We secure our own tenant the way we secure yours.
We hand engineers production access to other people's cloud estates for a living. The bar we hold ourselves to has to be higher than what we recommend — not lower.
Last reviewed · May 2026
01 · Security contact
Report a security issue
Email security@avalonweb.services. Our PGP key is available on request if you want to encrypt your report. We acknowledge within one business day and triage within five.
Please do not test against production tenants, exfiltrate data that isn't yours, or publish details before we've had time to fix the issue. We credit good-faith reporters on the Trust Center unless asked to keep the report anonymous.
02 · Identity
How we authenticate
All Avalon team members authenticate through a single Entra ID tenant with phishing-resistant MFA (FIDO2 hardware keys or certificate-based authentication) enforced via Conditional Access. Password-only authentication is disabled. Legacy authentication protocols are blocked at the tenant edge.
We use just-in-time elevation for any privileged role and never hand a customer a long-lived global administrator credential under our own identity.
03 · Endpoint
How we run our machines
Every Avalon endpoint is enrolled in Microsoft Intune with a hardened CIS-aligned baseline: disk encryption, automatic patch compliance, Defender for Endpoint EDR enabled, USB mass-storage blocked by default, and screen-lock under five minutes. Non-compliant endpoints lose access via Conditional Access until they remediate.
04 · Customer access
How we touch your tenant
We prefer guest-account or Lighthouse-style delegated access over shared credentials. Where customer policy requires us to hold a named account, that account is bound to a single Avalon identity, fully MFA-enforced, and removed at engagement end via the customer's own IAM workflow — not ours.
Engineering work happens in customer-controlled repositories under the customer's GitHub or Azure DevOps organization wherever possible. Where Avalon is the temporary home of engagement infrastructure-as-code, we transfer ownership at hand-off and retain only audit-evidence copies under the retention schedule on the Trust Center.
05 · Secrets and evidence
What we never store
We do not store customer secrets, API keys, or production credentials in Avalon-owned systems. Engagement secrets live in customer Key Vault / Secret Manager instances under customer-owned RBAC. Evidence captured for audit purposes is redacted of credentials and scoped to the minimum needed to demonstrate the control.
06 · Monitoring
What we log
Identity, endpoint, and email events flow into a Microsoft Sentinel workspace under Avalon's tenant. We retain hot telemetry for 90 days and cold-archive for 12 months. Engagement telemetry stays in the customer's SIEM or analytics platform — we don't mirror it.
07 · Incident response
If something goes wrong
Suspected incidents that touch a customer engagement are communicated to the customer's security contact within 24 hours of confirmation, with a written timeline at 72 hours and a post-incident report within 30 days. We follow NIST SP 800-61 Rev. 2 for the response phases (preparation, detection, containment, eradication, recovery, lessons learned).
08 · Going deeper
Where to find the rest
Posture statements, sub-processors, residency, and retention schedules live on the Trust Center. Procurement and audit questions go to security@avalonweb.services.
