Trust

Honest about what's certified, and what's not.

Security, compliance, data residency, and responsible AI — stated plainly, with status labels. SOC 2 and ISO 27001 are in active preparation. We say so on every page, not only when asked.

Honesty about certification status earns more trust than vague claims.

  • SOC 2 Type II
    In active preparation
    Auditor engaged · target Q3 '26
  • ISO 27001
    In active preparation
    target Q4 '26
  • Data residency
    EU primary (eu-central-1)
    Optional US · per-tenant isolation
  • Incorporated
    Bern, Switzerland
    GDPR · eIDAS · ZertES
  • Responsible AI
    No training on your data
    Every API call audited
01 · Security

Where we are on SOC 2 and ISO 27001.

Both are in active preparation with a named auditor. Not yet certified. We publish the milestone status here rather than implying more than we have.

  • SOC 2 Type II
    Auditor engaged. Policies, access controls, and vendor management complete. Observation window opens Q2 '26.
    Preparing · target Q3 '26
  • ISO 27001
    ISMS documented. Internal audit scheduled for Q3 '26. Stage 1 and Stage 2 audits to follow.
    Preparing · target Q4 '26
  • Encryption
    AES-256 at rest, TLS 1.3 in transit. Per-tenant encryption keys, customer-managed option on VPC and dedicated tiers.
    Live
  • Penetration testing
    Annual third-party penetration test; remediation summaries available under NDA.
    Annual
  • Incident response
    24-hour notification SLA to primary contacts. Public post-incident summary within 5 business days for P1.
    Documented

We do not claim certifications we don't hold. If a procurement team needs a named auditor or a draft report under NDA, we can share both.

02 · Compliance

The regulations Avera is built around.

Electronic signatures, audit trails, and records retention are product features, not add-ons. Validation package provided on engagement.

  • 21 CFR Part 11
    Electronic signatures, audit trail, access controls, records retention. IQ/OQ/PQ validation package provided.
    Compliant
  • eIDAS
    Qualified electronic signatures under EU eIDAS Regulation. Signature authority verified on signer onboarding.
    Qualified
  • ZertES
    Swiss qualified electronic signatures for deployments under Swiss law.
    Qualified
  • GDPR
    EU data residency primary. DPA provided. Data processing records maintained per Article 30.
    Compliant
  • HIPAA
    BAA available for US deployments where Avera processes PHI. Roadmap to HITRUST under review.
    BAA on request

03 · Data residency

EU by default. Isolated per tenant.

Primary region is Frankfurt (eu-central-1). US region available. Three isolation tiers — the customer picks the posture that matches the data.

  • Primary region
    AWS eu-central-1 (Frankfurt). All customer data, all backups, all logs.
    EU
  • Optional US region
    AWS us-east-1 (Virginia). Available on request for US-only deployments.
    Opt-in
  • Namespace isolation
    Logical tenant separation on shared infrastructure. Default tier.
    Default
  • VPC isolation
    Dedicated VPC, dedicated compute, shared control plane. For SMEs and enterprise.
    Optional
  • Full account isolation
    Dedicated AWS account. Customer-controlled KMS keys. For enterprise and validated environments.
    Optional

04 · Responsible AI

No training. Per-item opt-in. Every call audited.

The questions every regulated buyer asks about AI — answered on the record, by default, for every tenant.

  • No training on customer data
    Avera does not use customer data to train any model. Anthropic's zero-retention inference is enforced on all Claude calls.
    Contractual
  • Per-item opt-in
    AI use is opt-in at the node level. Projects, folders, or nodes can be marked no-AI and the UI disables AI affordances on them.
    Enforced
  • Audit ledger
    Every API transmission to Anthropic is logged: node scope, prompt template ID, timestamp, human reviewer, and disposition.
    Immutable
  • Human approval gate
    AI suggestions never write directly to Core. A human must approve, revise, or reject before anything enters the system of record.
    Architectural
  • Model transparency
    Current model: Claude via MCP. Model version surfaced in the audit record for every inference.
    Surfaced

Proposals require human approval. Findings require human disposition. The AI is an assistant with a leash.

Security questionnaires

Send us your procurement questionnaire.

We'll answer it on the record, with pointers to the underlying controls. Draft SOC 2 report available under NDA.

security@avera.io