Legal
How Avo handles your code, keys, and data
01 Code Ownership
You own everything we write.
Every line of code, schema, and config goes into your repo from day one. We commit to your GitHub, GitLab, or Bitbucket org under your access controls.
At project close we transfer ownership of any repo, container registry, or domain we provisioned for the work. No license, no royalty, no usage cap. You can delete us and keep shipping.
03 Key and Credential Handover
Secrets you control.
API keys, OAuth credentials, and service tokens are provisioned in your name. We use your Anthropic, OpenAI, Stripe, Resend, and infrastructure accounts. You see every key in your own dashboards.
At handover we hand back any temporary credentials we created for ourselves, and you rotate them. We document every external dependency in the project README.
04 Environment Variable Management
1Password-vaulted, never in chat.
Project secrets live in a 1Password vault you control. We do not send credentials over email, Slack, or Discord. CI pipelines pull from your provider's encrypted env store, not from a checked-in file.
.env files are gitignored. Local development uses dotenv with values copied from the shared vault. Production reads from Vercel, AWS Parameter Store, or your secrets backend of choice.
05 Transport and Storage Encryption
TLS 1.3, AES-256 at rest.
Every endpoint we build defaults to HTTPS with HSTS. We do not ship plaintext HTTP routes. WebSocket connections use WSS.
Production servers we operate run full-disk encryption (LUKS on Linux). Databases are configured with TLS for client connections. Backups are encrypted before they leave the host.
06 Dependency Audits
Every build, every release.
npm audit, cargo audit, and pip-audit run in CI on every push. High and critical CVEs block merges until the affected dependency is patched or upgraded, or the finding is suppressed with justification.
We pin direct dependencies and review transitive upgrades. Lockfiles ship with every deploy.
07 Reporting a Vulnerability
If you find a vulnerability in code we shipped to you or in this site, email security@avogrowth.com. We acknowledge within 48 hours and ship a patch on a timeline proportional to severity.
We do not run a paid bug bounty, but we will credit you publicly if you would like.