Encryption at rest & in transit
All customer data is encrypted at rest with AES-256, and every connection must use TLS 1.2 or newer. Each evidence artefact carries a SHA-256 checksum so you can verify it has not been altered.
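An added example (not AuditVault's own code) of how a customer could verify those SHA-256 checksums after downloading artefacts. It assumes the checksums are delivered in a sha256sum-style manifest of "<hex digest>  <file name>" lines, which is an assumption about the format, and the artefact bytes below are constructed for the example. It hashes each artefact in chunks, compares digests in constant time, and reports tampered and missing files separately.

```python
import hashlib
import hmac
import io

# Constructed sample artefacts; the contents are made up for this example.
ARTEFACTS = {
    "access-review-2024Q1.csv": b"user,role,reviewed\nalice,admin,yes\nbob,viewer,yes\n",
    "firewall-config.txt": b"deny all inbound\nallow 443/tcp from any\n",
}

HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(stream, chunk_size=64 * 1024):
    """Hash a file-like object in chunks so large artefacts are never read fully into memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_of_bytes(data):
    """Convenience wrapper for in-memory artefacts."""
    return sha256_hex(io.BytesIO(data))


def build_manifest(artefacts):
    """Produce a sha256sum-style manifest (assumed format): '<hex>  <name>' per line."""
    lines = [f"{sha256_of_bytes(data)}  {name}" for name, data in artefacts.items()]
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Parse the manifest into {name: expected_hex}; reject malformed lines rather than skipping them."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        if not sep or not name or len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest
    return expected


def verify_artefacts(manifest_text, artefacts):
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every entry in the manifest."""
    expected = parse_manifest(manifest_text)
    results = {}
    for name, digest in expected.items():
        data = artefacts.get(name)
        if data is None:
            results[name] = "missing"
            continue
        actual = sha256_of_bytes(data)
        # compare_digest avoids leaking how many leading characters matched.
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "mismatch"
    return results


if __name__ == "__main__":
    manifest = build_manifest(ARTEFACTS)
    print(verify_artefacts(manifest, ARTEFACTS))
    # Simulate a tampered and a missing artefact.
    tampered = dict(ARTEFACTS)
    tampered["firewall-config.txt"] = b"allow all inbound\n"
    del tampered["access-review-2024Q1.csv"]
    print(verify_artefacts(manifest, tampered))
```

A checksum only proves the bytes match what the manifest says; treat the manifest itself as trustworthy only if it was obtained over the TLS-protected API, since an attacker who can replace both the artefact and its checksum defeats the check.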
API key security
Only a hash of each API key is stored, and keys are never written to logs. You can rotate or revoke a key at any time from your account settings.
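An added example (not AuditVault's own implementation) of the hashed-storage pattern described above. The key format ("av_<id>_<random>"), the in-memory store and the helper names are assumptions made for the example. The plaintext is returned once at creation and only its SHA-256 hash is persisted; authentication looks the key up by its public id and compares the hash in constant time; rotation and revocation invalidate the old key; and a redaction helper shows how a key can be referenced in logs without being logged.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

KEY_PREFIX = "av_"  # hypothetical prefix, not AuditVault's real key format


@dataclass
class ApiKeyRecord:
    key_id: str    # public identifier embedded in the key; safe to log
    key_hash: str  # SHA-256 hex of the full key; the plaintext is never stored
    owner: str
    revoked: bool = False


def _hash_key(key):
    # API keys are long random tokens, so a fast hash is appropriate here.
    # A slow password hash (bcrypt/argon2) is only needed for low-entropy secrets.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def _key_id_from(presented):
    """Extract the public key id from a presented key, or None if the shape is wrong."""
    if not presented.startswith(KEY_PREFIX):
        return None
    key_id, sep, _ = presented[len(KEY_PREFIX):].partition("_")
    return key_id if sep and key_id else None


def redact_for_log(presented):
    """Log-safe form: prefix and id only, never the secret part."""
    key_id = _key_id_from(presented)
    return f"{KEY_PREFIX}{key_id}_***" if key_id else "<malformed key>"


class ApiKeyStore:
    def __init__(self):
        self._by_id = {}

    def create(self, owner):
        key_id = secrets.token_hex(4)
        plaintext = f"{KEY_PREFIX}{key_id}_{secrets.token_urlsafe(32)}"
        record = ApiKeyRecord(key_id=key_id, key_hash=_hash_key(plaintext), owner=owner)
        self._by_id[key_id] = record
        return plaintext, record  # plaintext is shown once and never persisted

    def authenticate(self, presented):
        """Return the record for a valid, unrevoked key, else None."""
        key_id = _key_id_from(presented)
        record = self._by_id.get(key_id) if key_id else None
        # Hash the presented key even when no record exists, so timing does not reveal valid ids.
        candidate = _hash_key(presented)
        if record is None or not hmac.compare_digest(record.key_hash, candidate):
            return None
        return None if record.revoked else record

    def revoke(self, key_id):
        self._by_id[key_id].revoked = True

    def rotate(self, key_id):
        """Issue a fresh key for the same owner and revoke the old one."""
        old = self._by_id[key_id]
        self.revoke(key_id)
        return self.create(old.owner)


if __name__ == "__main__":
    store = ApiKeyStore()
    plaintext, record = store.create("alice")
    print("issued", redact_for_log(plaintext))
    print("valid:", store.authenticate(plaintext) is record)
    new_plain, new_record = store.rotate(record.key_id)
    print("old key after rotate:", store.authenticate(plaintext))
    print("new key:", store.authenticate(new_plain) is new_record)
```

Because the stored value is a hash of a high-entropy secret, a database dump does not yield usable keys, and the id-plus-hash layout lets the service log which key was used without ever logging the key itself.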
Audit logging
Every action in AuditVault — logins, control updates, evidence uploads, report generation — is logged with timestamp and user attribution.
Infrastructure security
Your data is hosted in secure, redundant infrastructure with multiple layers of protection. We maintain high availability across geographically separated facilities.
Access controls
Who can see your data
AuditVault enforces role-based access control (RBAC) at every layer. Our engineering team has no standing access to customer data.
- Multi-factor authentication enforced for all AuditVault staff.
- Customer data is logically isolated per organization — no cross-tenant access.
- Third-party sub-processors are contractually bound to equivalent data protection standards.
- Annual internal security reviews and periodic penetration testing.
Incident response
If something goes wrong
We maintain an incident response plan with defined severity levels and a post-mortem process. In the event of a data breach, we will notify you within 72 hours.
To report a security vulnerability, email support@auditvault.co with subject "Security Disclosure".