Skip to main content

Data Protection and Privacy

Encryption Standards

Avoca implements comprehensive encryption across all data states. Data at Rest
  • Industry-standard AES-256 encryption for all stored data
  • Database-level encryption provided by infrastructure providers (Supabase and AWS)
  • Encryption key management handled by certified infrastructure providers
Data in Transit
  • TLS 1.2 minimum for all data transmission
  • HTTPS enforced on all API endpoints
  • SSL required for all database connections
  • No unencrypted data transmission permitted
Data Segmentation & Isolation
  • Team or Customer-Level Isolation: All database queries require team or customer ID authentication
  • Architectural Prevention: System architecture prevents cross-customer data access at the query level
  • No Hardware Isolation Required: Row-level security provides equivalent protection without multi-tenancy complexity

Regulatory Compliance Support

Regulatory Coverage Avoca maintains compliance alignment with HIPAA (if applicable), GDPR, and CCPA/CPRA obligations and supports customers pursuing SOC 2 assurance. Data Minimization
  • Only request/store data necessary for booking operations
  • Retain customer data only as required for operations
  • Option to anonymize historical data for analytics
Right to Deletion (GDPR/CCPA) 
DELETE /api/v1/customers/{customer_id}
POST /api/v1/customers/{customer_id}/gdpr-delete
Purpose: Complete customer data deletion
Response: Confirmation with deletion_id for audit trail Right to Access 
GET /api/v1/customers/{customer_id}/data-export
Purpose: Export all customer data
Response: Portable JSON data package
Data Retention Policies
  • Define retention periods for bookings, customer data, logs
  • Automatic data purging post-retention period
  • Legal hold capabilities
Consent Management
  • Track customer consent preferences
  • Respect marketing opt-ins/opt-outs
  • Manage data sharing preferences