Designed for client-owned data from the start.

Tenant-scoped data access is enforced server-side.

Civxis-to-Avoras provisioning is signed, timestamped, and idempotent.

Payment provider secrets stay in Civxis backend services.

Browser sessions use HTTP-only cookies; mobile uses bearer-session foundations.

Operational setup and workflow actions are designed for audit trails.