Security Program
Intravo maintains a written information security program designed to protect the confidentiality, integrity, and availability of customer data. The program is reviewed at least annually and updated as needed in response to changes in technology, regulation, threat landscape, and business operations.
Our security objectives are:
- Protect customer data against unauthorized access, alteration, loss, and disclosure
- Maintain the availability and reliability of our services
- Comply with applicable laws, contractual commitments, and recognized industry standards
- Continuously improve our security posture through monitoring, testing, and remediation
Infrastructure & Hosting
Intravo's production services are hosted on Amazon Web Services (AWS) in the United States. AWS maintains industry-leading certifications, including ISO 27001, SOC 1, SOC 2, SOC 3, and PCI DSS. Intravo inherits the underlying physical and environmental controls of the AWS data center facilities.
Production environments are logically separated from development and staging environments. Customer data does not flow into non-production environments except as required for narrowly scoped, authorized debugging, with appropriate safeguards.
Encryption
- In transit: All connections to Intravo's services are encrypted using TLS 1.2 or higher with modern cipher suites. HTTP traffic is automatically redirected to HTTPS.
- At rest: Customer data is encrypted at rest using AES-256 (or equivalent) at the storage and database layers.
- Secrets management: Application secrets, API keys, and credentials are stored in a managed secrets service (AWS Secrets Manager or equivalent) and are not persisted in source control.
Access Controls
- Authentication: Customer accounts support strong passwords. Single sign-on (SSO) is available via Microsoft Entra ID (Azure AD), Google, and LinkedIn.
- Multi-factor authentication (MFA): MFA is required for all Intravo personnel with access to production systems.
- Role-based access: Internal access to production systems and customer data is granted based on the principle of least privilege and the role required to perform a given function.
- Access reviews: Privileged access is reviewed periodically and revoked when no longer required.
- Provisioning & deprovisioning: Personnel access is granted upon onboarding and revoked promptly upon role change or departure.
Network Security
- Production infrastructure is deployed within Virtual Private Clouds (VPCs) with strict ingress and egress controls.
- Public-facing services are protected by Cloudflare for DDoS mitigation, web application firewall (WAF) rules, and bot management.
- Administrative interfaces are not exposed to the public internet.
- All inbound and outbound network connections are restricted by firewall rules and security groups, configured with default-deny policies.
Application Security
- Secure SDLC: Code changes follow a defined development lifecycle, including peer review and automated testing before merging.
- Dependency management: Open-source dependencies are tracked, and known vulnerabilities are remediated according to severity-based timelines.
- Static and dynamic analysis: Source code and running applications are scanned for common vulnerabilities (e.g., OWASP Top 10).
- Patch management: Operating systems, runtimes, and dependencies are patched on a regular cadence; critical vulnerabilities are prioritized for expedited remediation.
- Penetration testing: Independent third-party penetration testing is performed periodically, with findings tracked through remediation.
Logging & Monitoring
- Application, infrastructure, and security events are centrally logged.
- Operational telemetry is collected via Datadog (see Subprocessors) for application performance monitoring and alerting.
- Anomalies and security-relevant events generate alerts to on-call personnel.
- Logs are retained for an appropriate period to support investigations and compliance obligations.
Incident Response
Intravo maintains a documented incident response plan covering identification, containment, eradication, recovery, and post-incident review.
- Security events are triaged and escalated according to defined severity levels.
- For confirmed Personal Data Breaches affecting customer data, Intravo notifies affected customers without undue delay and in any event within seventy-two (72) hours of becoming aware, in accordance with our DPA.
- Post-incident reviews are conducted to identify root causes and to drive corrective and preventive actions.
Backup & Disaster Recovery
- Production databases are backed up regularly. Backups are encrypted and stored separately from primary data.
- Recovery procedures are documented and tested periodically.
- Infrastructure is deployed with redundancy across availability zones to support resilience to common failure modes.
Vendor & Subprocessor Management
Intravo conducts due diligence on subprocessors before engagement and imposes data protection and security obligations consistent with our customer commitments. The current list of subprocessors is published at intravo.com/subprocessors. Customers may subscribe to change notifications by emailing [email protected].
Personnel Security
- Background checks are conducted where lawful and appropriate.
- All personnel sign confidentiality agreements as a condition of employment or engagement.
- Security awareness training is provided at onboarding and on an ongoing basis.
- Personnel are required to use company-managed devices with disk encryption and endpoint protection for access to production systems.
Data Privacy & Retention
Intravo processes personal data on behalf of customers in accordance with the Privacy Policy and the Data Processing Addendum. Customers control retention policies for their data within the Services and may request export or deletion at any time, subject to applicable legal obligations.
Vulnerability Disclosure
Intravo welcomes responsible reports of security vulnerabilities. If you believe you have discovered a security issue, please email [email protected] with details. We commit to:
- Acknowledge receipt within 5 business days
- Investigate and respond with a status update
- Not pursue legal action against good-faith researchers who follow responsible disclosure practices and do not access or modify customer data, degrade service, or violate applicable law
A machine-readable contact is published at /.well-known/security.txt.
Certifications & Audits
We believe in being straightforward about what we have today and what we are building toward. Intravo does not currently hold a SOC 2, ISO 27001, or PCI DSS certification of its own. Our compliance and certification posture is evolving:
- SOC 2 Type II — In progress. Intravo is actively working toward a SOC 2 Type II examination. We can share our readiness status, control mapping, and target timeline under NDA on request.
- Underlying infrastructure — Production services are hosted on AWS, which independently maintains SOC 1, SOC 2, SOC 3, ISO 27001, and PCI DSS certifications. Intravo inherits AWS's physical and environmental controls but does not represent that those certifications cover Intravo's own application-layer or operational controls.
- HIPAA — Business Associate Agreements (BAAs) available on request for qualifying customers and configurations.
- GDPR / UK GDPR — addressed through our Data Processing Addendum, including the EU Standard Contractual Clauses and the UK International Data Transfer Addendum where applicable.
- CCPA / CPRA — addressed through the Service Provider terms in our DPA.
Contact Security
Security Team — Intravo
Email: [email protected]
Privacy & Compliance: [email protected]
