Security Policy

Effective Date: 2026-06-01

ADAVICO is committed to protecting customer data through a layered security program built around confidentiality, integrity, availability, and accountability. We take steps every day to implement safeguards, mitigate risk, and improve our web applications, infrastructure, and professional services.

ADAVICO's Information Security Management System policies and controls are aligned with AICPA Trust Services Criteria, ISO/IEC 27001 principles, NIST guidance, and higher-education security expectations, including FERPA and GLBA support obligations.

The ADAVICO Service includes our primary web application, supporting production infrastructure, and related professional services. Physical, technical, and administrative controls are implemented across these service areas as part of our Information Security and Risk Management Programs.

Compliance

Security Program

ADAVICO maintains an Information Security Management System covering production systems, application security, employee access, vendor management, incident response, backup and recovery, and customer data protection.

ADAVICO regularly conducts policy reviews and internal assessments using updated guidance and industry best practices as they evolve.

SOC 2 Readiness

ADAVICO is currently engaged in a formal SOC 2 readiness and control maturation process, with its first SOC 2 examination targeted for completion by December 31, 2026. Following completion, ADAVICO intends to maintain annual SOC 2 examinations and reporting.

Until a SOC 2 report is available, ADAVICO may support reasonable customer security reviews, audit discussions, and control walkthroughs under appropriate confidentiality terms.

Industry-Based Compliance

FERPA and GLBA Support

ADAVICO supports customer FERPA and GLBA obligations by providing access controls, audit logging, encryption, authentication controls, data separation, backup controls, and secure disposal practices.

Customers remain responsible for their own institutional compliance decisions, user provisioning, data classification, internal data handling practices, and regulatory determinations.

PCI-DSS

ADAVICO does not store, process, or transmit cardholder data. If we accept payment cards for services, we use a third-party payment processor that maintains PCI-DSS compliance.

Customer Data Ownership

Customers retain ownership of their data. ADAVICO processes customer data only to provide, secure, maintain, support, and improve the ADAVICO Service, or as otherwise authorized by the customer.

Production Network

Data Center Physical Security

Facilities

ADAVICO hosts Service Data at third-party data centers and infrastructure providers that maintain recognized security and compliance programs, including SOC, ISO 27001, PCI DSS, and similar control frameworks where applicable. These providers maintain environmental controls such as backup power, HVAC, fire suppression, physical access restrictions, and facility monitoring.

On-Site Security

The third-party data centers ADAVICO uses include physical security controls such as restricted access, monitored facilities, security personnel, CCTV, access logging, and other facility protections designed to prevent unauthorized physical access.

Data Hosting Location

Unless otherwise agreed, customer data is hosted within the United States. Customers with specific geographic hosting requirements should contact ADAVICO before implementation.

Network Security

Dedicated Security

Production systems are monitored for availability, security events, and operational issues. Alerts are reviewed and escalated to appropriate personnel for research and resolution.

Protection

The Production Network is protected using a combination of least-privileged administrative access, separated customer application and database services, limited network exposure, firewall protection, system hardening, and external monitoring services.

Customer data is not commingled. Each customer environment is separated through dedicated or logically isolated application and database services. Access to customer environments is restricted using least privilege, role-based access control, administrative approval, and quarterly access reviews.

System Hardening

Production servers are hardened by disabling unnecessary services, removing default passwords, limiting open ports, applying secure configuration baselines, and maintaining controlled administrative access.

Vulnerability Scanning

ADAVICO performs vulnerability management across infrastructure and application systems. Infrastructure and application vulnerability scans are performed regularly and whenever significant changes are introduced into the environment. Vulnerabilities are prioritized based on severity, exploitability, exposure, and customer impact.

Patch Management

Security updates are applied based on risk and severity.

  • Critical vulnerabilities: target remediation within 72 hours
  • High vulnerabilities: target remediation within 14 days
  • Medium vulnerabilities: target remediation within 30 days
  • Low vulnerabilities: addressed during normal maintenance cycles

Independent Security Assessments and Penetration Testing

ADAVICO uses independent third-party security experts to perform periodic security assessments and external penetration testing across its Production Network. Findings are reviewed, prioritized, tracked, and remediated based on severity and risk.

Security Incident Management

ADAVICO maintains an incident response process covering detection, triage, escalation, containment, investigation, remediation, and customer communication.

ADAVICO reviews and tests incident response procedures at least annually. Customers will be notified without unreasonable delay following confirmation of a security incident that materially affects the confidentiality, integrity, or availability of their data; for such confirmed incidents, ADAVICO will notify affected customers within 72 hours of confirmation whenever practical and legally permissible.

ADAVICO will coordinate with affected customers during investigation and remediation, including reasonable support for audit, insurance, and regulatory review needs.

Logging and Monitoring

ADAVICO logs administrative access, privileged activity, authentication events, system activity, and security-relevant application events. Logs are retained for at least one year unless a longer period is required by contract or law.

ADAVICO uses centralized logging, monitoring, alerting, event correlation, and Security Information and Event Management (SIEM) capabilities to identify suspicious activity, service disruptions, unauthorized access attempts, operational anomalies, and potential security events.

These security events are retained and used to support threat detection, investigation, compliance, auditability, and incident response activities. Relevant logs may be made available to customers during security investigations where appropriate and legally permissible.

Intrusion Detection and Prevention

ADAVICO monitors system activity and access attempts for indicators of unauthorized access, misuse, or potential intrusion.

DDoS Mitigation

Access to the Production Network is restricted at the perimeter to allow only network protocols essential for delivery of the ADAVICO Service. Infrastructure providers may provide distributed denial-of-service mitigation and traffic protection services.

Logical Access

Access to the ADAVICO Production Network is restricted using tightly controlled credentials, least privilege, role-based access control, administrative approval, and quarterly access review.

Administrative and privileged access rights are reviewed at least quarterly.

Availability and Continuity

Uptime

The Production Network is actively monitored for uptime using monitoring services that generate alerts when triggered. ADAVICO makes commercially reasonable efforts to ensure the ADAVICO Service is available 24 hours a day, 7 days a week, except for planned maintenance or significant events beyond ADAVICO's control.

Redundancy

The Production Network is designed to provide resilience through infrastructure redundancy, backup processes, and recovery procedures to reduce the risk of service disruption caused by hardware, facility, or regional events.

Disaster Recovery

Customer data is backed up daily. Backup restoration is tested at least quarterly. ADAVICO maintains disaster recovery procedures designed to restore service following infrastructure, provider, or regional failure.

Recovery Objectives

ADAVICO targets a Recovery Point Objective (RPO) of 24 hours or less unless otherwise specified by contract.

ADAVICO targets a commercially reasonable Recovery Time Objective (RTO) based on the severity, scope, and affected environment.

Data Protection

Encryption

Encryption in Transit

All communications between the ADAVICO Service and customers are encrypted using industry-standard HTTPS/TLS over public networks.

Encryption at Rest

ADAVICO encrypts customer data at rest. Production servers, storage volumes, object storage, and backups are encrypted at rest.

Key and Secret Management

Encryption keys, application secrets, and service credentials are restricted to authorized personnel and managed through controlled access, separation of duties, and periodic review.

Data Classification

ADAVICO classifies information based on sensitivity and business impact. Access controls, retention requirements, and handling procedures are applied according to the classification of the information being processed.

Data Retention and Deletion

Customer data is retained only as long as necessary to fulfill contractual, operational, legal, and regulatory obligations, and according to customer instructions where applicable.

Upon termination, ADAVICO will return, delete, or securely dispose of customer data according to contract requirements and applicable law. Secure deletion may be subject to backup retention cycles.

Vendor Management

ADAVICO uses third-party infrastructure and service providers to deliver, secure, monitor, support, and improve the ADAVICO Service. ADAVICO evaluates vendors based on security posture, access to customer data, contractual obligations, and operational necessity.

Subprocessors are required to protect customer data through appropriate confidentiality, security, and disposal obligations. Additional information is available in ADAVICO's Subservice Policy.

Shared Responsibility

ADAVICO Responsibilities

ADAVICO is responsible for application security, user authentication controls, access management, vulnerability management, secure software development, backup management, incident response, monitoring and alerting, employee security controls, and vendor oversight.

Infrastructure and Platform Provider Responsibilities

Infrastructure and platform providers are responsible for cloud infrastructure security, physical data center security for provider-operated facilities, facility operations, environmental controls, power and cooling, core network infrastructure, hardware lifecycle management, platform-level availability and resilience controls, and provider-level security controls for contracted services.

Customer Responsibilities

Customers are responsible for user provisioning and deprovisioning, appropriate role assignment, MFA enforcement where configurable, data classification, internal policy compliance, and FERPA, GLBA, and institutional governance decisions.

Change Management

Secure Development Lifecycle

Secure Code Training

ADAVICO ensures its engineers are trained in secure software development practices and common web application vulnerabilities.

Framework Security Controls

ADAVICO leverages secure open-source frameworks with built-in controls to limit exposure to OWASP Top 10 security risks, including injection, broken authentication, broken access control, cross-site scripting, and other vulnerabilities.

Quality Assurance

ADAVICO reviews, tests, and triages code changes before release. ADAVICO maintains a common codebase that is carefully tested and released across customer environments to protect service stability and customer data integrity.

Separate Environments

ADAVICO maintains separate environments for development, testing, and production to protect customer data and ensure production systems remain stable and controlled.

Vulnerability Management

Static Code Analysis

ADAVICO performs code scanning as part of application development using automated and manual review processes.

Dependency Review

ADAVICO reviews third-party software dependencies and framework updates for known vulnerabilities and applies updates based on severity and operational risk.

Change Control

Production changes are reviewed, tested, approved, and deployed through controlled release processes. Emergency changes are reviewed and documented after implementation where immediate action is required to protect service availability or security.

Application Security

Authentication Security

Password Configuration

Passwords are subject to complexity requirements that are enforced when passwords are changed or created.

Multi-Factor Authentication

ADAVICO supports multi-factor authentication for customer users through token authenticator applications or password managers that support the Time-based One-Time Password (TOTP) algorithm.

ADAVICO requires multi-factor authentication for administrative and privileged internal access. Customers are strongly encouraged to require MFA for their users.

Service Credential Storage

ADAVICO follows secure credential storage best practices by never storing passwords in human-readable format. Passwords are stored only as the result of a one-way cryptographic hash.

Additional Application Security Features

Role-Based Access Controls

Access to Service Data within the ADAVICO Service is governed by role-based access control consisting of user and department roles, each with its own permission level for available actions and access to data.

Unless guest access is approved by ADAVICO, only users with a valid email address at the customer's domain may access the customer's tenant within the ADAVICO Service.
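The domain-restricted tenant access rule above, as an added illustration of how such a check is commonly implemented and where it goes wrong (this is not ADAVICO's code; the tenant, domains and guest address are constructed sample data):

```python
"""Tenant access check: only accounts whose email is at one of the customer's
verified domains may sign in to that tenant, unless the address is on an
explicitly approved guest list.

Illustrative code, not ADAVICO's implementation. All names and domains
below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Tenant:
    name: str
    verified_domains: FrozenSet[str]                 # lower-cased, matched exactly
    approved_guests: FrozenSet[str] = field(default_factory=frozenset)  # lower-cased


def normalize_email(address: str) -> Optional[Tuple[str, str]]:
    """Return (local, domain) in canonical lower-case form, or None if malformed."""
    address = address.strip()
    if address.count("@") != 1 or " " in address:
        return None
    local, domain = address.rsplit("@", 1)
    domain = domain.lower().rstrip(".")
    if not local or not domain or "." not in domain:
        return None
    return local.lower(), domain


def may_access_tenant(tenant: Tenant, address: str) -> bool:
    """True if the address is at a verified tenant domain or is an approved guest.

    The domain is compared for exact equality against the verified set. A suffix
    test such as domain.endswith("example.edu") would also admit the lookalike
    "evil-example.edu", so it is deliberately not used here.
    """
    parsed = normalize_email(address)
    if parsed is None:
        return False
    local, domain = parsed
    if domain in tenant.verified_domains:
        return True
    return f"{local}@{domain}" in tenant.approved_guests


# Constructed sample tenant: two verified domains and one approved guest.
SAMPLE_TENANT = Tenant(
    name="Example University (constructed)",
    verified_domains=frozenset({"example.edu", "students.example.edu"}),
    approved_guests=frozenset({"auditor@partner-firm.example"}),
)
```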

Device Tracking

ADAVICO tracks the devices used to sign into each user account, including date and time, IP address, browser, and operating system. ADAVICO also logs user sign-in activity to support troubleshooting, security monitoring, and investigation of potential data corruption or exfiltration.

Tenant Separation

Customer environments are separated through dedicated or logically isolated application and database services. ADAVICO restricts access to customer environments through least privilege, administrative approval, and quarterly access reviews.

Human Resources Security

Security Awareness

Policies

ADAVICO maintains security policies as part of its Information Security Program. Policies are reviewed and updated as industry best practices evolve. Policies are shared with employees, contractors, and third-party service providers with access to Service Data or ADAVICO Information Systems.

Training

ADAVICO employees are required to complete security training as part of ADAVICO's Information Security Program and to maintain compliance with confidentiality and security requirements. Employees may also be tested to guard against phishing and social engineering attacks.

Employee Vetting

Background Checks

ADAVICO performs background checks on employees and requires contractors or third-party service providers with access to Service Data or ADAVICO Information Systems to conduct appropriate personnel screening where applicable.

Confidentiality Agreements

Employees, contractors, and third-party service providers with access to Service Data or ADAVICO Information Systems are required to maintain confidentiality obligations.

Workstations

Physical Security

For locations where Service Data is accessed or processed, ADAVICO requires secure access, locked endpoints when not in use, and appropriate safeguards to prevent unauthorized exposure of Service Data.

Endpoint Security

ADAVICO workstations are configured with security controls designed to protect Service Data, including identity management, multifactor authentication where applicable, encryption, malware protection, and endpoint management.

Portable Media

The transfer or storage of Service Data using portable media, such as thumb drives, is prohibited unless specifically authorized for a documented business purpose and protected using appropriate controls.

Password Management

ADAVICO requires personnel to use approved password management practices to reduce password reuse, phishing, and other credential-related risks.

Additional Human Resources Security Features

Access to Service Data

Access to Service Data is limited to personnel who have a specific need to use the information in delivering the ADAVICO Service. Access is enforced through permission levels and reviewed at least quarterly.

Printed Documents

Physical Service Data, where used, is maintained in secure areas, carefully controlled, and securely destroyed when no longer needed.

Disposal Procedures

Parties with access to Service Data must follow secure disposal practices after the contract, engagement, or business need has ended.

Security Contact

Security questions may be directed to security@adavico.com.