Skip to main content

Risk and Vulnerability Management

Continuous Monitoring

Avoca employs a multi-layered approach to vulnerability identification and management:
  • Continuous Dependency Scanning: Automated scanning runs 24/7 on all code dependencies
  • Integrated Tooling:
    • Delve Auditor for comprehensive security assessments
    • GitHub code security tooling with Dependabot for real-time vulnerability detection
    • Vanta automated vulnerability scanning across integrated systems
  • Infrastructure-Level Protection: Cloud infrastructure providers conduct regular penetration testing programs, with security attestations shared through SOC 2 certifications

Penetration Testing Program

  • Frequency: Annual external penetration testing scheduled as part of SOC 2 control requirements
  • First Assessment: Q1 2026 as part of certification readiness activities
  • Vendor Selection: Evaluating qualified third-party security assessment providers to ensure comprehensive testing coverage
  • Scope: External-facing systems and critical infrastructure components

Vulnerability Remediation

Avoca maintains aggressive remediation timelines aligned with industry best practices:
  • Critical vulnerabilities: Addressed within 24 hours of identification
  • High-severity issues: Remediated within 72 hours
  • Medium severity: Resolved within regular update cycles (maximum 30 days)
  • Low severity: Addressed during routine maintenance windows
All remediation follows a structured process including temporary mitigations for immediate risk reduction, staging environment testing, and documented rollback procedures.

Infrastructure Hardening

Avoca implements multiple layers of security controls to minimize attack surfaces. Authentication Security
  • Professional third-party authentication services (Supabase and Google OAuth) eliminate risks of proprietary authentication vulnerabilities
  • All publicly accessible endpoints require authentication (JWT, API key, or OAuth)
  • Database endpoint protection (target completion: November 15, 2025)
DDoS Protection
  • Automated IP blacklisting through Supabase for untrusted or attacking sources
  • Rate limiting and queuing capabilities throughout the architecture
  • Serverless infrastructure design provides inherent scaling resilience
  • Web Application Firewall (WAF) evaluation in progress (ETA: Q1 or Q2 2026)
Network Architecture
  • No meaningful on-premises infrastructure to attack
  • Production and staging environments logically separated across all cloud and SaaS platforms
  • Isolation enforced at infrastructure provider level through account or project separation

Patch Management

Avoca maintains aggressive patching timelines while leveraging shared responsibility models. Application Dependencies
  • Custom application code packages updated regularly (maximum 30 days)
  • GitHub Dependabot and Vanta vulnerability scanning identify patching needs
  • Critical patches prioritized for immediate deployment
Operating Systems & Runtime Environments
  • Managed by service providers under shared responsibility model
  • Serverless and SaaS architecture eliminates direct OS management responsibility
  • Providers maintain security patching under their SLAs and compliance obligations
Third-Party Products
  • GitHub Dependabot continuously monitors for vulnerable dependencies
  • Vanta scanning identifies outdated third-party components
  • Security patches from infrastructure providers automatically applied