Security by design — not compliance-checked after the fact.

AVIEL operates inside your PSP notification stack. That means we touch real customer session data and real scammer conversations — data governed by UK GDPR, processed under RIPA 2000 lawful interception provisions, and never in contact with your transaction layer. This page sets out exactly how that works.

Four non-negotiables

No fund movement — ever

AVIEL never touches the transaction layer. We operate exclusively in the communication layer. There is no path in our architecture by which AVIEL can hold, move, or redirect funds.

Conversation data encrypted in transit and at rest

AES-256 encryption at rest. TLS 1.3 in transit. Conversation data is never stored in plain text. Key management is separated from data storage.

UK GDPR compliant by design

Data processed under UK GDPR. ICO registered. DPA signed with all PSP customers before data processing begins. Lawful basis documented for every data type we handle.

RIPA 2000 compliant interception

Lawful interception conducted at PSP instruction under RIPA 2000. Legal opinion on this framework is available to Prevent customers on request. We don't hide the legal structure.

Data handling, retention and access

Data type Processing Retention Access
Customer conversation data Encrypted at rest (AES-256), TLS 1.3 in transit 90 days PSP fraud ops only, via authenticated API
Scammer fingerprint data Anonymised hash — no PII retained 6 months Cross-PSP intelligence feed (consent required per DPA)
PSP API credentials Vault-stored (HashiCorp Vault), never logged Active only — deleted on contract termination Rotated on request, automatic 90-day rotation on Prevent
Intercept event metadata Structured JSON, schema versioned 24 months (billing reconciliation) PSP account admin only

Built with SOC 2 controls in mind. Formal certification is in our roadmap for 2026. We will not claim certification before it is achieved.

Responsible disclosure

Found a vulnerability? Email [email protected] — we respond within 48 hours. PGP key available on request. We follow coordinated disclosure.

Contact security team