Last updated: May 15, 2026
AvaTok is operated by AvaGlobal International, Inc., a Delaware corporation at 131 Continental Drive, Suite 305, Newark, DE 19713, US. This policy combines our Trust & Safety rules (what is and isn't allowed, how moderation works) and our Security posture (how we protect your data and respond to incidents) so creators, viewers, and security researchers can find both in one place.
1. ALLOWED USE
AvaTok is a platform for paid creator work. Coaching, tutoring, consulting, mentorship, performance, education, live commerce, and general-interest content are all welcome. The platform does not exist to host static publishing or anonymous chat — every product surface (live streaming, 1:1 sessions, group sessions, marketplace, live tipping) involves payment from viewers to creators and a real human on each side.
2. PROHIBITED CONTENT & BEHAVIOR
The following are not permitted anywhere on AvaTok — listings, streams, sessions, profiles, chat, or DMs. Severity and enforcement vary as noted.
- Sexual content involving minors, or content that could reasonably be read as targeting minors. Zero tolerance: account termination on first confirmed report, balance held pending review, escalation to law enforcement where applicable.
- Sexually explicit adult content, regardless of viewer age. AvaTok is not the platform for that work; listings and accounts are removed.
- Threats, doxxing, stalking, harassment, or coordinated abuse. Permanent ban on first confirmed report.
- Sale of regulated or controlled substances through any product surface, including live commerce. Listings removed, account suspended, referred to authorities where required.
- Fraud — chargeback farming, fake bookings, account takeovers, payment-rail abuse. Account suspended, funds held pending investigation, reported to Stripe.
- Hate speech, content inciting violence, or terrorist content. Account terminated.
- Copyright infringement. Handled per the DMCA takedown process below.
- Misrepresentation — impersonating another person or organization, misleading credentials, false outcome promises.
3. AGE GATE
Every creator and viewer must be at least 18. Creators are KYC-verified at onboarding via Stripe Identity. Viewers attest at sign-up and are verified on flag. If we determine through any signal that a participant is under 18, the account is terminated, any balance is held pending review, and the case is escalated to law enforcement where applicable. There is no warning step for this.
4. MODERATION
AvaTok runs a layered moderation system rather than a single moderator-per-stream model:
- Pre-publication checks. Listings, profile photos, channel art, and uploaded videos are screened by automated content classifiers before reaching the public marketplace.
- Live-stream sampling. Short frames are sampled from live broadcasts at a configurable cadence and classified. Streams that exceed risk thresholds are surfaced to a human moderator queue in real time.
- User reporting. Every paid session and listing has a Report button. Reports are triaged inside 24 hours; clear policy violations are closed inside 72 hours.
- Trust signals. Repeat reports, refund patterns, chargebacks, and KYC failures feed a per-account trust score that controls which features the account can use.
5. REPORTING
Three paths, depending on the kind of issue:
- In-product report from the session toolbar or the kebab menu on a listing / profile. Fastest path for policy violations on a specific surface.
- Trust & safety email: trust@avatok.ai. Use this for anything that needs context the in-product reports can't carry — DMCA, legal threats, off-platform safety issues, urgent harm.
- Legal: legal@avatok.ai for DMCA notices, subpoenas, contract issues, GDPR/CCPA data requests.
We acknowledge reports within 24 hours. Imminent-harm cases are prioritized; mark the subject line URGENT.
6. DMCA TAKEDOWN PROCESS
AvaTok complies with the Digital Millennium Copyright Act. A facially valid takedown notice must include: identification of the copyrighted work, the URL(s) of the allegedly infringing material, a good-faith statement that the use is unauthorized, a statement under penalty of perjury that you are the rights holder or authorized agent, your contact information, and your physical or electronic signature.
Send to legal@avatok.ai with subject DMCA takedown. We acknowledge inside 24 hours. Counter-notices are handled per the statutory procedure.
Repeat infringers — three confirmed strikes in a rolling 12-month window — are terminated under our repeat-infringer policy.
7. APPEALS
If you believe a moderation decision was wrong, reply to the close-out email. A second human reviewer takes a fresh look. We change decisions when we're wrong; we don't change them under pressure when we aren't.
8. SECURITY POSTURE
The platform is built on tooling that defaults to safe rather than safe-after-configuration. The current posture:
- Encryption in transit. All web traffic is HTTPS-only with HSTS and TLS 1.2+ negotiated; mixed content is blocked.
- Encryption at rest. Application data is stored in Supabase Postgres with encryption-at-rest on the underlying volumes. Storage buckets are encrypted server-side.
- Row-level security (RLS). Every user-owned Postgres table has RLS enabled. Reads and writes from the application are scoped per-user; administrative operations use a separate service-role path explicitly.
- KMS-backed secrets. All API keys (Stripe, Brevo, OpenAI, etc.) live in Vercel's encrypted environment store and are never committed to the repo or rendered to the client bundle.
- Payment isolation. AvaTok does not see your card number. Stripe Elements collects the card data directly in an isolated iframe; we receive a token, not a PAN.
- Identity verification. KYC is handled by Stripe Identity. We see the verification result, not the underlying ID document or selfie.
- Bot protection. Auth endpoints are protected by Cloudflare Turnstile; rate-limiting on sensitive endpoints (login, password reset, contact form, signup) sits in Upstash Redis.
- Audit logs. Sensitive operations (KYC submission, payout request, password change, content takedown) are logged with actor, timestamp, and IP. Logs are retained for 12 months in production.
9. ACCESS CONTROLS
Access to production data is restricted to a small set of named engineers via single-sign-on with hardware MFA. Vendor access is least-privilege scoped, time-bounded, and revoked when the engagement ends. We do not grant production database access to anyone outside the operating company.
10. INCIDENT RESPONSE
If we identify a security incident that may impact user rights or data:
- Assess the scope, contain the issue, and remediate.
- Notify affected users without undue delay, and in any case within 72 hours where required by GDPR or analogous law.
- Notify relevant regulatory authorities where required.
- Publish a post-mortem with timeline, root cause, and remediation for material incidents.
To report a security vulnerability privately, email security@avatok.ai. We do not currently run a paid bug bounty but we acknowledge and credit responsible disclosure.
11. SUBPROCESSORS & INTERNATIONAL TRANSFERS
AvaTok uses a defined set of subprocessors to operate the platform — including Supabase (database, storage), Vercel (hosting), Cloudflare (CDN, DNS, security), Stripe (payments and identity), Brevo (email), Clerk (authentication), Stream Video (live and 1:1 calls), Upstash (Redis cache + queue), and PostHog EU (analytics). Each is bound by a Data Processing Agreement.
Personal data is processed in the United States, the European Union, and where subprocessors operate. International transfers rely on Standard Contractual Clauses or equivalent approved mechanisms where required.
12. RETENTION
Account profile data is retained for the life of the account. Transaction data is retained for 7 years to satisfy US financial reporting requirements; the rest is removed on account deletion (subject to a 30-day grace window for restoration). Audit logs are retained for 12 months.
13. UPDATES
We update this policy when our practices change. Material changes are summarized at the top of the page with a new effective date.
14. CONTACT
Trust & safety: trust@avatok.ai
Security disclosures: security@avatok.ai
Legal / DMCA: legal@avatok.ai
General: support@avatok.ai
