Avrea is ISO 27001:2022 certified
What that actually means when we run your code.

In early 2026, Avrea Ltd received its ISO 27001:2022 certification. The certification covers everything we do.
You can find the certificate, scope, and details about the certification body on our Trust page and verify it independently through IAFCertSearch.
Avrea is a drop-in replacement for GitHub Actions runners, so this certification isn't just about internal processes. It applies directly to the infrastructure that runs your code.
Why CI security is different
Most security practices focus on protecting stored data and controlling access to it.
CI is a bit different because we're not just storing your data. We're running your code on our hardware.
That changes the problem. Encrypting data at rest doesn't solve much if the environment running the code isn't secure. What really matters is the runner itself: it should start clean, run a single job, and then disappear.
That's exactly how Avrea works. Every runner is an ephemeral VM that exists only for the duration of a job. Once the job finishes, the VM is destroyed. There's no shared state between jobs — no leftover processes, no lingering files, no contamination from previous runs. Build caches are stored separately and served to new VMs on demand, so you get speed without compromising isolation.
It's built this way not because we needed to pass an audit, but because running other people's code safely demands it. The ISO certification is just independent confirmation that the surrounding controls, like access management, change tracking, supplier reviews, and incident response, are solid.
How we got certified in six months
ISO 27001 projects usually take 9–12 months. We completed ours in about six months.
The main reason is simple. We didn't have to bolt security on afterward. Most of the required practices were already part of how we build and operate.
Code is automatically scanned. New features go through a security check before release. Access is tightly scoped by default. Pull requests need to pass required checks before merging. Alerts go directly to the people responsible for the systems.
We follow these practices because they're the right way to run infrastructure that executes customer code. The audit simply verified that everything was already in place.
Starting from scratch also helped. Without legacy systems, we didn't have to untangle old habits. Instead, we could design workflows correctly from day one.
We used compliance tools for the repetitive parts like evidence collection and control monitoring, which let us focus on the areas that actually require judgment.
If you're considering Avrea
Using a CI provider means trusting them with your source code and secrets on every run. You should be able to verify how that's handled — we'd expect the same.
That's why we make everything public: the certificate, scope, and control documentation are all available on our Trust page. For most security teams, ISO 27001:2022 answers a large share of the typical vendor review questions.
See how the runners perform
The certification applies to the same infrastructure our benchmarks run on. Here's what it looks like in practice:
- Linux kernel builds 68x faster on Avrea than GitHub Actions
- Next.js builds 142x faster with Turborepo cache on Avrea
- Bazel builds 39.7x faster with remote cache on Avrea
This isn't the finish line
ISO 27001 involves annual audits and a full recertification every three years. But attackers don't follow audit schedules.
For us, security isn't a checklist. It's part of how we build and operate Avrea. Running customer code means continuously reviewing risks, tightening controls, and improving how we handle code and secrets.






