Privacy and Security in the Avature Cloud
Our leading technology and extensive operating experience ensure that our customer data is processed in compliance with leading privacy regulations, including GDPR, CCPA, HIPAA, PIPEDA, PIPL, APPI, and the Australian Privacy Act.
The Avature Difference
For over 15 years Avature has provided data processing services designed to advance the fundamental privacy principles of notice, choice, access, use and disclosure.
We allow our customers to define differentiated configurations of the SaaS platform to achieve compliance with their specific privacy obligations in the jurisdictions where they operate. These data controller options, when combined with our mature organizational controls, technical safeguards, and data localization capabilities, present one of the most comprehensive privacy compliant data processing options available today.
Avature, in its capacity as a data processor, maintains compliance with all major internationally binding privacy regulations, treaties, and conventions. Our robust information-security program is designed to prevent unauthorized access to customer data, and our technical architecture ensures the availability and integrity of customer data at all times.
To learn more about Avature’s approach to privacy, click here.
Certifications & Audits
Avature first achieved its ISO certification in 2017. This globally recognized, standards-based approach to security outlines Avature’s information security management system (ISMS). Avature is independently audited and assessed against this standard annually, with recertification occurring on a triennial basis.
Avature first achieved its SOC 1 certification in 2013. The SOC 1, composed of the former SAS 70 and SSAE 18 certifications, covers the technical and financial controls that could potentially impact the financial statements of customers within the context of their service relationship with Avature. The SOC 1 financial control mandates also assist Avature’s customers in meeting their compliance obligations under section 404 of the Sarbanes Oxley Act of 2002. The audit frequency for SOC 1 is annual.
Avature first achieved its SOC 2 certification in 2016. The scope of Avature’s SOC 2 covers the extent to which Avature’s systems and processes comply with the five trust principles of security, availability, processing integrity, confidentiality and privacy. These five principles are further divided into the common criteria domains of control environment, information and communication, risk assessment, monitoring activities, control activities, logical and physical access, system operations, change management and risk management. Like the SOC 1 certification, the audit frequency for this report is annual
The operations, policies, and controls at Avature are audited regularly to ensure that Avature meets and exceeds all requirements expected of a world-class technology service provider. Avature’s standard of excellence is supported by our commitment to maintaining our ISO, SOC 1 and SOC 2 certifications.
Registrations, Self-Assessment & Standards
Avature is a participant in the EU-U.S. and Swiss-U.S. Privacy Shield Framework. The privacy shield program requires organizations to self-certify and publicly commit to complying with Framework requirements for data protection and collection.
The International Association of Privacy Professionals is the world’s largest and most comprehensive global information privacy community resource. Avature has been a contributing member since 2016.
The Cloud Security Alliance (CSA) Security, Trust, Assurance and Risk (STAR) Program consolidates current information regarding our control environment into an industry-standard questionnaire known as the Consensus Assessment Security Questionnaire (CAIQ). This document provides Avature customers with an in-depth view of the Avature control environment.
Avature has been an authorized G-Cloud service provider for the UK public sector since July 2018. Our services have been approved for sale and are available through the framework’s Digital Marketplace
Avature self-certifies compliance with Payment Card Industry (PCI) Data Security Standard (DSS) requirement and uses PCI Security Standards Council (SSC) Approved Vulnerability Scanning (AVS) Vendors to periodically test the Avature platform.
Avature complies with the National Institute of Standards and Technology (NIST) 800-171 standard for the protection of Controlled Unclassified Information (CUI) in nonfederal information systems and organizations, as well as the NIST Cybersecurity Framework (CSF).
Avature follows the Open Web Application Security Project (OWASP) standards for secure coding practices and has established internal systems development lifecycle controls (SDLC) to ensure compliance.
Avature has also partnered with the cloud security experts at Veracode. Working with our security and development teams, Veracode provides Avature multiple security analysis technologies and tools aimed at reducing risk across our application landscape. Security assessments include static analysis, dynamic analysis, mobile application behavioral analysis and software composition analysis.
Avature has initiated a HIPAA compliance program and completed a self-assessment, ensuring that adequate controls exist for saving, accessing and sharing individual medical and personal information.
Avature has satisfied all requirements to become fully registered on the FSQS supplier qualification system, as set out by participating buying organizations. The FSQS Registered Mark is valued by some of the largest purchasers in the financial sector and indicates that Avature has gone through the process required to demonstrate its commitment and credentials to the industry.
Industry Leaders Trust in Avature
of the world's 15
largest banks
of the 10 largest
tech companies
of the Forbes
Global 100
Built on a Foundation of Confidence and Compliance
Availability
Avature has consistently met its target data availability for the past five years.
Thin Client Access
Only a browser is needed to access the Avature platform. Avature supports all common commercial browsers, including Microsoft Edge, Firefox, Chrome and Safari, and is accessible from iOS and Android browsers. As Avature does not use Adobe Flex, Active X or Java plug-ins, there are no special configurations required for desktop use. Avature’s UI is also mobile responsive, ensuring a seamless and restriction-free mobile experience.
Backup & Recovery
To minimize the risk of data loss in the event of a primary data failure, Avature performs a complete backup of each customer’s data on both a daily (i.e., incremental/differential backup) and weekly (i.e., full dump backup) basis. Backups are encrypted and stored in two separate production environments, and restoration functions are tested periodically. Off-site storage is provided by AWS S3 and Glacier.
Disaster Recovery
As Avature instances come in pairs, each customer instance has a replica hosted in an alternative data center. Near real-time wide-area replication keeps the replica in sync, and provides an alternative instance for slow query shunting and report generation. In the unlikely event of a data center failure, users are directed to the replica (which becomes the primary production instance), and a new replica is created. This application-level fail-safe simplifies the disaster recovery process and ensures that both Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) can be met.
Physical Security & Hosting
We offer hosting on the Avature Private Cloud or on the Amazon Web Services (AWS) public cloud. In either case, customers can choose the region for the data centers that house and process their data.
Cloud Hosting: Public & Private
Avature’s private cloud is operated out of carrier neutral colocation data centers in the United States, Europe and Asia.
Our providers include Equinix, Telehouse, Digital Reality and Internap. All our data centers are Tier 3+ rated data centers, which means they are N+1 redundant and are major peering points for the Internet. These are highly secure facilities. In addition to SOC 2 audit reporting and ISO 27001/2 certification, all facilities have perimeter fencing, biometric access controls, video surveillance and security staff on site. In these data centers, Avature not only operates its own hardware and networks, but contracts with multiple IP Tier 1 (i.e., backbone) and Tier 2 (i.e., metro) carriers for low global and regional latency.
For customers preferring a branded public cloud, Avature hosts globally on Amazon Web Services (AWS). With the exception of mainland China, Avature customers are free to select the geographic zones of AWS that will house both their primary and secondary instances. For those customers tasked with meeting the U.S. government compliance requirements (i.e., FedRAMP, CJIS, ITAR, EAR, DOD, etc.), we also host on AWS GovCloud.
Data Center Locations:
- New York and New Jersey, United States
- Amsterdam, The Netherlands
- Frankfurt, Germany
- Moscow, Russia
- Shanghai, China
Network Security
Avature gateways are protected by application firewalls configured to defend against Denial-of-Service (DOS) attacks. We run intrusion-detection software to identify any abnormal traffic patterns, as well as perform weekly automated network vulnerability scans of our outer perimeter across the entirety of our IP range. We have an enabled hot patch process, and are manned 24/7. A biannual penetration test is performed by a PCI certified third-party company for our applications, and includes our network as well.
Accessibility
Understanding the importance of providing the best experience we can for all users, Avature’s web accessibility program is designed to deliver an inclusive, broad and unified user experience. Avature provides solutions that are compliant with the Web Content Accessibility Guidelines (specifically the WCAG 2.0, Level AA), thereby allowing our customers to use commonly available assistive technologies to access and use our portal framework and the solutions built upon it. Not only do we continuously evaluate accessibility, but the Avature design studio helps our customers design accessible careersites and landing pages (e.g., advising on color patterns), and supports them by providing testing and accessibility audits. While we engineer our portals to be accessible to all users, we do advise our customers to seek guidance from legal counsel on matters of accessibility, as we cannot ensure individual configuration choices are compliant under the regulatory obligations of each customer’s respective legal jurisdiction.
Application Security
Low Risk Design
Avature’s state-of-the-art SaaS single tenant software model gives each customer their own completely separate logical instance of the application. As we do not pool customer data, and there is no universal access point, we do not run the risk of mixing the data of one customer with another. With a shared common code base for hundreds of customers, we easily identify defects before most customers report them. Our high frequency micro-release software development lifecycle (HF-SDLC) allows us to make updates promptly without having to resort to hotfixes. This ensures that fixes are not only made faster, but with less risk. Additionally, whether transiting from your browser to our server, or at rest in production environments, your data is always protected through strong or full disk encryption.
Role-Based Access Control
Security access at Avature is role-based, and supports both single sign-on (SAML) and multi-factor authentication (MFA). As access is logged in real-time, system admins are authorized to both observe and manually terminate active user sessions should the need arise. As there are no predefined roles in Avature, permission schemes allow customers to define and assign users to specific groups, roles and privileges, ensuring data access and processing control can be finely segmented across the entirety of a customer’s user population. Additional security features such as IP whitelisting, hardware-based certificate authentication and field specific encryption for sensitive data (i.e., SSNs) provide customers with an industry-leading application security experience.
Journaling
Avature’s in-application journal logs user activities within the application, including user login history, successful and failed login attempts (with both remote IP and timestamp) and data changes in records, workflow configuration changes and security settings configuration changes.
Built-in Security Testing
Each Avature release is subjected to over 10,000 tests, including tests against the top 10 OWASP threats, as well as a complete set of performance benchmark tests.
Periodic Third-Party Testing
A Payment Card Industry (PCI) certified third-party security company performs a biannual penetration test for our application, mobile app and network. Our customers are welcome to request access to those results at any time.
Customer Testing
At Avature we allow our customers to perform their own application vulnerability tests against a copy of their configured instance in a quarantined environment. The data is obfuscated and our customers can contract third-party testing companies to perform the work. It is typical for our customers to conduct multiple tests each quarter.
Operational Security & Compliance
Zero-Trust Principle
Confidentiality, data privacy and compliance form the backbone of our operational security framework. As such, everyone at Avature participates in a formal security program founded on the “zero trust” principle. Prior to the start of employment – and as a condition of employment – all employees undergo a comprehensive background check centered on education, personal references, previous employers and any current/prior criminal records in accordance with local law. All employees and consultants are required to sign a confidentiality agreement, as well as participate in Avature’s ongoing security/compliance training. In adherence with “least privilege” best practices, we also apply role-based access permissions to segregate employee duties and limit access to sensitive data.
Compliance Support
We help our customers adapt to increasingly stringent compliance, regulatory and legal requirements around the world with our high configurability and flexibility. Compliance requirements might range from General Data Protection Regulation (GDPR) in Europe, to equal opportunity employment and Office of Federal Contract Compliance Programs (OFCCP) in the United States, to country-specific laws such as Australia’s Privacy Act of 1988 or those regulating data in Russia. Our solutions allow for accurate and automatic collection and storage of compliance-related data, including search criteria and results. Customers can prompt consent before any profile is created, send reminders to stakeholders before information is erased, process records differently based on date or country and anonymously retain or delete select types of information. Our comprehensive set of options for duplicate management also helps to ensure that all individual profiles are uniformly processed. Please see related content, below, for further information about working with GDPR or OFCCP requirements.
Avature has consistently met its target data availability for the past five years.
Thin Client Access
Only a browser is needed to access the Avature platform. Avature supports all common commercial browsers, including Microsoft Edge, Firefox, Chrome and Safari, and is accessible from iOS and Android browsers. As Avature does not use Adobe Flex, Active X or Java plug-ins, there are no special configurations required for desktop use. Avature’s UI is also mobile responsive, ensuring a seamless and restriction-free mobile experience.
Backup & Recovery
To minimize the risk of data loss in the event of a primary data failure, Avature performs a complete backup of each customer’s data on both a daily (i.e., incremental/differential backup) and weekly (i.e., full dump backup) basis. Backups are encrypted and stored in two separate production environments, and restoration functions are tested periodically. Off-site storage is provided by AWS S3 and Glacier.
Disaster Recovery
As Avature instances come in pairs, each customer instance has a replica hosted in an alternative data center. Near real-time wide-area replication keeps the replica in sync, and provides an alternative instance for slow query shunting and report generation. In the unlikely event of a data center failure, users are directed to the replica (which becomes the primary production instance), and a new replica is created. This application-level fail-safe simplifies the disaster recovery process and ensures that both Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) can be met.
We offer hosting on the Avature Private Cloud or on the Amazon Web Services (AWS) public cloud. In either case, customers can choose the region for the data centers that house and process their data.
Cloud Hosting: Public & Private
Avature’s private cloud is operated out of carrier neutral colocation data centers in the United States, Europe and Asia.
Our providers include Equinix, Telehouse, Digital Reality and Internap. All our data centers are Tier 3+ rated data centers, which means they are N+1 redundant and are major peering points for the Internet. These are highly secure facilities. In addition to SOC 2 audit reporting and ISO 27001/2 certification, all facilities have perimeter fencing, biometric access controls, video surveillance and security staff on site. In these data centers, Avature not only operates its own hardware and networks, but contracts with multiple IP Tier 1 (i.e., backbone) and Tier 2 (i.e., metro) carriers for low global and regional latency.
For customers preferring a branded public cloud, Avature hosts globally on Amazon Web Services (AWS). With the exception of mainland China, Avature customers are free to select the geographic zones of AWS that will house both their primary and secondary instances. For those customers tasked with meeting the U.S. government compliance requirements (i.e., FedRAMP, CJIS, ITAR, EAR, DOD, etc.), we also host on AWS GovCloud.
Data Center Locations:
- New York and New Jersey, United States
- Amsterdam, The Netherlands
- Frankfurt, Germany
- Moscow, Russia
- Shanghai, China
Network Security
Avature gateways are protected by application firewalls configured to defend against Denial-of-Service (DOS) attacks. We run intrusion-detection software to identify any abnormal traffic patterns, as well as perform weekly automated network vulnerability scans of our outer perimeter across the entirety of our IP range. We have an enabled hot patch process, and are manned 24/7. A biannual penetration test is performed by a PCI certified third-party company for our applications, and includes our network as well.
Understanding the importance of providing the best experience we can for all users, Avature’s web accessibility program is designed to deliver an inclusive, broad and unified user experience. Avature provides solutions that are compliant with the Web Content Accessibility Guidelines (specifically the WCAG 2.0, Level AA), thereby allowing our customers to use commonly available assistive technologies to access and use our portal framework and the solutions built upon it. Not only do we continuously evaluate accessibility, but the Avature design studio helps our customers design accessible careersites and landing pages (e.g., advising on color patterns), and supports them by providing testing and accessibility audits. While we engineer our portals to be accessible to all users, we do advise our customers to seek guidance from legal counsel on matters of accessibility, as we cannot ensure individual configuration choices are compliant under the regulatory obligations of each customer’s respective legal jurisdiction.
Low Risk Design
Avature’s state-of-the-art SaaS single tenant software model gives each customer their own completely separate logical instance of the application. As we do not pool customer data, and there is no universal access point, we do not run the risk of mixing the data of one customer with another. With a shared common code base for hundreds of customers, we easily identify defects before most customers report them. Our high frequency micro-release software development lifecycle (HF-SDLC) allows us to make updates promptly without having to resort to hotfixes. This ensures that fixes are not only made faster, but with less risk. Additionally, whether transiting from your browser to our server, or at rest in production environments, your data is always protected through strong or full disk encryption.
Role-Based Access Control
Security access at Avature is role-based, and supports both single sign-on (SAML) and multi-factor authentication (MFA). As access is logged in real-time, system admins are authorized to both observe and manually terminate active user sessions should the need arise. As there are no predefined roles in Avature, permission schemes allow customers to define and assign users to specific groups, roles and privileges, ensuring data access and processing control can be finely segmented across the entirety of a customer’s user population. Additional security features such as IP whitelisting, hardware-based certificate authentication and field specific encryption for sensitive data (i.e., SSNs) provide customers with an industry-leading application security experience.
Journaling
Avature’s in-application journal logs user activities within the application, including user login history, successful and failed login attempts (with both remote IP and timestamp) and data changes in records, workflow configuration changes and security settings configuration changes.
Built-in Security Testing
Each Avature release is subjected to over 10,000 tests, including tests against the top 10 OWASP threats, as well as a complete set of performance benchmark tests.
Periodic Third-Party Testing
A Payment Card Industry (PCI) certified third-party security company performs a biannual penetration test for our application, mobile app and network. Our customers are welcome to request access to those results at any time.
Customer Testing
At Avature we allow our customers to perform their own application vulnerability tests against a copy of their configured instance in a quarantined environment. The data is obfuscated and our customers can contract third-party testing companies to perform the work. It is typical for our customers to conduct multiple tests each quarter.
Zero-Trust Principle
Confidentiality, data privacy and compliance form the backbone of our operational security framework. As such, everyone at Avature participates in a formal security program founded on the “zero trust” principle. Prior to the start of employment – and as a condition of employment – all employees undergo a comprehensive background check centered on education, personal references, previous employers and any current/prior criminal records in accordance with local law. All employees and consultants are required to sign a confidentiality agreement, as well as participate in Avature’s ongoing security/compliance training. In adherence with “least privilege” best practices, we also apply role-based access permissions to segregate employee duties and limit access to sensitive data.
Compliance Support
We help our customers adapt to increasingly stringent compliance, regulatory and legal requirements around the world with our high configurability and flexibility. Compliance requirements might range from General Data Protection Regulation (GDPR) in Europe, to equal opportunity employment and Office of Federal Contract Compliance Programs (OFCCP) in the United States, to country-specific laws such as Australia’s Privacy Act of 1988 or those regulating data in Russia. Our solutions allow for accurate and automatic collection and storage of compliance-related data, including search criteria and results. Customers can prompt consent before any profile is created, send reminders to stakeholders before information is erased, process records differently based on date or country and anonymously retain or delete select types of information. Our comprehensive set of options for duplicate management also helps to ensure that all individual profiles are uniformly processed. Please see related content, below, for further information about working with GDPR or OFCCP requirements.
