Zero-trust networking
- All service-to-service communication is mutually authenticated (mTLS) and encrypted.
- Identities are issued by SPIFFE; no IP-based allowlists.
- Layer-3-to-7 network policies enforced at the kernel via Cilium eBPF.
/ trust & security
Security is the baseline, not a feature.
Most platforms treat security as an add-on. We treat it as the only acceptable starting position. This page documents what's true today, what's on audit, and what's planned.
Architecture for security
Runtime defense
- Tetragon (eBPF) monitors every kernel syscall in production workloads.
- If an application attempts a prohibited operation — shell escape, restricted memory access — the signal is killed in the kernel before execution.
- All denials are auditable.
Supply chain
- Every container image is signed by Cosign at build time.
- Talos nodes are configured to refuse unsigned images via admission control.
- Builds run inside Kata-isolated, rootless BuildKit microVMs — hostile by assumption.
Hard tenancy
- On bare metal, every tenant runs inside a Cloud Hypervisor microVM. Hardware-level isolation, no shared kernel.
- On public cloud, we use hardened native containers with user namespaces and Tetragon enforcement — provider-grade isolation.
Encryption
| Type | Status | Detail |
|---|---|---|
| In transit (customer endpoints) | Shipped | TLS 1.3 default. Let's Encrypt for public services. |
| Service-to-service (in-cluster) | Shipped | WireGuard tunnels via Cilium ClusterMesh. |
| At rest (block storage) | Roadmap (post-MVP) | LUKS on Avahana metal; cloud-vendor SSE on cloud fleet. |
| Customer-managed keys (CMEK / BYOK) | Roadmap (Sovereign tier first) | HashiCorp Vault integration; key rotation managed by customer. |
Compliance roadmap
DPDP Act (India)By GA
GDPR (EU)By GA — DPA already available
SOC 2 Type IIAudit post public beta
ISO 27001After SOC 2
HIPAAOn request — Sovereign tier
PCI DSSOut of scope (use a payment processor)
Incident response & SLA
- Status page: status.avahana.ai (provisioning).
- All P0/P1 incidents trigger an automatic public post-mortem within 7 days. No spin.
- Customer-impacting events surface in-product and via email.
- SLA targets are tier-specific and published in each tier's contract.
Reach security
- Vulnerability disclosure: security@avahana.ai (GPG key on request).
- We do not run a paid bug bounty yet. We do answer disclosures within one business day.
- We will not threaten or pursue researchers who follow good-faith disclosure.