Aviator runs in some of the most security-sensitive engineering organizations in the world. We treat the protection of your source code, your metadata, and your audit trail as a first-class engineering problem, not a checkbox.
Certifications & compliance
- SOC 2 Type II — audited annually by an independent third party. Reports available on request to existing and prospective customers under NDA.
- GDPR — Aviator processes personal data on behalf of our customers as a data processor under the EU GDPR and UK GDPR.
- HIPAA — available on request for customers operating in regulated healthcare environments.
Up-to-date reports, sub-processor lists, and certificates live on our Trust Center.
Access controls
- SAML / OIDC-based single sign-on for all customer plans that support it.
- Granular role-based access control at the workspace, repository, and queue level.
- Just-in-time, time-bounded production access for Aviator engineers.
- Comprehensive, exportable audit logs of every privileged action.
Data protection
- Encryption in transit (TLS 1.2+) and at rest (AES-256) by default.
- Tenant isolation at the database row level; no shared application secrets across tenants.
- Customer-managed encryption keys available on enterprise plans.
- Annual penetration testing by third-party security firms.
Deployment options
Aviator can run as a managed SaaS in our hardened multi-tenant environment, in a dedicated single-tenant environment, or fully on-prem inside your own cloud account. The on-prem bundle ships as a small set of containers with no outbound calls except where you opt in. See the on-prem installation guide for details.
Incident response
- 24/7 on-call rotation with documented severity ladders.
- Customer notification within 72 hours of any confirmed material incident.
- Post-mortems shared with affected customers, with root cause and remediation.
Responsible disclosure
Found something we should know about? Email security@aviator.co with a description of the issue, steps to reproduce, and your assessment of its impact. We respond within one business day and credit researchers who follow coordinated disclosure.
More information
- Trust Center — live status, reports, and sub-processors
- Security documentation — deep dives into architecture, data handling, and on-prem deployment
- Status page — uptime and incident history