Avature Cloud Security

Some SaaS providers charge exorbitant costs to recover customer data or have a data recovery process that takes multiple weeks. We demonstrate our commitment to making your data expeditiously available by using a Service Level Agreement (SLA). We also apply the open/closed and extensibility principles in our agile approach to software development, so our solutions evolve lockstep with your needs.

Highly Scalable

Across countries and industry changes, we have the flexibility and configurability to keep growing with you. We offer over 100 standard integrations—contact us for the full list or take a look at some of the more common ones on our Partners page. As a leading provider of HCM software, every Avature instance can be accessed from anywhere in the world at any time through the internet, or restricted geographically or even by office location to meet your chosen security constraints.

Thin Client

Avature supports all common commercial browsers, including IE, Firefox, Chrome, and Safari, and is accessible from Blackberry, iOS and Android. Avature does not use Adobe Flex, Active X or Java plug-ins, so there are no special configurations required for desktop. Avature is also mobile responsive, so there are no limitations when accessing from mobile devices.

Data Backup

Avature performs a complete backup of each customer’s data through a daily incremental/differential backup and a weekly full dump backup. Backups are stored in two separate production environments and restoration functions are tested periodically.

Disaster Recovery

Each Avature instance has a replicated instance running in another Avature data center with the same security measures, providing high uptime and multi-site redundancy. In the unlikely event of a data incident, Avature provides RPOs and RTOs in its SLAs, so you know how fast you can expect to be back to full performance.

We help our customers adapt to increasingly stringent compliance, regulatory and legal requirements around the world with our high configurability and flexibility. Compliance requirements might range from GDPR in Europe, to equal opportunity employment and OFCCP in the United States, to country-specific laws such as Australia’s Privacy Act of 1988 or those regulating data in Russia. Our solutions allow for accurate and automatic collection and storage of compliance-related data, including search criteria and results. You can prompt consent before any profile is created, send reminders to stakeholders before information is erased, process records differently based on date or country, and anonymously retain or delete select types of information. Our options for duplicate management also help to ensure that all profiles of an individual are processed the same. Please see related content, below, for further information about working with GDPR or OFCCP requirements.

Please note that Avature does not collect personal data for resale, sell personal data it has collected or sell access to personal data. You can read complete details of our data privacy policy here.

While we design our portals to be accessible, we advise our customers to seek guidance from their legal counsel, as we cannot ensure configuration choices are compliant with your regulatory obligations.

We offer worldwide, controlled access hosting on our private cloud or on any Amazon Web Services (AWS) public cloud. Our applications are single tenant, so each customer selects their operating zone for the data centers that house both their primary and secondary instances of the application. We have offered these services for over 10 years, and include AWS Gov Cloud (AWS FedRAMP) among the options we are currently prepared to offer.

Avature’s Private Cloud

Avature’s private cloud model is based on NIST 800 and prevailing industry best practices. Our security architecture and proprietary SaaS tools are developed by the Avature IT and Architecture Framework Team. Our private cloud is managed by Avature’s security engineers, without third-party involvement, while being physically located in neutral co-location data centers.

Co-location Data Centers

In our private cloud, customers can choose to have their data stored in the United States, Europe or Asia. Avature hosts in Tier 3+ data centers, which means they achieve among the highest ranking in availability and security procedures. All systems are N+1 redundant and all have SOC Type 2 audit report or ISO 27001/2 certification. In addition, because Avature uses hardware encryption and our cages are locked and monitored, no data-center providers are able to access customer data.

Data Center Geographical Locations:

• New York & New Jersey, United States
• Amsterdam, The Netherlands
• Frankfurt, Germany
• Moscow, Russia
• Shanghai, China

Separate Databases, Combined Defense

We separate data processing for different customers and their different purposes. Avature’s state-of-the-art SaaS model gives each customer their own completely separate logical instance of the application for access over the Internet.

We do not pool our data, so there is no one place where all customer information is accessible. Yet by sharing a common code base for hundreds of customers, Avature identifies problems before most customers report them. This significantly reduces the cycle time for fixes and makes it possible for Avature to deliver outstanding service to all our customers.

Mitigating Risk Through Constant Updates

We minimize risks by employing a biweekly rapid release cycle. Our uniquely configurable system enables our customers’ bespoke configurations to upgrade seamlessly alongside new releases. Each release is subjected to over 4000 tests, including checks to certify speed and tests against the top 10 OWASP threats.

A Payment Card Industry (PCI) certified third-party security company also performs a biannual penetration test and audit for our application, mobile app and network. Our customers are welcome to access those results at any time. Customers frequently exercise their right to perform pentests and audits, with one or more typically being performed by a customer at any given time.

Network Security

Avature gateways are protected by application firewalls configured to protect against Denial-of-Service (DOS) attacks. Avature runs intrusion-detection software to detect any abnormal traffic patterns and performs weekly automated network vulnerability scans of our outer perimeter across our entire IP range. We have an enabled hot patch process and are manned 24/7. The biannual pentest and audit performed by a PCI certified third-party company for our applications includes our network as well.

Zero-Trust Principle

Confidentiality, data privacy and compliance are important to all of us. Everyone at Avature participates in a formal security program, including training, background checks and use of physical security measures. We apply the zero trust principle and monitor and segment access by our own people. Avature runs the security zone where customer data is located as a separate network that is only accessible to a specially authorized segment of our employees.

Access Control

Access to your data is secure at every stage. Data moves from your browser to our servers using strong encryption and is also secured when at rest in our production environments. Access to our software is user-specific and supported by single sign-on, including two-factor authentication and biometric. Access is logged in real time and available to User Admins, who are able to manually terminate user sessions from the report. Customers can also choose additional security options such as IP whitelisting and hardware-specific certificates for authentication.