Skip to main content
Avala is built for teams that handle sensitive data — medical images, proprietary sensor recordings, and pre-release product imagery. This page covers how the platform protects your data at every layer, from network transport to access control.

Data Protection

Encryption

All data in the Avala platform is encrypted both in transit and at rest.
LayerMethodDetails
In transitTLS 1.2+All API and web traffic uses HTTPS. HTTP requests are redirected to HTTPS.
At rest (Avala-managed)AES-256Data stored in Avala’s infrastructure is encrypted with AES-256 using AWS KMS managed keys.
At rest (BYOS)Your KMS keysWhen using cloud storage integration, data stays encrypted with your own KMS keys. Avala never stores a copy.
DatabaseAES-256PostgreSQL (Aurora) databases are encrypted at the volume level with AWS KMS.
BackupsAES-256Automated database backups inherit the same encryption as the primary database.

Data Residency

Avala’s primary infrastructure runs in AWS US West (Oregon) region. For teams with data residency requirements:
  • Bring Your Own Storage (BYOS): Keep data in your preferred region and cloud provider. Avala reads data directly from your bucket — no cross-region copies.
  • API metadata: Project configurations, task states, and annotation results are stored in Avala’s US-based infrastructure.
If you need data residency for annotation metadata (not just source data), contact us at support@avala.ai to discuss dedicated deployment options.

Authentication

Avala supports multiple authentication methods depending on your use case.

API Keys

API keys are the primary authentication method for programmatic access.
PropertyDetails
ScopeOrganization-level and governed by API key scopes; avoid leaving scopes empty for MCP and production automation
FormatAlphanumeric string, transmitted via X-Avala-Api-Key header
CreationMission Control > Settings > Security
RotationCreate a new key, update your integrations, then delete the old key
Rate limitingPer-key rate limits apply (see Rate Limits)
For integrations with write capability (including MCP), create narrow-scope keys and disable write/delete MCP operations unless explicitly required. 
# Using an API key with cURL
curl https://api.avala.ai/api/v1/datasets/ \
  -H "X-Avala-Api-Key: your-api-key-here"

# Using an API key with the Python SDK
from avala import Client

client = Client(api_key="your-api-key-here")
# Or set the AVALA_API_KEY environment variable and omit the parameter
client = Client()

JWT Authentication

The Mission Control web application uses JWT (JSON Web Token) authentication via Auth0.
PropertyDetails
ProviderAuth0
AlgorithmRS256 (RSA with SHA-256)
Token typeBearer token in Authorization header
ExpiryTokens expire after a configurable duration
RefreshAutomatic refresh via Auth0 session

Session Authentication

Django session authentication is available for the admin interface and internal tools. Not recommended for external integrations.

Access Control

Organization Roles

Avala uses role-based access control (RBAC) at the organization level.
RoleView DataCreate/EditManage MembersBilling & SettingsDelete Org
MemberYesYesNoNoNo
AdminYesYesYesNoNo
OwnerYesYesYesYesYes

Team Permissions

Within an organization, teams provide finer-grained access control for projects and datasets.
PermissionDescription
Project accessControl which teams can view or annotate specific projects
Dataset accessRestrict dataset visibility to specific teams
Review accessDesignate which team members can perform quality reviews
Export accessControl who can create and download annotation exports
For detailed team configuration, see Team Permissions.

Principle of Least Privilege

Follow these practices when configuring access:
  1. Use teams to scope access to relevant projects and datasets
  2. Assign the minimum role needed — use Member for annotators, Admin only for team managers
  3. Rotate API keys when team members leave or roles change
  4. Use separate API keys for different integrations (CI/CD, data pipeline, monitoring) so you can revoke independently

API Security

Rate Limiting

All API endpoints are rate-limited to prevent abuse and ensure fair usage.
TierRequests per minuteBurst limit
Standard10050 concurrent
Upload endpoints6010 concurrent
Export endpoints305 concurrent
Rate limit headers are included in every response: 
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 87
X-RateLimit-Reset: 1708700460
See Rate Limits for detailed information and best practices.

Input Validation

All API inputs are validated server-side:
  • Request body schemas are enforced via Django REST Framework serializers
  • File uploads are validated for type, size, and content
  • SQL injection, XSS, and other OWASP Top 10 vulnerabilities are mitigated through Django’s built-in protections and parameterized queries
  • CSRF protection is enabled for session-based authentication

Audit Logging

Key actions are logged for audit purposes:
EventLogged Data
API key creation/deletionUser, timestamp, key identifier
Member added/removedUser, target member, role, timestamp
Export createdUser, project, dataset, format, timestamp
Project configuration changedUser, project, changes, timestamp
Data deletionUser, dataset/item, timestamp

Cloud Storage Security (BYOS)

When using the Bring Your Own Storage model, security responsibilities are shared:
ResponsibilityAvalaYou
Annotation metadata storageYesNo
Source data storageNoYes
Source data encryptionNoYes (your KMS keys)
Bucket access policyProvides required permissionsConfigures IAM policy
Network transportTLS for API callsTLS for S3/GCS access
Data retentionAnnotation metadata onlyFull control over source data
BackupAnnotation metadata onlyFull control over source data

Minimum Permissions

When connecting a cloud storage bucket, grant only the permissions Avala needs: 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket",
        "arn:aws:s3:::your-bucket/*"
      ]
    }
  ]
}
Add s3:PutObject only if you need Avala to write exports back to your bucket. Never grant s3:DeleteObject or full s3:* access.

Network Security

ControlImplementation
HTTPS enforcementAll HTTP traffic redirects to HTTPS
HSTSStrict-Transport-Security header enabled
CDNStatic assets served via CloudFront with TLS termination
WAFWeb Application Firewall rules protect against common attack patterns
DDoS protectionAWS Shield Standard enabled on all public endpoints

Incident Response

If you discover a security vulnerability or suspect unauthorized access:
  1. Report immediately to security@avala.ai
  2. Include the affected resources, timestamps, and any relevant logs
  3. Avala’s security team will acknowledge within 24 hours and provide a remediation timeline

Compliance

StandardStatus
SOC 2 Type IIIn progress
GDPRData processing agreements available on request
HIPAAAvailable for enterprise plans with BAA
For HIPAA-regulated data, contact support@avala.ai before uploading any protected health information (PHI) to ensure your account is configured with the appropriate safeguards.

Security Checklist for New Teams

Use this checklist when onboarding your team to Avala:
StepAction
1Create an organization and set the owner
2Invite members with the minimum required role
3Create teams to scope access to specific projects
4Generate API keys for each integration (not shared keys)
5Configure cloud storage with least-privilege IAM policies
6Enable multi-stage review for sensitive annotation projects
7Document your key rotation schedule
8Review audit logs monthly for unexpected access patterns

Next Steps

Authentication

Set up API keys and start making authenticated requests.

Team Permissions

Configure teams and roles for your organization.

Cloud Storage

Connect your S3 or GCS bucket with least-privilege access.

Rate Limits

Understand API rate limits and optimize your usage.