Security & Compliance

Last Updated: December 2, 2025

1. Overview

At LAVT Supply, security and compliance are foundational to the AV Management Suite platform. We implement industry-leading security practices to protect your data and maintain your trust.

2. Data Security Measures

2.1 Encryption

  • Data in Transit: All data transmitted to and from the Service is protected with TLS 1.2 or higher
  • Data at Rest: Sensitive data, including passwords, OAuth tokens, and payment information, is encrypted with AES-256
  • Database Encryption: PostgreSQL database connections use SSL/TLS
  • Backup Encryption: All backup data is encrypted both in transit and at rest

2.2 Multi-Tenant Data Isolation

  • Row-Level Security (RLS): PostgreSQL RLS ensures complete data isolation between tenant accounts
  • Automatic Tenant Filtering: All database queries are automatically scoped to the authenticated tenant
  • Session-Based Context: Tenant context is set at the session level to prevent cross-tenant data access
  • Subdomain Isolation: Each tenant receives a unique subdomain for additional security
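The three mechanisms above (PostgreSQL RLS, automatic tenant filtering, and session-level tenant context) fit together as shown in the following PostgreSQL script. This is an added illustration, not the AV Management Suite schema or code: the `av_assets` table, the `app_user` role, the `app.current_tenant` setting name and the tenant UUIDs are all constructed for the example.

```sql
-- Added example (not the AV Management Suite schema): PostgreSQL row-level
-- security keyed on a per-transaction tenant setting. Table, role, setting
-- name and UUIDs are constructed for illustration.

CREATE TABLE av_assets (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    name      text NOT NULL
);

-- The role the application connects as. It is deliberately neither the table
-- owner nor a superuser: owners skip RLS unless FORCE is set, and superuser /
-- BYPASSRLS roles skip it unconditionally, so "automatic" filtering only holds
-- for a role that is subject to the policy.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON av_assets TO app_user;
GRANT USAGE ON SEQUENCE av_assets_id_seq TO app_user;

ALTER TABLE av_assets ENABLE ROW LEVEL SECURITY;
ALTER TABLE av_assets FORCE ROW LEVEL SECURITY;   -- apply to the owner as well

-- One policy covers reads (USING) and writes (WITH CHECK). NULLIF turns an
-- unset or cleared setting into NULL; NULL = anything is not true, so a
-- session with no tenant context sees and writes nothing rather than
-- everything (fail closed). It also avoids a cast error on an empty string.
CREATE POLICY tenant_isolation ON av_assets
    USING      (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid);

-- Per-request pattern: the tenant id comes from the authenticated session, and
-- set_config(..., is_local => true) scopes it to this transaction, so a pooled
-- connection cannot carry tenant A's context into tenant B's next request.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_tenant', '11111111-1111-4111-8111-111111111111', true);
INSERT INTO av_assets (tenant_id, name)
    VALUES ('11111111-1111-4111-8111-111111111111', 'Projector, Room 101');
SELECT id, name FROM av_assets;   -- 1 row: the projector
COMMIT;

BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_tenant', '22222222-2222-4222-8222-222222222222', true);
INSERT INTO av_assets (tenant_id, name)
    VALUES ('22222222-2222-4222-8222-222222222222', 'Display, Lobby');
SELECT id, name FROM av_assets;   -- 1 row: the display; tenant 1111... rows are invisible
COMMIT;

-- A write tagged with another tenant's id is rejected by WITH CHECK with
-- "new row violates row-level security policy", even though app_user holds
-- INSERT on the table. This statement is expected to error.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_tenant', '11111111-1111-4111-8111-111111111111', true);
INSERT INTO av_assets (tenant_id, name)
    VALUES ('22222222-2222-4222-8222-222222222222', 'wrong-tenant row');   -- ERROR
ROLLBACK;

-- Missing context fails closed: with no tenant set, the query returns 0 rows.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM av_assets;   -- 0
COMMIT;
```

Run it with `psql` as a superuser against a scratch database; the third transaction intentionally fails and is rolled back. The two things a reviewer of such a setup checks are the ones the comments call out: that the application connects as a role that is actually subject to the policy (not a superuser, not `BYPASSRLS`, and with `FORCE ROW LEVEL SECURITY` if it owns the tables), and that the tenant setting is transaction-local so that connection pooling cannot leak context between requests.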

2.3 Access Controls

  • Role-Based Access Control (RBAC): Granular permissions based on user roles
  • Multi-Factor Authentication (MFA): Available through Azure AD integration
  • Single Sign-On (SSO): Support for Azure AD and Microsoft authentication
  • Session Management: Automatic session timeout and secure session handling
  • Password Policies: Strong password requirements enforced

2.4 Network Security

  • Firewalls: Network-level firewalls protect infrastructure
  • DDoS Protection: Cloudflare/CDN protection against distributed attacks
  • Rate Limiting: API rate limiting prevents abuse
  • IP Whitelisting: Optional for Enterprise customers

3. Application Security

3.1 Secure Development Practices

  • Code Reviews: All code changes undergo peer review
  • Security Testing: Regular security scans and penetration testing
  • Dependency Scanning: Automated scanning for vulnerable dependencies
  • OWASP Top 10: Protection against common web vulnerabilities

3.2 Vulnerability Management

  • Regular security updates and patches
  • Vulnerability disclosure program
  • 24-hour response time for critical vulnerabilities
  • Automated monitoring for security threats

3.3 Input Validation and Sanitization

  • Protection against SQL injection attacks
  • Cross-Site Scripting (XSS) prevention
  • Cross-Site Request Forgery (CSRF) protection
  • Command injection prevention

4. Infrastructure Security

4.1 Cloud Infrastructure

  • Hosting: Vercel (frontend), enterprise-grade cloud infrastructure (backend)
  • Database: Managed PostgreSQL with automatic backups
  • Redundancy: Multi-availability zone deployment
  • Disaster Recovery: Automated backups with point-in-time recovery

4.2 Monitoring and Logging

  • Real-Time Monitoring: 24/7 system monitoring and alerting
  • Audit Logs: Comprehensive audit trails of all data changes
  • Security Logs: Authentication attempts, access logs, security events
  • Log Retention: Audit logs retained for 7 years for compliance

4.3 Backup and Recovery

  • Backup Frequency: Continuous replication + daily snapshots
  • Backup Retention: 30 days of daily backups
  • Recovery Testing: Regular disaster recovery drills
  • RTO/RPO: 4-hour Recovery Time Objective, 1-hour Recovery Point Objective

5. Compliance and Certifications

5.1 Current Compliance

  • GDPR: General Data Protection Regulation compliance for EU data
  • CCPA: California Consumer Privacy Act compliance
  • ESIGN Act: Electronic signature compliance via Adobe Sign integration

5.2 In Progress

  • SOC 2 Type II: Audit in progress (expected completion Q2 2026)
  • ISO 27001: Information Security Management System certification planned

5.3 Data Processing Agreement

We offer a Data Processing Agreement (DPA) for customers requiring GDPR compliance. See our DPA page for details.

6. Employee Security

6.1 Personnel Practices

  • Background Checks: All employees undergo background screening
  • Security Training: Regular security awareness training
  • Confidentiality: All employees sign confidentiality agreements
  • Access Reviews: Quarterly access reviews and privilege audits

6.2 Access Management

  • Principle of least privilege for employee access
  • Multi-factor authentication required for all internal systems
  • Immediate access revocation upon termination
  • Audit trails for all administrative actions

7. Incident Response

7.1 Incident Response Plan

We maintain a formal incident response plan including:

  • Detection: 24/7 monitoring and alerting systems
  • Containment: Immediate isolation of affected systems
  • Investigation: Forensic analysis and root cause determination
  • Remediation: Fix vulnerabilities and restore normal operations
  • Notification: Customer notification within 72 hours for data breaches

7.2 Breach Notification

In the event of a security breach affecting your data, we will:

  • Notify you without undue delay (within 72 hours)
  • Describe the nature and scope of the breach
  • Explain measures taken to address the breach
  • Provide recommendations to protect affected individuals
  • Cooperate with investigations and regulatory requirements

8. Third-Party Security

8.1 Vendor Management

  • Security assessments for all third-party vendors
  • Data processing agreements with all subprocessors
  • Regular vendor security reviews
  • See our Subprocessor List for details

8.2 Key Subprocessors

  • Stripe: PCI-DSS Level 1 certified payment processor
  • Microsoft Azure: ISO 27001, SOC 2 certified cloud provider
  • Adobe Sign: ESIGN Act compliant e-signature service
  • Vercel: SOC 2 certified hosting platform

9. Customer Security Responsibilities

9.1 Shared Responsibility Model

Security is a shared responsibility. While we secure the platform, you are responsible for:

  • Account Security: Protecting your login credentials
  • User Management: Managing user access and permissions
  • Data Classification: Properly classifying and handling sensitive data
  • Compliance: Ensuring your use complies with applicable laws
  • Updates: Keeping contact information current for security notifications

9.2 Best Practices

  • Enable multi-factor authentication
  • Use strong, unique passwords
  • Regularly review user access and permissions
  • Train employees on security awareness
  • Promptly report suspicious activity

10. Security Reporting

10.1 Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly:

Security Team

Email: support@lavtsupply.com

PGP Key: Available upon request

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Your contact information

We commit to acknowledging your report within 24 hours and providing a resolution timeline within 5 business days.

10.2 Security Incidents

To report a security incident or suspicious activity:

Security Incidents

Email: support@lavtsupply.com

Emergency (Enterprise): +1 (XXX) XXX-XXXX

11. Continuous Improvement

We are committed to continuously improving our security posture through:

  • Regular security assessments and penetration testing
  • Participation in security research and industry forums
  • Implementation of emerging security technologies
  • Customer feedback and security suggestions

This Security & Compliance documentation was last updated on December 2, 2025.