Avature Cloud Security

We care about your data as much as you do. Here’s how we ensure information security in the cloud, from the ground up.

Third-Party Accreditations

The Avature Difference

When it comes to security, what makes Avature stand out? Security is woven into our modern SaaS solutions, not tacked on as an afterthought to outdated legacy software. We design and engineer our global enterprise solutions for the cloud and we commit to our customers by offering service-level agreements. As a SaaS (Software as a Service) provider, we have been helping over 650 companies – including leading banks, retailers and technology companies – mitigate risk and meet compliance requirements for over 10 years. Our clients operate in more than 100 countries and 30 languages around the world, including in industries with strict regulations such as finance, insurance, healthcare, education and government.

You Are in Control

Our customers maintain complete control over their data while using our solutions. As your data processor, we care about your data and are responsible for its confidentiality, integrity, availability and resilience. Our emphasis on configurability allows you to design your system to comply with your needs, and to incorporate custom security measures should you require them. Our flexible configurations also mean we adapt with you as your needs evolve. There is no delay for daily tasks:

  • You create reports and configure notifications.
  • You have a complete view of historical data and past changes, including logs for individual access.
  • You assign roles and configurations so you can immediately grant access to the right level of information and modify access as your needs change. For example, you can make names or alma maters on CVs anonymous or conceal protected fields such as disability.

More Than Our Word

Every day we take exceptional measures to protect your data, without ever compromising performance. We continuously improve our solutions by employing a rapid release cycle to launch new versions biweekly. We are also constantly expanding our security certifications. We have a one platform approach so that our customers benefit from seamless integrations and centralized information, while processing data separately for superior security.

Industry Leaders Trust in Avature


of the world's 15
largest banks


of the 10 largest
tech companies


of the Forbes
Global 100


of the world's 15
largest banks


of the 10 largest
tech companies


of the Forbes
Global 100

Visit our Customers page

Some SaaS providers charge exorbitant costs to recover customer data or have a data recovery process that takes multiple weeks. We demonstrate our commitment to making your data expeditiously available by using a Service Level Agreement (SLA). We also apply the open/closed and extensibility principles in our agile approach to software development, so our solutions evolve lockstep with your needs.

Highly Scalable

Across countries and industry changes, we have the flexibility and configurability to keep growing with you. We offer over 100 standard integrations—contact us for the full list or take a look at some of the more common ones on our Partners page. As a leading provider of HCM software, every Avature instance can be accessed from anywhere in the world at any time through the internet, or restricted geographically or even by office location to meet your chosen security constraints.

Thin Client

Avature supports all common commercial browsers, including IE, Firefox, Chrome, and Safari, and is accessible from Blackberry, iOS and Android. Avature does not use Adobe Flex, Active X or Java plug-ins, so there are no special configurations required for desktop. Avature is also mobile responsive, so there are no limitations when accessing from mobile devices.

Data Backup

Avature performs a complete backup of each customer’s data through a daily incremental/differential backup and a weekly full dump backup. Backups are stored in two separate production environments and restoration functions are tested periodically.

Disaster Recovery

Each Avature instance has a replicated instance running in another Avature data center with the same security measures, providing high uptime and multi-site redundancy. In the unlikely event of a data incident, Avature provides RPOs and RTOs in its SLAs, so you know how fast you can expect to be back to full performance.

We help our customers adapt to increasingly stringent compliance, regulatory and legal requirements around the world with our high configurability and flexibility. Compliance requirements might range from GDPR in Europe, to equal opportunity employment and OFCCP in the United States, to country-specific laws such as Australia’s Privacy Act of 1988 or those regulating data in Russia. Our solutions allow for accurate and automatic collection and storage of compliance-related data, including search criteria and results. You can prompt consent before any profile is created, send reminders to stakeholders before information is erased, process records differently based on date or country, and anonymously retain or delete select types of information. Our options for duplicate management also help to ensure that all profiles of an individual are processed the same. Please see related content, below, for further information about working with GDPR or OFCCP requirements.

Please note that Avature does not collect personal data for resale, sell personal data it has collected or sell access to personal data. You can read complete details of our data privacy policy here.

While we design our portals to be accessible, we advise our customers to seek guidance from their legal counsel, as we cannot ensure configuration choices are compliant with your regulatory obligations.

We offer worldwide, controlled access hosting on our private cloud or on any Amazon Web Services (AWS) public cloud. Our applications are single tenant, so each customer selects their operating zone for the data centers that house both their primary and secondary instances of the application. We have offered these services for over 10 years, and include AWS Gov Cloud (AWS FedRAMP) among the options we are currently prepared to offer.

Avature’s Private Cloud

Avature’s private cloud model is based on NIST 800 and prevailing industry best practices. Our security architecture and proprietary SaaS tools are developed by the Avature IT and Architecture Framework Team. Our private cloud is managed by Avature’s security engineers, without third-party involvement, while being physically located in neutral co-location data centers.

Co-location Data Centers

In our private cloud, customers can choose to have their data stored in the United States, Europe or Asia. Avature hosts in Tier 3+ data centers, which means they achieve among the highest ranking in availability and security procedures. All systems are N+1 redundant and all have SOC Type 2 audit report or ISO 27001/2 certification. In addition, because Avature uses hardware encryption and our cages are locked and monitored, no data-center providers are able to access customer data.

Data Center Geographical Locations:

  • New York & New Jersey, United States
  • Amsterdam, The Netherlands
  • Frankfurt, Germany
  • Moscow, Russia
  • Shanghai, China

Separate Databases, Combined Defense

We separate data processing for different customers and their different purposes. Avature’s state-of-the-art SaaS model gives each customer their own completely separate logical instance of the application for access over the Internet.

We do not pool our data, so there is no one place where all customer information is accessible. Yet by sharing a common code base for hundreds of customers, Avature identifies problems before most customers report them. This significantly reduces the cycle time for fixes and makes it possible for Avature to deliver outstanding service to all our customers.

Mitigating Risk Through Constant Updates

We minimize risks by employing a biweekly rapid release cycle. Our uniquely configurable system enables our customers’ bespoke configurations to upgrade seamlessly alongside new releases. Each release is subjected to over 4000 tests, including checks to certify speed and tests against the top 10 OWASP threats.

A Payment Card Industry (PCI) certified third-party security company also performs a biannual penetration test and audit for our application, mobile app and network. Our customers are welcome to access those results at any time. Customers frequently exercise their right to perform pentests and audits, with one or more typically being performed by a customer at any given time.

Network Security

Avature gateways are protected by application firewalls configured to protect against Denial-of-Service (DOS) attacks. Avature runs intrusion-detection software to detect any abnormal traffic patterns and performs weekly automated network vulnerability scans of our outer perimeter across our entire IP range. We have an enabled hot patch process and are manned 24/7. The biannual pentest and audit performed by a PCI certified third-party company for our applications includes our network as well.

Zero-Trust Principle

Confidentiality, data privacy and compliance are important to all of us. Everyone at Avature participates in a formal security program, including training, background checks and use of physical security measures. We apply the zero trust principle and monitor and segment access by our own people. Avature runs the security zone where customer data is located as a separate network that is only accessible to a specially authorized segment of our employees.

Access Control

Access to your data is secure at every stage. Data moves from your browser to our servers using strong encryption and is also secured when at rest in our production environments. Access to our software is user-specific and supported by single sign-on, including two-factor authentication and biometric. Access is logged in real time and available to User Admins, who are able to manually terminate user sessions from the report. Customers can also choose additional security options such as IP whitelisting and hardware-specific certificates for authentication.

Want to Learn More About Our Security Measures?

Request Info