Security Program Overview

Executive Summary

Avoca maintains a comprehensive, defense-in-depth security posture built on SOC 2-compliant infrastructure with active progression toward SOC 2 Type II certification. Our security program combines enterprise-grade cloud infrastructure, continuous automated monitoring, and rigorous access controls to protect customer data while maintaining the agility expected of an innovative healthcare technology platform.

Organizational Security Leadership

Senior Cybersecurity Leadership
  • Position: Engineering Lead / IT Manager with direct security oversight responsibility
  • Reporting Structure: Reports directly to CEO/CTO, ensuring security considerations are integrated at the executive decision-making level
  • Team Composition: Managing one dedicated contractor resource alongside a full-time engineering resource with security responsibilities, appropriately scaled for our current operational phase
  • External Expertise: Engaged Pileum as virtual CISO (vCISO) provider, delivering enterprise-level strategic security guidance and oversight
This lean but expert-driven structure reflects our stage-appropriate approach to security, leveraging specialized external expertise to augment internal capabilities while maintaining direct executive visibility into security matters.

Third-Party Security Management

Avoca leverages specialized third-party providers to augment internal security capabilities.

Security Service Providers
  • Pileum: Virtual CISO services, Mobile Device Management, security training
  • Vanta: Compliance platform serving as source of record for SOC 2 controls and audit readiness
  • Infrastructure Providers: All maintain current SOC 2 Type II certifications
Contractor Security
  • Full-time employees and contractors subject to identical security requirements
  • MDM deployment ensures device-level security compliance (organization-wide rollout: November 31, 2025)
  • SOC 2 policies apply uniformly to all personnel regardless of employment classification
  • Background checks conducted for all personnel with system access

Cybersecurity Insurance Coverage

Avoca maintains 5,000,000 dollars in cybersecurity insurance coverage, providing financial protection and risk transfer for potential security incidents. This coverage demonstrates our commitment to risk management and provides additional assurance to customers regarding preparedness for potential security events.

SOC 2 Certification Status

Type I Certification — Near-Term Completion
SOC 2 Type I report will be available within the coming weeks, validating the design of Avoca’s security controls against Trust Services Criteria. This formal assessment demonstrates our commitment to security and compliance standards through independent third-party validation.

Type II Certification — In Progress
  • Estimated completion: December 15, 2025
  • Core security controls operational and aligned with SOC 2 requirements
  • Documentation and processes prepared for audit readiness
  • Control reviews conducted regularly to maintain alignment
  • Certified infrastructure foundations across database, hosting, and source control providers

Identity Stack

Avoca does not utilize Microsoft Azure or Azure Active Directory in the infrastructure stack. Identity and access management is built on Google Workspace with SSO or SAML integrations, supplemented by Supabase and Google OAuth for application-level authentication.

Customer Impact

Enterprise-Grade Security at Startup Speed
  • Certified infrastructure: SOC 2 Type II certified providers across all critical systems
  • Continuous monitoring: Around-the-clock automated vulnerability scanning and threat detection
  • Defense in depth: Multiple layers of security controls across network, application, and data layers
  • Transparent progress: Clear timelines and commitment to formal certification completion
  • Expert guidance: Virtual CISO oversight ensures enterprise-level security strategy
  • Financial backing: Five million dollars in cybersecurity insurance demonstrates risk management commitment
Ongoing Security Evolution
Avoca’s security program continues to mature alongside the platform, with clear roadmaps for:
  • SOC 2 Type II certification completion (December 15, 2025)
  • Enhanced penetration testing programs (Q1 2026)
  • Advanced WAF capabilities (Q1 or Q2 2026)
  • Expanded MDM deployment and automated access management (Q4 2025 through Q1 2026)
  • Multi-region backup capabilities (Q2 or Q3 2026)
This combination of operational security controls, certified infrastructure, and clear enhancement roadmap provides comprehensive security assurance appropriate for healthcare technology partnerships.