Security
Last updated: July 8, 2026
INFRASTRUCTURE SECURITY
The AVIR platform, operated by Lansar Industries, Inc., runs on managed cloud infrastructure provided by Vercel (frontend and edge delivery) and Supabase (backend, database, and authentication). Both providers maintain SOC 2 Type II attestations, and we inherit the physical and environmental controls of their underlying data centres.
Our network architecture separates public-facing services from internal data stores. Application traffic terminates at a hardened edge before reaching backend services, and database instances are not directly exposed to the public internet.
- DDoS mitigation and edge filtering are provided at the network perimeter by our hosting providers.
- Backend services are reachable only over authenticated, encrypted connections.
- Regional hosting is aligned to customer requirements, allowing data to be pinned to specific geographies where contractually required.
- Infrastructure changes are managed through version-controlled configuration and reviewed before deployment.
APPLICATION SECURITY
Security is built into our software development lifecycle rather than added afterwards. Changes to the AVIR platform move through source control, automated checks, and human review before they reach production.
- All code changes require peer review and pass automated tests before merge.
- Dependencies are continuously scanned for known vulnerabilities, and critical advisories are triaged on receipt.
- Static analysis and secret-scanning run in our continuous integration pipeline to catch issues early.
- Discovered vulnerabilities are tracked to remediation with severity-based service levels, prioritising critical and high-risk findings.
DATA ENCRYPTION
Customer data is encrypted throughout its lifecycle, both while stored and while moving across networks.
- Data at rest is encrypted using AES-256.
- Data in transit is protected with TLS 1.3, and connections to our databases are encrypted.
- Encryption keys are managed by our cloud providers with regular rotation and strict access controls.
- Application secrets and API keys are stored in encrypted environment variables and are never committed to source code.
ACCESS MANAGEMENT
Access to the AVIR platform and to our internal systems follows the principle of least privilege: users and staff receive only the access required to perform their role.
- Single sign-on (SSO) is supported for enterprise customers.
- Multi-factor authentication (MFA) is available for account access and required for privileged internal systems.
- Role-based access control (RBAC) enforces permissions at both the platform level and the programme level.
- Sessions are managed with automatic timeout and re-authentication for sensitive operations.
MONITORING AND LOGGING
We continuously monitor the AVIR platform for anomalous and potentially malicious activity, and we retain detailed records to support investigation and accountability.
- Security events are aggregated into a security information and event management (SIEM) pipeline for correlation and alerting.
- Audit trails capture user actions and API calls across the platform.
- Logs are retained in line with our retention policy and applicable regulatory requirements, and access to them is restricted.
- Alerts on suspicious activity are routed to our security team for review.
COMPLIANCE CERTIFICATIONS
We maintain a compliance programme designed to meet the expectations of aerospace and enterprise customers operating across multiple jurisdictions.
- SOC 2 Type II: in progress.
- GDPR: compliant.
- ISO 27001: planned.
Data residency is configurable for the EU and US to support local requirements. We respond to customer security questionnaires and provide evidence packs and supporting documentation on request.
BUSINESS CONTINUITY
We maintain backup and disaster recovery procedures to protect against data loss and to restore service in the event of an outage.
- Databases are backed up on a regular, automated schedule, with point-in-time recovery available.
- Backups are encrypted and stored with the same protections as production data.
- Recovery procedures are documented and periodically tested.
- We target a Recovery Time Objective (RTO) and Recovery Point Objective (RPO) commensurate with the criticality of the affected systems, and we review these targets with enterprise customers under contract.
INCIDENT RESPONSE
We maintain a defined incident response process covering detection, containment, eradication, recovery, and post-incident review.
- Detection draws on monitoring, alerting, and reports from staff, customers, and researchers.
- On confirmation of an incident, we act to contain and remediate the issue and to preserve relevant evidence.
- Where a personal data breach is confirmed, we notify affected customers and, where applicable, supervisory authorities within 72 hours in line with GDPR requirements.
- Every significant incident is followed by a post-incident review to identify root causes and drive corrective action.
EMPLOYEE SECURITY
Our people are a core part of our security posture, and we apply controls across the employment lifecycle.
- Background checks are conducted on employees where permitted by law and appropriate to the role.
- Staff complete security awareness training on joining and on a recurring basis thereafter.
- Access to systems and customer data is granted on a least-privilege basis and reviewed periodically.
- Offboarding procedures ensure that access is revoked promptly when a person leaves or changes role.
VENDOR MANAGEMENT
We evaluate the security and privacy practices of third parties before entrusting them with customer data, and we monitor them on an ongoing basis.
- Subprocessors are assessed for their security posture and compliance standing before onboarding.
- Data processing agreements are put in place with vendors that handle personal data.
- Vendor relationships are reviewed periodically, and material changes to a vendor's risk profile are reassessed.
PHYSICAL SECURITY
The AVIR platform runs entirely on cloud infrastructure, so the physical security of the underlying data centres is inherited from our SOC 2 Type II hosting providers, Vercel and Supabase. Their facilities implement controls including 24/7 monitoring, biometric and multi-factor access, and environmental protection.
Within Lansar Industries, our own offices apply access controls to premises and equipment, and company devices are managed and encrypted.
RESPONSIBLE DISCLOSURE
We welcome reports from the security research community and are committed to working with researchers to verify and remediate legitimate findings.
- A formal bug bounty programme is coming; in the meantime we operate a coordinated disclosure process.
- To report a vulnerability, email security@avir.space with enough detail to reproduce the issue.
- We acknowledge reports within 48 hours and will keep you informed as we investigate.
- We ask that researchers avoid accessing or modifying customer data and give us reasonable time to remediate before any public disclosure.
CONTACT
For any security question, disclosure, or documentation request, contact our security team. Evidence packs and security documentation are available on request.
Security contact
security@avir.space
Legal entity
Lansar Industries, Inc.
1511 3rd Ave, Suite 1002-1044
Seattle, WA 98101
United States