Security & Vulnerability Disclosure

Effective date: May 12, 2026

Avaplicity, Inc. ("Avaplicity") is committed to protecting the security, integrity, and availability of our phone-first call workflows, website, optional web or iOS surfaces, and related services (the "Services"). This page describes our security posture at a high level and how to responsibly disclose security issues to us.

Contact

Security contact: privacy@avaplicity.com

For non-security inquiries, see our Privacy Policy.

Security overview

  • Hosting & network: AWS (us-east-2) with EKS for container orchestration; ALB ingress with TLS 1.2/1.3; Route53 DNS; ACM certificates.
  • Data protection: Encryption in transit (TLS) and at rest (AWS KMS). Secrets are stored in AWS Secrets Manager and synced into the cluster with External Secrets Operator. Minimal data retention for diagnostics.
  • Access control: Principle of least privilege; IAM Roles for Service Accounts (IRSA); OIDC-based CI/CD to avoid long-lived keys.
  • Application security: Non-root containers, read-only filesystems, dropped Linux capabilities, network policies with egress-only defaults, IMDS access blocked, zero-trust segmentation.
  • Change management: GitOps with ArgoCD, Kustomize overlays, progressive rollouts, zero-downtime deployment strategy, health/readiness probes, kill-switch feature flag.
  • Observability & incident response: Sentry for application errors, crashes, release health, and selected traces; Better Stack for uptime, heartbeats, private status page, and incident routing; structured logging with correlation IDs.
  • Data stores: MongoDB Atlas (primary DB); Redis for ephemeral caching and locks. Backup and restore procedures are maintained and tested periodically.
  • Optional mobile & future entitlements: optional iOS surfaces may use APNs push delivery; RevenueCat may support future subscription entitlements if paid plans launch.
  • AI & telephony providers: OpenAI (AI inference / live conversation processing, if applicable) and Twilio (telephony, call routing, callback handling, and carrier lifecycle). We configure providers to process content solely to deliver services and opt out of model training where available.
  • Analytics: PostHog for product/website analytics; LaunchDarkly for feature flags. No interest-based ad tech.

Responsible vulnerability disclosure

We welcome good-faith reports of security issues. If you believe you've found a vulnerability, please email privacy@avaplicity.com with the subject line "Vulnerability Report: [short title]" and include:

  • Impacted domain/app, endpoint or component, and environment (prod/stg if known).
  • Detailed steps to reproduce; minimal proof-of-concept; screenshots or logs.
  • Observed impact and suggested severity (CVSS v3.1 vector if you use it).
  • Your contact info for coordination.

Please do not share details publicly until we confirm a fix or provide coordinated disclosure timing.

Safe harbor (good-faith research)

If you follow the guidelines below, we will not pursue legal action or contact law enforcement regarding your research, and we will consider your testing authorized for the limited purpose of responsible disclosure:

  • Only test against assets in scope (see "Scope").
  • Avoid privacy harm: do not access, modify, or exfiltrate data that is not your own. If you inadvertently access data, stop immediately and report.
  • No service disruption: do not perform DDoS, brute-force, spam, resource exhaustion, or any testing that degrades availability.
  • No social engineering, phishing, physical intrusion, or threats of any kind.
  • No extortion or ransom demands; your communication must be in good faith.

This safe-harbor promise does not apply to actions that violate laws beyond what is necessary for legitimate testing or to testing outside the defined scope.

Scope

In scope

  • Public web properties under avaplicity.com (e.g., www.avaplicity.com).
  • Public API and agent endpoints served by Avaplicity (e.g., api.avaplicity.com, agent.avaplicity.com).
  • Telephony callback endpoints and related public API surfaces controlled by Avaplicity.
  • The Avaplicity iOS app (current App Store version and latest TestFlight build, if provided to you).

Out of scope

  • Third-party platforms and providers (e.g., AWS, OpenAI, Twilio, Apple, Google/Firebase, RevenueCat, PostHog, Sentry, Better Stack, LaunchDarkly, Vercel). Report issues to those vendors directly unless the issue stems from our configuration.
  • Denial-of-service, volumetric testing, or traffic floods.
  • Automated scanning that generates excessive traffic or alerts.
  • Social engineering, phishing, physical security testing.
  • Clickjacking on non-sensitive pages, missing low-risk headers, or version banners without proven exploitability.

Our triage & remediation process

  • Acknowledgement: We aim to acknowledge your report within 3 business days.
  • Triage: We assess severity, scope, and exploitability; we may request additional details or a safe, minimal PoC.
  • Fix & verification: We prioritize remediation by impact:

    • Critical: target fix or mitigation within 7–14 business days
    • High: within 30 days
    • Medium: within 90 days
    • Low: within 120 days

    Timelines may vary for complex dependencies; we will keep you informed.

  • Coordinated disclosure: After remediation, we can coordinate a public disclosure. We do not operate a paid bug bounty at this time but may offer a public thank-you (with your permission).

Incident response & notification

We maintain runbooks for detection, escalation, containment, and recovery. In the event of an incident that impacts user data, we will notify affected users and regulators as required by applicable law.

Additional hardening measures

  • CI/CD & supply chain: OIDC-based GitHub Actions, image signing/verification (planned), multi-stage container builds, dependency scanning, and environment-specific secrets.
  • Environment isolation: Separate namespaces and accounts for dev/staging/production; tight ingress/egress controls.
  • Monitoring & SLOs: Better Stack uptime and heartbeat monitors, private status-page components, Sentry error visibility, and alert routing.
  • Backup & recovery: Managed backups for primary data stores; periodic restore tests.
  • Least privilege & auditing: IAM roles scoped per service; CloudTrail auditing; periodic key rotation and review.

Changes

We may update this page as our security program evolves. The date at the top reflects the latest version.

Company

Avaplicity, Inc.
7775 Walton Parkway, Suite 100
New Albany, Ohio 43054
Email: privacy@avaplicity.com