to customer data?" icon="link">
    Please contact [privacy@abv.dev](mailto:privacy@abv.dev) for the current list of sub-processors.
  </Accordion>
</AccordionGroup>

# AI / LLM-Specific Concerns

<AccordionGroup>
  <Accordion title="Does ABV store PII or trade secrets from prompts?" icon="eye">
    ABV stores the data as-is. You can redact sensitive data via [data masking](/developer/basic-features/masking-sensitive-data).
  </Accordion>

  <Accordion title="Can long-term retention be disabled?" icon="calendar">
    Yes—you can configure custom [data retention](/developer/platform/administration/data-retention) policies.
  </Accordion>

  <Accordion title="Is prompt/trace data ever used for benchmarking or training?" icon="chart-line">
    No. ABV does not repurpose customer data for external benchmarks or model training. See [security overview](/developer/guardrails/llm-security-guardrails-overview) for more details.
  </Accordion>
</AccordionGroup>

# Governance, People & Culture

<AccordionGroup>
  <Accordion title="How are employees vetted and trained?" icon="user-check">
    All staff pass background checks, sign NDAs and complete security training. See [ISO 27001 compliance](/security/compliance/iso-27001-compliance) and [ISO 42001 compliance](/security/compliance/iso-42001-compliance) for more details.
  </Accordion>

  <Accordion title="Who owns security inside ABV?" icon="user-shield">
    ABV CISO leads security efforts at ABV and reviews risk quarterly and drives continuous improvement. See [ISO 27001 compliance](/security/compliance/iso-27001-compliance) and [ISO 42001 compliance](/security/compliance/iso-42001-compliance) for more details.
  </Accordion>
</AccordionGroup>
