Contracts are vital business assets - we take security seriously

Trust Avvoka to keep your contract data secure with enterprise-grade admin management, encryption, data governance, compliance certifications and privacy protections

Enterprise-grade security for enterprise clients

ISO27001 certified

  • Continuously certified since October 2017
  • Subject to annual external audits
  • ISMS policy available here

Physical location security

  • Servers located in our clients’ core business regions (UK, Europe, USA and Australia)
  • AWS, OVH and Azure datacentres
  • Physical access is restricted from Avvoka staff

Data replication & backup

  • All production databases are subject to real-time replication
  • Hot-standby arrangement for failovers
  • Backups encrypted using AES-256


  • Minimum strength rules adhered to
  • Passwords filtered from logs and one-way encrypted using BCrypt
  • Password rotation rules can be defined

2FA and SSO

  • 2FA can be enforced company-wide
  • SSO-only enforcement rules available
  • Automatic SSO user revocation for leavers

Availability and design

  • High availability and transparent reporting
  • Adherence to secure development principles
  • Pipeline continuously tested for attacks such as CSRF, XSS, SQLI and many more

More information

Application, systems and software

Your connection to Avvoka (including API access) is secure and encrypted using HTTPS. This is the same level of encryption used by leading banks and government agencies. Your documents are also stored and encrypted at rest using AES – 256 bit encryption. Each one is encrypted with a unique initialisation vector. As an additional safeguard, each key is encrypted with a regularly rotated master key.

Annual penetration testing

Each year, the application is subject to black-box penetration testing. Only CREST-approved providers are appointed. Copies of our latest scorecard are made available to clients on request.

Reporting a vulnerability

Share the details of any suspected vulnerabilities with Avvoka’s Security Team by contacting us at

Please do not publicly disclose these details without express written consent from Avvoka. In reporting any suspected vulnerabilities, please include the following information:

  • Date the vulnerability was observed
  • Description of the vulnerability
  • Instructions to duplicate the vulnerability (this can be written steps, a video, or a set of screen captures detailing the proof of concept)
  • Your name and company (if applicable)
  • Your preferred contact information (email, phone, anonymous)
  • Your PGP to allow for encrypted communication (if available)

Additional resources