Your data, protected
We understand that API specs and credentials are sensitive. Here's how we keep your data secure.
Encrypted at rest
All API specs, credentials, and metadata are encrypted at rest using AES-256. Your data is never stored in plaintext.
Secure credential storage
API authentication credentials (keys, tokens, passwords) are stored using industry-standard encryption. We use separate encryption keys per tenant.
Least-privilege access
Our GitHub integration requests only the minimum permissions needed to scan your repositories. We never write to your repos or access unrelated data.
Infrastructure security
Hosted on AWS with VPC isolation, encrypted connections (TLS 1.3), and regular security updates. All data stays within your region.
Audit logging
Every action in Avanamy is logged with timestamps and user attribution. Know who accessed what, when, and from where.
Role-based access control
Fine-grained permissions let you control who can view specs, manage integrations, or configure alerts. The roles are Owner, Admin, Developer, and Viewer.
What data we collect
API specifications
The OpenAPI specs you upload or that we poll from external URLs. These are versioned and stored to enable change detection and diff generation.
Code references
When scanning repositories, we store file paths, line numbers, and small code snippets (context around API calls). We do NOT store your entire codebase.
Authentication credentials
If you configure authenticated polling, we store your API credentials encrypted. These are only used to fetch specs from the URLs you specify.
Usage and analytics
Basic usage metrics (page views, feature usage) to improve the product. No personally identifiable information is shared with third parties.
Data retention
We retain your data for as long as your account is active. Version history is kept to enable historical diff analysis, which is core to Avanamy's value.
If you delete your account, all associated data (specs, credentials, code references, analysis results) is permanently deleted within 30 days.
You can export your data at any time from the settings page.
Questions about security?
We're happy to discuss our security practices in more detail. Reach out and we'll set up a call.