Security

How we protect your data and our infrastructure

Effective Date: 1 February 2026

Bennovate takes the security of your data seriously. This page describes the technical and organisational measures we employ to protect the Avantwerk platform, partner data, and client information. Security is foundational to everything we build.

1. Infrastructure Security 2. Data Encryption 3. Access Control 4. Application Security 5. Network Security 6. Data Processing & Sub-Processors 7. Incident Response 8. Business Continuity 9. Compliance & Certifications 10. Employee Security 11. Vulnerability Management 12. Your Responsibilities 13. Contact Us

1. Infrastructure Security

The Avantwerk platform is hosted on enterprise-grade cloud infrastructure provided by our technology partners. Our infrastructure security measures include:

Cloud Hosting

Hosted on Google Cloud Platform (GCP) and Amazon Web Services (AWS) with SOC 2, ISO 27001, and GDPR-compliant data centres.

Geographic Redundancy

Data is replicated across multiple availability zones to ensure high availability and disaster recovery.

Physical Security

All data centres employ 24/7 security personnel, biometric access controls, CCTV surveillance, and environmental controls.

DDoS Protection

Cloudflare enterprise-grade DDoS mitigation and Web Application Firewall (WAF) protect all endpoints.

2. Data Encryption

All data is encrypted both in transit and at rest using industry-standard encryption protocols.

In Transit: All communications use TLS 1.2 or higher. We enforce HTTPS across all services and API endpoints. HSTS headers are enabled on all domains.
At Rest: Data stored in databases and file systems is encrypted using AES-256 encryption. Encryption keys are managed through cloud-native key management services (KMS) with automatic rotation.
Backups: All backups are encrypted using AES-256 and stored in geographically separate locations from primary data.

3. Access Control

We implement strict access control policies based on the principle of least privilege.

Role-Based Access Control (RBAC): Access to systems and data is granted based on job function and business need. Permissions are reviewed quarterly.
Multi-Factor Authentication (MFA): MFA is mandatory for all internal systems, administrative access, and partner dashboard logins.
Single Sign-On (SSO): Available for enterprise partners and internal systems.
Session Management: Automatic session timeout after periods of inactivity. Concurrent session limits are enforced.
Audit Logging: All access to sensitive data and administrative actions are logged and monitored. Logs are retained for a minimum of 12 months.

4. Application Security

Security is integrated into every stage of our software development lifecycle.

Secure Development: All code undergoes peer review before deployment. Security-focused code reviews are conducted for sensitive components.
OWASP Top 10: Our development practices address the OWASP Top 10 security risks, including injection attacks, cross-site scripting (XSS), and broken authentication.
Dependency Scanning: Automated scanning of third-party libraries and dependencies for known vulnerabilities.
Input Validation: All user inputs are validated, sanitised, and parameterised to prevent injection attacks.
API Security: All API endpoints require authentication via OAuth 2.0 or API keys. Rate limiting and throttling are enforced to prevent abuse.

5. Network Security

Our network architecture is designed with defence in depth to protect against unauthorised access and threats.

Firewalls: Network and application-layer firewalls control all inbound and outbound traffic. Default-deny policies are enforced.
Segmentation: Production, staging, and development environments are isolated from each other. Customer data is logically separated.
Intrusion Detection: Intrusion detection and prevention systems (IDS/IPS) monitor network traffic for suspicious activity around the clock.
CDN & WAF: Cloudflare provides content delivery, DDoS mitigation, and web application firewall protection for all public-facing services.

6. Data Processing & Sub-Processors

Bennovate uses a limited number of vetted sub-processors to deliver the Avantwerk platform. Each sub-processor is contractually bound to maintain appropriate security standards.

Sub-Processor	Purpose	Location
HighLevel (GoHighLevel)	Core platform infrastructure — CRM, automations, websites, funnels	United States
Google Cloud Platform	Cloud hosting, data storage, computing	EU / US
Amazon Web Services	Cloud hosting, data storage, computing	EU / US
Mailgun (Sinch AB)	Transactional and marketing email delivery	EU / US
Twilio	SMS and voice communications	United States
Stripe	Payment processing	United States
Cloudflare	CDN, DDoS protection, DNS, WAF	Global

Data transfer safeguards: Where personal data is transferred outside the EEA/UK, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions where available. All sub-processors maintain SOC 2 compliance or equivalent certifications.

7. Incident Response

Bennovate maintains a formal incident response plan to handle security events promptly and effectively.

Detection: Automated monitoring and alerting systems detect potential security incidents in real time.
Classification: Incidents are classified by severity (Critical, High, Medium, Low) with defined response times for each level.
Response: Our incident response team follows documented procedures for containment, investigation, and remediation.
Notification: In the event of a data breach affecting personal data, we will notify the relevant supervisory authority (ICO for UK data) within 72 hours as required by UK GDPR. Affected individuals will be notified without undue delay where the breach poses a high risk to their rights and freedoms.
Post-Incident Review: All significant incidents undergo a post-mortem review to identify root causes and implement preventive measures.

8. Business Continuity

Our business continuity and disaster recovery plans ensure service availability and data integrity.

Uptime Target: 99.9% platform availability, monitored continuously.
Automated Backups: Daily automated backups with point-in-time recovery capability. Backups are tested regularly.
Disaster Recovery: Documented disaster recovery procedures with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
Redundancy: Critical services are deployed across multiple availability zones with automatic failover.

9. Compliance & Certifications

Bennovate and our infrastructure partners maintain compliance with major security and data protection standards.

GDPR (EU) 2016/679

Full compliance with the General Data Protection Regulation for EU data subjects.

UK GDPR & DPA 2018

Compliance with UK data protection legislation, including the Data Protection Act 2018.

SOC 2 Type II

Our core infrastructure providers (GCP, AWS, Stripe) maintain SOC 2 Type II certification.

ISO 27001

Our hosting providers are ISO 27001 certified for information security management.

PCI DSS

Payment processing through Stripe is PCI DSS Level 1 compliant. Bennovate does not store card details.

PECR / ePrivacy

Cookie and electronic communications compliance under the Privacy and Electronic Communications Regulations.

10. Employee Security

All Bennovate team members and contractors undergo security awareness training and are bound by confidentiality obligations.

Background Checks: Pre-employment screening is conducted for roles with access to sensitive data.
Security Training: Mandatory security awareness training upon joining and annual refresher training for all personnel.
Confidentiality: All team members sign non-disclosure agreements covering confidential information and personal data.
Offboarding: Access to all systems is revoked immediately upon termination of engagement. Equipment and credentials are returned or wiped.

11. Vulnerability Management

We proactively identify and remediate security vulnerabilities across our systems.

Regular Scanning: Automated vulnerability scanning is performed on all public-facing services and internal systems on a continuous basis.
Patch Management: Critical and high-severity patches are applied within 72 hours of release. Regular patching cycles cover medium and low-severity updates.
Penetration Testing: Annual third-party penetration testing is conducted on key platform components. Findings are remediated based on severity.
Responsible Disclosure: We welcome responsible disclosure of security vulnerabilities. Please report any findings to [email protected].

12. Your Responsibilities

Security is a shared responsibility. To help keep your account and data secure, we recommend:

Strong Passwords: Use unique, complex passwords for your Avantwerk account. We recommend using a password manager.
Multi-Factor Authentication: Enable MFA on your account for an additional layer of security.
Phishing Awareness: Be vigilant against phishing attempts. Bennovate will never ask for your password via email or phone.
Access Management: Review and manage user permissions within your account regularly. Remove access for team members who no longer require it.
Report Suspicious Activity: If you notice any suspicious activity on your account, contact us immediately at [email protected].