Security and Responsible Disclosure

We encrypt data in transit using TLS and at rest using provider-managed encryption. Access to production systems follows the principle of least privilege, secrets are stored in a managed vault, and we keep dependencies up to date with regular security updates.

Avocadius runs on Supabase in the EU region for database, authentication, and file storage, with edge delivery via Cloudflare and Vercel. Subprocessors are listed on our Subprocessors page.

If you believe you have found a security vulnerability in Avocadius, please email security@avocadius.com with details and reproduction steps. Please do not disclose the issue publicly until we have had at least 90 days to investigate and remediate.

We do not currently offer a paid bug bounty program. Researchers who report valid issues responsibly may, with their permission, be credited on this page.

This page was last reviewed on May 14, 2026.