Security at Gavelnet.ai
Gavelnet.ai is operated by Aria Data Labs Pte. Ltd. Security and trust are foundational to our platform.
This page outlines our current controls and commitments. For legal terms, please see our Terms of Use and Privacy Policy.
Last updated: 7 September 2025
Our Security Commitments
- Defence in depth: Multiple layers of controls across infrastructure, application, and process.
- Transparency: We document our approach and respond promptly to reasonable security enquiries.
- Privacy by design: We align with the Singapore PDPA and minimise data collection where practical.
Data Protection & Encryption
- In transit: All traffic to and from Gavelnet.ai is protected with TLS (HTTPS).
- At rest: Data stored in our databases and object storage is encrypted using industry-standard algorithms (e.g., AES-256 or provider equivalent).
- Secrets management: Credentials and keys are stored securely and rotated on a defined schedule.
Identity, Access & Authentication
- Role-based access control (RBAC): Access is granted by role and least-privilege principles.
- MFA for admins: Multi-factor authentication is required for privileged accounts.
- Enterprise options: Planned support for SSO and directory integrations (e.g., Active Directory / LDAP) per customer requirements.
Infrastructure & Monitoring
- Managed cloud: Production runs on reputable cloud infrastructure with physical security and redundancy provided by the cloud vendor.
- Logging & alerting: Centralised logs, metrics, and alerts for key events and performance thresholds.
- Backups: Regular encrypted backups and tested restoration procedures for core data stores.
Application Security
- Secure development lifecycle: Code review, dependency management, and awareness of OWASP Top 10 risks.
- Vulnerability management: Regular scanning of application and dependencies; timely remediation based on severity.
- Penetration testing: Periodic third-party testing is planned and may be coordinated with enterprise clients.
Data Handling & Compliance
- PDPA alignment: We collect only what we need to deliver and improve the service and handle personal data in line with the Singapore Personal Data Protection Act.
- Data residency: Hosting regions are chosen to meet performance and regulatory expectations. Enterprise deployments can request specific regions where available.
- Customer content: For enterprise integrations (e.g., document management systems such as iManage, NetDocuments, or SharePoint), data access is scoped to the customer’s tenancy and permissions.
Incident Response
- Monitoring & triage: We monitor for anomalous activity and follow runbooks for investigation and containment.
- Notification: In the event of a data incident affecting customers, we will notify impacted parties without undue delay and provide updates as we learn more.
- Post-incident review: We document root cause and corrective actions to prevent recurrence.
Third-Party Vendors
- Due diligence: We assess material vendors for security posture and contractual safeguards.
- Minimum necessary: Data shared with service providers is limited to what is required to deliver the service (e.g., hosting, email, analytics).
Customer Responsibilities
- Protect login credentials and enable MFA where available.
- Limit user permissions to least privilege within your organisation.
- Report suspected security issues to us promptly.
Responsible Disclosure
We welcome reports from security researchers acting in good faith. If you believe you’ve found a vulnerability, please email security@ariadatalabs.com with details and reproduction steps. Do not publicly disclose issues until we have confirmed and addressed them. We do not authorise testing that degrades service or accesses other customers’ data.
Contact the Security Team
For security questions, vendor due diligence, or enterprise enquiries, contact security@ariadatalabs.com or info@ariadatalabs.com.
© 2025 Aria Data Labs Pte. Ltd. | Operator of Gavelnet.ai. All rights reserved.