Avokaado Compliance & Security

At Avokaado, protecting your data is at the core of our platform. We are committed to meeting the highest legal, security, and privacy standards to ensure your data is processed, stored, and accessed in a secure and compliant way.

Data Protection & GDPR Compliance

Avokaado is fully compliant with the EU General Data Protection Regulation (GDPR). We act as a data processor when handling data on behalf of our customers and as a data controller for user data related to platform delivery and operation.

We have implemented strict internal data protection policies, including:

  • Role-based access control
  • Signed confidentiality agreements with employees
  • Separation of client environments
  • Strong data minimization and retention rules

Data Protection Officer

Our CEO, a licensed attorney and member of the Estonian Bar Association, serves as Avokaado’s Data Protection Officer (DPO). The DPO ensures our practices remain aligned with GDPR and other data protection frameworks. For questions or concerns, you can contact us at:
mariana@avokaado.com

Hosting & Data Storage

Avokaado runs on Google Cloud Platform (GCP), with data hosted in EU data centers in Frankfurt (europe-west3) and Zurich (europe-west6). All data is encrypted at rest and in transit using AES-256 encryption and TLS 1.2.

We support both cloud and on-premise deployments.

  • Cloud clients benefit from fully managed secure infrastructure.
  • On-premise clients host data within their own infrastructure and control all compliance responsibilities locally. Avokaado does not access or store data in those environments.

For cross-border data transfers, we use Standard Contractual Clauses (SCCs) and ensure legal safeguards are in place.

Security Architecture

We implement strong security measures throughout the platform:

  • AES-256 encryption for data at rest
  • TLS 1.2 with SHA-2 for data in transit
  • SHA-512 password hashing
  • IP restrictions and firewall protections
  • Daily automated encrypted backups
  • Strict internal deployment controls (limited to CEO and CTO)
  • Secure credential management via 1Password
  • Activity logging and audit trails with 6-month retention

We operate with a 24-hour Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

Subprocessors

Avokaado uses a limited number of trusted subprocessors:

  • Google Cloud Platform – secure cloud hosting
  • Microsoft Azure – used for private AI deployments
  • SignNow and Dokobit – electronic signature providers

Our full subprocessor list is available here: https://avokaado.io/subprocessors

We do not transfer personal data outside the EEA without legal basis or explicit written consent from the customer.

AI and Data Privacy

Avokaado’s AI features are developed with data privacy by design. No data is transmitted to public AI services.

We offer two AI deployment models:

  • Cloud-based AI (Azure OpenAI in Germany)
  • On-premise AI (self-hosted Llama 2 models)

Key safeguards include:

  • GDPR-compliant hosting jurisdictions
  • Data segregation between workspaces and customers
  • No use of data for AI training without customer consent

Certifications and Compliance Roadmap

While Avokaado is not currently ISO-certified, our infrastructure partners (GCP and Azure) hold:

  • ISO/IEC 27001
  • SOC 2 Type II
  • HIPAA (for healthcare integrations)

We are on track to complete SOC 2 Type II certification in Q3 2025.

Legal Basis and Data Rights

We rely on lawful processing bases including contract, legal obligation, consent, and legitimate interest.
We support all data subject rights under GDPR, including:

  • Access
  • Rectification
  • Erasure
  • Restriction of processing
  • Portability
  • Objection

Retention and Deletion

Personal data is only retained as long as necessary.
Customers can configure retention settings or request full deletion.
Data is securely erased upon contract termination or upon request.

Breach Notification

We maintain a strict data breach policy and response plan.
Customers will be notified without undue delay in accordance with GDPR Articles 33 and 34.
On-premise customers are responsible for managing their own breach response.

Transparency and Control

Avokaado customers have full control over their data:

  • No data shared with third parties without legal basis
  • Full access to modify, delete, or export data
  • No use of data for commercial profiling or marketing without consent

Cookies

We use cookies for essential functionality and performance analytics.
For full details, see our Cookies Policy.