Security by design — not compliance-checked after the fact.
AVIEL operates inside your PSP notification stack. That means we touch real customer session data and real scammer conversations — data governed by UK GDPR, processed under RIPA 2000 lawful interception provisions, and never in contact with your transaction layer. This page sets out exactly how that works.
Four non-negotiables
No fund movement — ever
AVIEL never touches the transaction layer. We operate exclusively in the communication layer. There is no path in our architecture by which AVIEL can hold, move, or redirect funds.
Conversation data encrypted in transit and at rest
AES-256 encryption at rest. TLS 1.3 in transit. Conversation data is never stored in plain text. Key management is separated from data storage.
UK GDPR compliant by design
Data processed under UK GDPR. ICO registered. DPA signed with all PSP customers before data processing begins. Lawful basis documented for every data type we handle.
RIPA 2000 compliant interception
Lawful interception conducted at PSP instruction under RIPA 2000. Legal opinion on this framework is available to Prevent customers on request. We don't hide the legal structure.
Data handling, retention and access
| Data type | Processing | Retention | Access |
|---|---|---|---|
| Customer conversation data | Encrypted at rest (AES-256), TLS 1.3 in transit | 90 days | PSP fraud ops only, via authenticated API |
| Scammer fingerprint data | Anonymised hash — no PII retained | 6 months | Cross-PSP intelligence feed (consent required per DPA) |
| PSP API credentials | Vault-stored (HashiCorp Vault), never logged | Active only — deleted on contract termination | Rotated on request, automatic 90-day rotation on Prevent |
| Intercept event metadata | Structured JSON, schema versioned | 24 months (billing reconciliation) | PSP account admin only |
Built with SOC 2 controls in mind. Formal certification is on our roadmap for 2026. We will not claim certification before it is achieved.
Responsible disclosure
Found a vulnerability? Email [email protected] — we respond within 48 hours. PGP key available on request. We follow coordinated disclosure.