Governance, Policy, and Compliance

Policy Framework

Avoca is completing a documented suite of cybersecurity policies and procedures with an established completion target of November 15, 2025. These policies are being developed within Vanta, our centralized compliance and security management platform, ensuring:
  • Expert Guidance: Virtual CISO oversight throughout policy development ensures alignment with industry best practices and risk-appropriate controls
  • Audit Readiness: SOC 2 auditor involvement throughout the policy creation process validates that our documented controls appropriately address our organizational risk profile
  • Legal Review: Comprehensive legal review ensures policies meet regulatory requirements and contractual obligations
  • Living Documentation: Vanta serves as our authoritative source of record, enabling continuous policy refinement and version control

Incident Response & Business Continuity

Comprehensive incident response and disaster recovery plans are in development as part of our broader policy initiative (ETA: November 15, 2025), covering:
  • Cyber incident detection, containment, and remediation procedures
  • Communication protocols for internal and external stakeholders
  • Business continuity and disaster recovery strategies aligned with our cloud-first architecture
  • Post-incident analysis and continuous improvement processes
These plans are being developed with input from our vCISO, legal counsel, and SOC 2 auditor to ensure comprehensive coverage of potential scenarios and regulatory requirements.

Regulatory Commitments

Avoca maintains compliance with HIPAA (if applicable), GDPR, and CCPA/CPRA requirements and is progressing toward SOC 2 Type II completion on December 15, 2025.

Customer-Facing Agreements
  • Data Processing Agreement commits to prompt disclosure of incidents as soon as commercially and practically possible
  • Legal counsel guides all regulatory interpretations and policy decisions
  • Compliance requirements flow through vendor contracts and customer agreements

Breach Disclosure & Incident Communication

Avoca is developing formal breach disclosure policies with legal guidance (ETA: November 31, 2025) that prioritize transparent, timely communication.

Current Posture
  • Data Processing Agreement commits to disclosure as soon as commercially and practically possible
  • Legal counsel advises on regulatory requirements and best practices
  • Incident response procedures are being formalized as part of SOC 2 policy development
Communication Principles
  • Rapid notification to affected parties
  • Transparent disclosure of incident scope and impact
  • Clear guidance on protective actions for affected individuals
  • Regular updates throughout incident response and remediation