Security Policy
Effective Date: April 16, 2021
ADAVICO is committed to earning, and keeping, our clients' trust. We take steps every day to implement safeguards, mitigate risks, and develop ways to improve our web applications and professional services to ensure your data is always protected.
To this end, we utilize a strong governance program, secure software development practices, and security reviews of our applications, systems, and networks.
Finally, the ADAVICO Service includes our primary web application (Production Network) and related professional services (Corporate Network). Physical, technical, and administrative controls have been implemented for both service areas in compliance with our Information Security and Risk Management Programs.
Compliance
ADAVICO's Information Security Management System (ISMS) policies and controls are aligned with AICPA Security Trust Services Criteria, ISO/IEC 27001, and NIST guidelines to protect the confidentiality, integrity, and availability of customer information from threats and vulnerabilities. We regularly conduct policy reviews and assessments with updated guidance and industry best practices as they evolve.
Industry-Based Compliance
PCI-DSS
ADAVICO does not store, process, or transmit cardholder data. If we accept payment cards for services, we use a third-party payment processor who certifies that it is compliant with the Payment Card Industry Data Security Standard (PCI-DSS).
Production Network
Data Center Physical Security
Facilities
ADAVICO hosts Service Data at multiple third-party data centers that are all ISO 27001, PCI DSS, SOC 1, and/or SOC 2 certified. The third-party data centers all have backup power, HVAC systems, and fire suppression equipment, among other environmental controls installed. Learn more about Compliance and Controls from Digital Realty, Zayo, Cologix, and Hurricane Electric.
On-Site Security
The third-party data centers ADAVICO uses to host Service Data have the following on-site security features: 24/7/365 security guards, perimeter fencing with badge-activated gates, CCTV with 90-day surveillance, and dual authentication with mantraps and/or other security features. Learn more about Physical Security from Digital Realty, Zayo, Cologix, and Hurricane Electric.
Data Hosting Location
The third-party data centers ADAVICO uses are in multiple locations throughout the United States, including Dallas, TX (Digital Realty), Atlanta, GA (Zayo), Newark, NJ (Cologix), and Fremont, CA (Hurricane Electric).
By request, customers can choose to locate their Service Data in Canada, Europe, or Asia Pacific.
Network Security
Dedicated Security
Data Center security teams are on call 24/7 to respond to security alerts and events. Alerts and events are researched and resolved in a timely manner.
Protection
Our Production Network is protected against compromise or attack using a combination of secure, least-privileged administrator access, physically isolated customer application and database services, limited network services to minimize attack vectors, firewall protection, and external monitoring services that alert our personnel of service disruptions or attack. Periodic user reviews are performed to validate only appropriate personnel have access based on their direct responsibilities.
In addition, all servers are hardened by disabling unnecessary ports, removing default passwords, and utilizing a base configuration image to ensure consistency across the environment.
Network Vulnerability Scanning
Data Centers are periodically scanned to ensure systems are configured correctly, patching is up-to-date, and potentially vulnerable systems are identified. Vulnerabilities are researched and resolved in a timely manner.
Third-Party Penetration Tests
In addition to our internal network and system protection measures, ADAVICO employs third-party security experts to perform annual external penetration tests across our Production Network. Test results are prioritized and remediated in a timely manner.
Security Incident Management
Administrative access, use of privileged commands, and system calls on all servers in ADAVICO's Production Network are logged and retained for at least one year. To the extent practical, analysis of logs is automated to detect potential issues and to alert responsible personnel for timely research and resolution. In the case of an alert, events are escalated to key personnel trained on security incident response processes, including communication channels and escalation paths. Depending on type and severity, affected customers will be notified regarding the impact of any actual or reasonably suspected issue. ADAVICO tests and updates incident response (IR) procedures at least annually.
Intrusion Detection and Prevention
ADAVICO logs and monitors all system calls and has alerting in place for system access attempts that indicate a potential intrusion.
DDoS Mitigation
Access to our Production Network is restricted at the perimeter to only allow network protocols essential for delivery of the ADAVICO Service. Data Centers automatically detect and mitigate distributed denial-of-service (DDoS) attacks.
Logical Access
Access to the ADAVICO Production Network is restricted with tightly controlled credentials following the principle of least privilege (PLP) and role-based access control (RBAC), is frequently monitored, and is controlled by our DevOps Team. Users are provisioned based upon authorized requests for access.
Bug Bounty Program
Data Centers have partnered with HackerOne to operate a bug bounty and disclosure program, allowing security researchers to safely find and document vulnerabilities.
Encryption
Encryption in Transit
All communications between the ADAVICO Service and our customers are encrypted via industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks to ensure traffic is secure during transit.
Encryption at Rest
Service Data backups are encrypted on network-attached storage systems using AES-256 encryption.
Availability & Continuity
Uptime
Our Production Network is actively monitored for uptime using third-party monitoring services that automatically generate system alerts when triggered. We make commercially reasonable efforts to ensure the ADAVICO Service is available 24 hours a day, 7 days a week excepting planned downtimes or significant/catastrophic events beyond our control.
Redundancy
Our Production Network is designed to provide best performance and redundancy using multiple Data Center providers and physical locations to protect the ADAVICO Service from provider or location-specific failures. In addition, our segregated online/offline backup processes allow us to easily recover and restore Service Data.
Disaster Recovery
Our Disaster Recovery (DR) Program ensures that both the ADAVICO Service and Service Data are easily recoverable in the event of a disaster. All Service Data is backed up daily on the client server at the respective Data Center. In addition, full backup copies of Service Data are downloaded daily from Data Centers to encrypted, password-protected network-attached storage systems that are geographically distant from Data Center locations and not reachable by remote access. ADAVICO tests backups at least quarterly to ensure they can be successfully restored.
Change Management
Secure Development Lifecycle (SDL)
Secure Code Training
ADAVICO ensures its engineers are well versed in the latest software and internet-based vulnerabilities during development of the ADAVICO web application.
Framework Security Controls
ADAVICO leverages secure open-source frameworks with built-in controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to Injection, Broken Authentication, Broken Access Control, Cross-Site Scripting (XSS), and other vulnerabilities. In addition, we carefully examine every component added to our source code by utilizing strict SDL controls relating to design, development, testing, and deployment.
Quality Assurance
Our DevOps Team reviews our codebase to identify, test, and triage security vulnerabilities. In addition, we maintain a common codebase that is carefully tested and released across customer tenancies to ensure new features are carefully deployed and Service Data integrity is maintained.
Separate Environments
We have separate environments for development, testing, and production to protect Service Data and to ensure our production environment remains stable and consistent.
Vulnerability Management
Static Code Analysis
ADAVICO performs code scanning as part of application development using automated and manual scanning tools.
Application Security
Authentication Security
Password Configuration
In line with industry best practices, passwords are subject to complexity requirements that are enforced whenever passwords are created or changed.
2-Factor Authentication (2FA)
ADAVICO offers 2-factor authentication (2FA) for users via a token authenticator application or password manager that supports the Time-based One-Time Password (TOTP) algorithm.
Service Credential Storage
ADAVICO follows secure credential storage best practices by never storing passwords in human readable format and only as the result of a one-way hash.
Additional Application Security Features
Role-Based Access Controls
Access to Service Data within the ADAVICO Service is governed by role-based access control (RBAC) consisting of user and department roles, each with their own permission level for available actions and access to data.
In addition, unless guest access is approved by ADAVICO, only users with a valid email address at the customer's domain will be able to access the customer's tenant within the ADAVICO Service.
Device Tracking
ADAVICO tracks the devices used to sign into each user account, including date and time, IP address, browser, and operating system. In addition, ADAVICO logs every time users sign in, noting the action performed so we can help identify the root cause of any service problems, data corruption, or exfiltration.
Human Resources Security
Security Awareness
Policies
ADAVICO has developed a comprehensive set of security policies as part of its Information Security Program. These policies are regularly reviewed and updated as industry best practices evolve. Policies are shared with all employees, contractors, and third-party service providers with access to Service Data or ADAVICO Information Systems.
Training
All ADAVICO employees are required to attend Security Training throughout the year as part of ADAVICO's Information Security Program, and to maintain compliance with confidentiality and security requirements. Employees are also tested at least quarterly to guard against phishing attacks.
Employee Vetting
Background Checks
ADAVICO performs background checks on all new employees and requires that all contractors or third-party service providers with access to Service Data or ADAVICO Information Systems also conduct background checks on their personnel. Background checks include criminal history, education and employment verification, and credit checks.
Confidentiality Agreements
All employees, contractors, or third-party service providers with access to Service Data or ADAVICO Information Systems are required to sign a Non-Disclosure Agreement (NDA).
Workstations
Physical Security
For all locations where Service Data is accessed or processed, ADAVICO requires secure access, locked endpoints when not in use, and a clean desk policy, in accordance with our Physical Security Policy and Procedures, to ensure Service Data is not exposed.
Endpoint Security
ADAVICO workstations are configured with advanced identity management with multifactor authentication, encryption, data classification/loss prevention to identify and protect Service Data, and advanced threat protection against email/phishing attacks or document-embedded malware. Workstations and mobile devices are required to be enrolled in mobile device management to ensure they meet our security standards.
Portable Media
The transfer or storage of Service Data using portable media, such as thumb drives, is prohibited. To prevent auto-execution on endpoints with USB-enabled drives, autorun is disabled and anti-virus is enabled.
Password Management
ADAVICO requires personnel to use an approved password manager to avoid password reuse, phishing, and other password-related risks.
Additional Human Resources Security Features
Accessibility
Access to Service Data is limited to employees who have a specific need to use the information in delivering the ADAVICO Service and is enforced through permission levels reviewed at least quarterly. In addition, ADAVICO has established technical and administrative security controls to prevent employees from making unauthorized copies or transmitting Service Data except as necessary in support of the ADAVICO Service.
Printed Documents
All physical Service Data is maintained in secure areas, carefully controlled, and immediately shredded using cross-cut micro shredders when no longer needed.
Disposal Procedures
Any party with access to Service Data must contractually agree to its thorough and safe disposal in accordance with our Disposal Policy and Procedures after the contract or engagement is concluded.