SECURITY

Authority at every layer.
By design.

Avrentis is built for organisations where every approval carries weight. Security is not a feature bolted on later — it is the structural premise of the platform. Here is exactly what that means, layer by layer.

Book a security reviewRead the stack →
TRUST POSTURE

Four foundations. Each built in at the deepest level — not just something the app tries to do.

Your data is yours — always

Each customer's workspace is walled off from every other, directly inside the database. Not a rule we enforce with the app — a rule enforced by the database engine itself. There is no path from one customer's session to another's.

Real authority, not just a role label

Roles don't just hide buttons — they decide what every single action is allowed to do. Plus a second layer of rules on top: who can approve what, within which department, up to what amount. Checked on every click.

Every action is permanent

Every submission, approval, question, and role change is recorded. Nobody can edit the record after the fact — not us, not your administrator, not even the database's top-level user. The history is the history.

Access that keeps up with your people

When someone joins, they get what their role requires — automatically, from your identity system. When someone leaves or changes role, their access ends within seconds. Auditors and board-level guests get a clear start date and expiry.

LAYER 01

Isolation

Your data is yours — no other customer can ever see it. Enforced by the database itself, not just by the app.

Every tenant-scoped query runs inside a transactional context that sets a Postgres session variable. Row-level security policies on every table match on that variable before returning a row. The bypass path requires a per-process randomized secret, so a developer can't accidentally hit cross-tenant data from a forgotten `db.query()`.

  • Postgres RLS policies applied to every tenant-scoped table
  • `withTenantContext(tenantId, fn)` — the only way to run tenant-scoped SQL
  • `withBypassRLS` requires a randomized per-request token (no static secret)
  • Drizzle migrations are gated by a safety check that blocks policy drops
tenant isolation · database layer
POSTGRES SESSION · PER-REQUEST
-- every tenant-scoped query runs inside this wrap
withTenantContext(tenantId, async () => {
SET LOCAL app.tenant_id = '{tenantId}';
SELECT * FROM vouchers; -- RLS-enforced
})
Tenant A182 vouchers · 47 users
Tenant B94 vouchers · 22 users
A bare db.query() without tenant context is blocked at the database.
LAYER 02

Authority

Two layers of control: what your role lets you do in general, and what's allowed for this specific request — in this specific department, at this specific amount.

RBAC determines the set of capabilities a role can exercise — a fine-grained permission system with clean separation between administrative and operational capability. ABAC then evaluates the specific request: can the submitter approve their own document, is the Head of Department acting within their department, does the amount exceed their threshold.

  • A fine-grained permission system with clean separation between administrative and operational capability
  • Separation of duties — submitters cannot approve their own requests
  • Department scope — Heads of Department act only on their own department
  • Amount thresholds — high-value requests auto-escalate to the MD
role-based authority · attribute overlays
PERMISSION MATRIX · EXCERPTFine-grained permissions · multi-role
CAPABILITYSTAFFHODFINMDADM
Raise voucher / PO
Approve as HOD
Finance review
MD sanction
Change a role
Export audit bundle
Separation of duties — the submitter of a voucher cannot also approve it. Enforced in the state machine, not at the UI.
LAYER 03

Session integrity

When a role changes or a user leaves, their active sessions are invalid within seconds.

Every active session is checked against a revocation signal on every request. A role change, deactivation, password change, access expiry, or tenant-wide revocation forces re-authentication on the next request. Two-factor sign-in uses standard time-based codes with secured recovery codes. Per-tenant IP allowlisting (both IPv4 and IPv6) is available as a hard sign-in gate.

  • Active sessions end within seconds of a role change, deactivation, or password change
  • Two-factor sign-in with recovery codes; required for platform administrators
  • Per-tenant IP allowlist (IPv4 and IPv6) available as a hard sign-in gate
  • Single sign-on via SAML and OpenID Connect, with sensitive tokens encrypted at rest
session revocation · identity controls
SESSION REVOCATION · LIVE
Role changed · Amaka Bello
14:32:08 UTC
Previous · Finance
New · HOD
12 active sessions revoked in 0.8s · next request forces re-auth
REVOKED ON
Role changed
Account deactivated
Password changed
Access expiry hit
Tenant-wide revocation
LAYER 04

Audit trail

Every action, permanent. Every export, regulator-ready.

The audit log records actor, role, action, entity, IP, user-agent, and payload for every meaningful event. Role changes and board-access lifecycle events have their own dedicated immutable trails. Database triggers block UPDATE and DELETE on audit rows — the only way to remove them would be to drop the table, which requires DDL that is not granted to the application user.

  • Every approval, query, and role change written to an append-only log
  • Dedicated trail for role changes, capturing who changed what and why
  • Board-access lifecycle fully tracked — provisioning, approval, expiry, renewal, revocation
  • One-click regulator-ready export for any period
immutable audit trail · role-change log
AUDIT TRAIL · PV-2026-0184IMMUTABLE
14:42:17Adaeze O.MD
sanctioned
entity · PV-2026-0184 · IP 154.113.x.x · via web
14:29:03Tunde A.Finance
approved
entity · PV-2026-0184 · IP 154.113.x.x · via web
11:05:41Kemi L.Staff
submitted
entity · PV-2026-0184 · IP 154.113.x.x · via web
Database triggers block UPDATE and DELETE on audit rows. Not even a platform administrator can edit history.
LAYER 05

Access lifecycle

People come and go — access keeps up. Joiners get what they need; leavers lose access within seconds.

User provisioning flows in automatically from your identity provider (Okta, Microsoft Entra, Google Workspace). Auditor and board-level guests get a clear start date and expiry — access is withdrawn on the dot without manual clean-up. Document retention follows your plan; the audit trail itself is never purged while the account is active.

  • Automated user provisioning (SCIM) with Okta, Microsoft Entra, and Google Workspace
  • Time-bound access for auditors and provisional board members, with automatic revocation
  • Per-plan document retention, with the audit trail itself never purged
  • Attachments served through short-lived, per-upload URLs
access lifecycle · SCIM provisioning
USER · AUDIT ACCESS
Temidayo A. · External Auditor
temidayo@ext-auditors.com
ACCESS GRANTED
2026-04-01
EXPIRES
2026-05-15 · auto-revoke
PROVISIONED VIA
SCIM 2.0 · Okta
LAYER 06

Encryption & infrastructure

Encrypted from your browser all the way to our database — and again on top of that, for the most sensitive pieces like two-factor codes and single sign-on tokens.

All traffic is encrypted with modern TLS. The application database is managed PostgreSQL with encryption at rest and automated daily snapshots. Sensitive application secrets — two-factor codes, single sign-on tokens — are encrypted again at the application layer before being written, so even a database leak would not expose them. Attachments live in encrypted object storage and are delivered through short-lived, per-upload URLs.

  • Modern TLS in transit, with strict browser-side policies
  • Managed PostgreSQL with encryption at rest and daily snapshots
  • Application-layer encryption on top for sensitive secrets (AES-256-GCM)
  • Encrypted object storage with short-lived, per-upload delivery URLs
encryption · platform infrastructure
PLATFORM STACK
BrowserModern TLS · strict browser-side policies
Edge / appAutoscaling compute · secure session cookies · bot protection
DatabaseManaged Postgres · encrypted at rest · daily snapshots
SecretsApplication-layer AES-256-GCM for 2FA and SSO
Object storageEncrypted · short-lived per-upload delivery URLs
COMPLIANCE POSTURE

Honest about what we are — and what we’re working toward.

Avrentis does not hold formal SOC 2 or ISO 27001 certifications today. The platform is built with the controls that those frameworks measure — access, audit, encryption, change-management — and we can walk you through each one on a security review.

SOC 2Controls aligned

The platform's access, audit, change-management, and encryption controls are designed to meet SOC 2 Type II criteria. A formal audit has not been completed yet.

ISO 27001Controls aligned

Information-security management practices follow the ISO 27001 Annex A control families relevant to a SaaS operator. Formal certification is not in place today.

GDPR & NDPRDesigned-for

Data-subject rights (access, rectification, deletion, export) are supported through the audit-log export and admin tooling. A DPA is available for signature on request.

RESPONSIBLE DISCLOSURE

Found a vulnerability? Submit a responsible-disclosure report. We triage within two business days and welcome good-faith research. A DPA and sub-processor list are available on request.

QUESTIONS YOUR SECURITY TEAM WILL ASK

Direct answers — the kind you’ll want to forward to your CISO.

Who at Avrentis can access our data?

No Avrentis engineer can read customer data by default. Platform administrators can be granted time-bound, audit-logged access to a specific tenant for support purposes — every action is written to the same immutable audit trail the customer sees.

What happens when someone leaves our organisation?

Deactivation revokes active JWTs via Redis within seconds. If deprovisioned over SCIM, this happens automatically when your IdP marks the user inactive. Their historical actions remain in the audit trail — the record is preserved, not deleted.

Can we export everything — for an auditor, regulator, or migration?

Yes. The audit-trail export bundles every approval, signature, query, and role change for any period into a regulator-ready file. Document PDFs and attachments are exported alongside. You own your data; we don't hold it hostage.

Do you support SSO and SCIM?

Yes — SAML 2.0 and OIDC for SSO, SCIM 2.0 for provisioning. Tested against Okta, Microsoft Entra, and Google Workspace. Client secrets and tokens are encrypted with AES-256-GCM at rest.

Where is our data hosted and can it stay in a specific region?

Today, the platform runs on managed infrastructure primarily hosted in the EU, with a global edge network in front. Dedicated in-country or in-region hosting is available on request as part of an enterprise engagement.

Can we sign a Data Processing Agreement?

Yes. A DPA is available on request for any enterprise engagement. Contact us and we'll send the current version.

Do you have a responsible disclosure policy?

Yes. Security researchers can report vulnerabilities to security@avrentis.com. We triage within two business days and do not pursue legal action against good-faith researchers following standard responsible-disclosure practice.

Got a question we haven’t answered?
Talk directly with our team — we respond within one business day.
Book a security review

Your organisation’s decisions deserve better than an email thread.

Join the organisations across Africa that have replaced paper, email, and assumption with structure, authority, and permanent record.

Start your 14-day trialBook a personalised demo →

14 days. No credit card required. Setup takes less than 10 minutes — your first approval can happen today.

Pan-African platformEnterprise-grade security99.9% uptime SLAData protection compliant