Skip to main content

Security Overview One-pager

This document provides a high-level overview of Mavaro Systems LLC's security posture, architecture, and compliance standards.

Hosting & Architecture Snapshot

Cloud Infrastructure:

  • Primary Provider: AWS with multi-region deployment
  • Architecture: Containerized microservices on Kubernetes (EKS)
  • CDN: CloudFlare for global content delivery and DDoS protection
  • DNS: Route 53 withDNSSEC enabled and domain-level security
  • Regions: Primary (US-East), Secondary (EU-West), Disaster Recovery (US-West)

Network Architecture:

  • VPC Configuration: Multi-AZ deployment with private/public subnets
  • Load Balancing: Application Load Balancers with SSL termination
  • API Gateway: AWS API Gateway for external API access
  • WAF: Web Application Firewall withOWASP Top 10 protection
  • Network Segmentation: Strict network isolation between environments

Encryption Standards & Implementation

Data Encryption:

  • At Rest: AES-256 encryption for all stored data
  • In Transit: TLS 1.3 for all communications
  • Database: Transparent Data Encryption (TDE) for all databases
  • Object Storage: Server-side encryption with customer-managed keys
  • Backup Encryption: AES-256 encrypted backups with separate key management

Key Management:

  • Hardware Security Modules (HSM): AWS CloudHSM for key generation and storage
  • Key Rotation: Automated 90-day rotation for encryption keys
  • Certificate Management: Automated SSL/TLS certificate management via AWS Certificate Manager
  • Secrets Management: HashiCorp Vault for application secrets and API keys

Backups & DR/BCP Procedures

Backup Strategy:

  • Automated Backups: Daily full backups, hourly incremental
  • Retention Policy: 30-day rolling backups, 7-year retention for audit requirements
  • Geographic Distribution: Backups stored in multiple AWS regions
  • Testing: Monthly backup restoration testing and verification

Disaster Recovery/Business Continuity:

  • RTO (Recovery Time Objective): 4 hours for critical services
  • RPO (Recovery Point Objective): 1 hour for all production data
  • Failover Procedures: Automated failover to secondary region
  • BCP Testing: Quarterly DR drills and annual full-scale BCP testing
  • Communication Plan: Automated incident communication system

Access Controls & Authentication

Multi-Factor Authentication (MFA):

  • Required for All: MFA mandatory for all system access
  • Methods: FIDO2/WebAuthn preferred, TOTP and SMS backup
  • Hardware Keys: Required for administrative and production access
  • Biometric: Biometric authentication where supported

Identity & Access Management:

  • Single Sign-On (SSO): SAML 2.0 integration with Okta
  • Role-Based Access Control (RBAC): Granular role-based permissions
  • Just-In-Time Access: Temporary elevated access for specific tasks
  • Regular Reviews: Quarterly access reviews and certification

Monitoring & Alerting Systems

Security Information & Event Management (SIEM):

  • Platform: Splunk Enterprise Security for log aggregation and analysis
  • Real-time Monitoring: 24/7 monitoring with automated threat detection
  • Alerting: Tiered alerting system with escalation procedures
  • Forensic Analysis: Automated forensic data collection and preservation

Infrastructure Monitoring:

  • Performance Monitoring: Datadog for application and infrastructure monitoring
  • Security Scanning: Continuous vulnerability scanning with Rapid7 InsightVM
  • Penetration Testing: Annual third-party penetration testing
  • Compliance Monitoring: Automated compliance checks and reporting

Data Residency & Jurisdiction

Data Location:

  • Primary Storage: United States (AWS US-East region)
  • Secondary Storage: European Union (AWS EU-West region)
  • CDN Edge Locations: Global CloudFlare network
  • Backup Storage: Cross-region backup distribution

Regulatory Compliance:

  • Data Residency: Compliant with US and EU data residency requirements
  • Privacy Laws: GDPR and CCPA compliant data handling procedures
  • Industry Standards: SOC 2 Type II and ISO 27001 compliance
  • Data Transfer: Standard Contractual Clauses for international data transfers

Compliance Posture & Attestations

Certifications & Standards:

  • SOC 2 Type II: Annual audit with continuous monitoring
  • ISO 27001: Information security management system certification
  • PCI DSS: Compliance for payment processing capabilities
  • HIPAA: Healthcare data protection where applicable

Third-Party Audits:

  • Annual Pen Testing: Independent security assessments
  • Quarterly Vulnerability Assessments: Automated and manual testing
  • Monthly Compliance Reviews: Internal compliance verification
  • Vendor Security Reviews: Annual third-party security assessments

Shared Responsibility Model

Mavaro Systems Responsibilities:

  • Application security and code vulnerability management
  • Customer data encryption and access controls
  • Infrastructure patching and security updates
  • Incident response and security event management
  • User access provisioning and authentication

Customer Responsibilities:

  • User credential management and MFA configuration
  • Data classification and sensitivity labeling
  • Integration security and API key management
  • Incident notification and escalation
  • Compliance requirements for their end users

Third-Party Provider Responsibilities:

  • Cloud infrastructure security (AWS)
  • Content delivery security (CloudFlare)
  • Identity provider security (Okta)
  • Monitoring and security tooling vendors

Document Classification: Public Security Document
Access Level: All Personnel
Last Updated: November 26, 2025
Next Review: February 26, 2026