How we earn the keys to your tenant.
Avalon Web Services is a boutique cloud partner. Our buyers — and the auditors and procurement teams behind them — expect the same posture transparency they would demand from a Tier-1 firm. This page is that posture, in plain language.
Last reviewed · May 2026
01 · Certifications
Where we stand on third-party attestations
| Attestation | Status | Notes |
|---|---|---|
| CMMC Registered Practitioner (RP) | In progress | Application underway via The Cyber AB. Co-founder Arif Ali Mughal is the RP candidate; an RPO designation for the firm will follow. |
| SOC 2 Type I | In progress | Target attestation window: H2 2026. Scoped to Avalon's own engagement environment. |
| ISO/IEC 27001 | Planning | Scoped to follow SOC 2 attestation. Arif holds the ISO 27001 Lead Implementer credential. |
We surface attestation status before badges are earned. If a buyer requires a current attestation we don't yet hold, we'll tell you on the first call rather than the eleventh.
02 · Framework alignment
Frameworks our delivery is built against
| Framework | Status | How it shows up in delivery |
|---|---|---|
| NIST SP 800-171 Rev. 2 / Rev. 3 | Aligned | Readiness engagements cover the full catalog: the 110 requirements of Rev. 2, which CMMC Level 2 currently assesses against, and the 97 consolidated requirements of Rev. 3 (with its organization-defined parameters) for buyers tracking the newer revision. |
| NIST SP 800-172 | Aligned | Enhanced controls layered on top of 800-171 when DIB engagements call for them. |
| NIST CSF 2.0 | Aligned | Our preferred boardroom translation layer. |
| CIS Controls v8.1 | Aligned | Default SMB hardening baseline behind our M365 work. |
| HIPAA Security Rule | Engagement-ready | We deliver HIPAA-scoped AWS and Azure environments under a Business Associate Agreement. |
| DFARS 252.204-7012 / -7019 / -7020 / -7021 | Engagement-ready | Surfaced inside CMMC Level 1 and Level 2 readiness sprints. |
03 · Sub-processors
Who else touches data on your behalf
We keep our internal stack deliberately small. The following sub-processors support Avalon's own operations and may, in the course of an engagement, process limited engagement metadata (contact details, support requests, telemetry).
| Vendor | Purpose | Region |
|---|---|---|
| Microsoft (Microsoft 365, Azure, Entra ID, Defender XDR, Sentinel) | Productivity, identity, endpoint, SIEM, and primary client delivery cloud. | US |
| Netlify | Static hosting and edge delivery for avalonweb.services. | US |
| Resend | Transactional email (contact form, workbook delivery). | US |
| GitHub | Source control, CI/CD, infrastructure-as-code repositories. | US |
| Plausible Analytics | Privacy-preserving web analytics. Cookie-free; no PII collected. | EU |
We notify customers under active engagement of material sub-processor changes by email at least 30 days before they take effect, except where a security incident requires faster action.
04 · Data residency
Where customer and engagement data lives
Avalon's own corporate tenant is hosted in US Microsoft 365 and Azure regions. Engagement environments are deployed into the client's tenant in the region the client selects: typically US-East or US-Central for North American clients, EU-Central for European clients, and a country-specific region wherever a regulatory or contractual requirement pins data to a jurisdiction (EU data-residency commitments under GDPR, CUI handling under DFARS 252.204-7012, or residency terms written into a HIPAA Business Associate Agreement).
We do not move customer-controlled data out of the client's tenant for our own operational convenience. Engagement deliverables — runbooks, SSPs, evidence packages — live in the client repository or document store unless the customer explicitly requests otherwise.
05 · Retention
How long we keep what we collect
Inbound inquiries (contact form submissions, lead-magnet downloads): retained for 24 months, then purged. At the 18-month mark we ask active leads to re-confirm their interest; records that are not re-confirmed are purged at 24 months.
Engagement artifacts: retained for the engagement duration plus 36 months so that audit evidence stays available, then archived offline or destroyed per the customer's instruction.
Operational logs (CI/CD, IaC state, support email): 90-day hot retention; 12-month cold archive; destroyed thereafter.
06 · Vulnerability disclosure
If you find a security issue, we want to hear about it
Email security@avalonweb.services with a description of the issue, reproduction steps, and any proof-of-concept material. We acknowledge receipt within one business day, share a triage assessment within five business days, and credit reporters on this page once an issue is fixed (unless the reporter prefers anonymity).
Please give us reasonable time to remediate before public disclosure, and do not access data that isn't yours, degrade service for other users, or run automated scans against production.
07 · Insurance
Coverage we maintain
Avalon maintains Errors & Omissions, Cyber Liability, and General Liability coverage scoped to the engagement profile of a boutique advisory firm. Certificates of Insurance are available under NDA to customers engaged in a paid scoping or delivery engagement — request them through sales@avalonweb.services.
08 · Questions
Procurement, security, or audit questions
Send security and audit questionnaires to security@avalonweb.services. Send commercial, contracting, and DPA questions to sales@avalonweb.services. We respond to both within one business day.
