Subservice Organizations

Effective Date: 2026-06-01

ADAVICO uses carefully selected third-party service providers to help deliver, secure, monitor, support, and improve the ADAVICO Service. These providers may include cloud infrastructure providers, security and traffic protection services, communication tools, collaboration platforms, software development systems, business operations platforms, and other operational services.

ADAVICO remains responsible for protecting customer data entrusted to us, including when third-party providers are used to support the ADAVICO Service.

Definitions

A subservice relationship exists when the services provided by a vendor are relevant to the ADAVICO Service and the vendor's controls are necessary, in combination with ADAVICO's controls, to provide reasonable assurance that service commitments and system requirements are achieved.

  • Subprocessors: Third parties engaged by ADAVICO that have, or may have, access to or the ability to process customer Service Data.
  • Subcontractors: Third parties engaged by ADAVICO that do not have access to or the ability to process customer Service Data, but that support ADAVICO's services or business operations.
  • Service Data: Customer data submitted to, processed by, stored in, or generated through the ADAVICO Service.
  • Corporate Data: Operational, administrative, support, billing, or communication data used to run ADAVICO's business operations.

Vendor Management Program

Before engaging a third-party provider that may affect customer data or the ADAVICO Service, ADAVICO performs a risk-based review. This review may include consideration of:

  • Security certifications and attestations, such as SOC 1, SOC 2, ISO 27001, PCI DSS, or similar control frameworks;
  • Data protection, privacy, confidentiality, and access control practices;
  • Physical and logical security controls;
  • Business continuity and disaster recovery capabilities;
  • Regulatory, contractual, and confidentiality obligations;
  • Service reliability, operational maturity, and support practices; and
  • The nature, volume, sensitivity, and location of any customer data involved.

Vendors are periodically re-evaluated based on risk, service criticality, changes in service scope, and changes to the vendor's security posture.

Contractual Safeguards

Where appropriate based on risk and service scope, ADAVICO requires subprocessors to maintain contractual obligations designed to protect customer data, including:

  • Restricting access to Service Data to what is necessary to provide contracted services;
  • Prohibiting use of Service Data for purposes other than supporting ADAVICO and the ADAVICO Service;
  • Maintaining confidentiality obligations for personnel with access to Service Data;
  • Implementing appropriate technical, administrative, and organizational safeguards;
  • Maintaining security controls appropriate to the risk and sensitivity of the data processed;
  • Promptly notifying ADAVICO of actual or suspected security incidents that may affect Service Data;
  • Supporting reasonable investigation, remediation, and customer response activities; and
  • Securely disposing of Service Data when it is no longer required, subject to legal, contractual, operational, and backup retention obligations.

Current Subprocessors and Subservice Organizations

The following table identifies providers ADAVICO may use to deliver, secure, monitor, support, or operate the ADAVICO Service. Specific providers used may vary depending on customer environment, implementation history, hosting location, and operational need.

Provider Purpose Customer Data Stored Country Security Assurance
Akamai / Linode Cloud infrastructure, compute, storage, backups, and object storage Yes United States SOC 2 / ISO 27001-aligned cloud controls
Cloudflare DNS, security, traffic protection, DDoS mitigation, CDN, and related edge services Limited traffic metadata and security logs United States SOC 2 / ISO 27001-aligned security controls
Microsoft 365 / Teams Corporate email, collaboration, identity, productivity services, meetings, and internal communications Limited operational, support, and business data United States SOC 2 / ISO 27001
GitHub Source code management, software development workflow, issue tracking, and deployment metadata Source code, deployment metadata, and development artifacts; no production customer database data United States SOC 2 / ISO 27001-aligned SDLC controls
Slack Internal operational communications, support coordination, and security alerts Limited operational, support, and security metadata United States SOC 2 / ISO 27001-aligned collaboration controls
Zoom Customer meetings, implementation calls, support sessions, and internal meetings Limited meeting and support data United States SOC 2 / ISO 27001-aligned communications controls
Financial Cents Business operations, financial workflow management, task tracking, and client service coordination Limited operational, workflow, and client service data United States Vendor security review and contractual safeguards

Shared Responsibility Model

Security responsibilities are shared among ADAVICO, its infrastructure providers, and customers.

ADAVICO Responsibilities

  • Application security;
  • User authentication controls;
  • Role-based access controls;
  • Administrative and privileged access management;
  • Vulnerability management and patch coordination;
  • Secure software development practices;
  • Backup management and restoration testing;
  • Incident response and customer communication;
  • Monitoring and alerting; and
  • Vendor oversight.

Infrastructure and Platform Provider Responsibilities

  • Cloud infrastructure security;
  • Physical data center security for provider-operated facilities;
  • Facility operations, environmental controls, power, and cooling;
  • Core network infrastructure;
  • Hardware lifecycle management;
  • Platform-level availability and resilience controls; and
  • Provider-level security controls for contracted services.

Customer Responsibilities

  • User provisioning and deprovisioning;
  • Appropriate role assignment;
  • MFA enforcement where configurable;
  • Internal data classification;
  • Internal access review and policy compliance;
  • Review of data entered, uploaded, or maintained in the ADAVICO Service; and
  • FERPA, GLBA, and institutional governance decisions.

Third-Party Data Handling

ADAVICO does not intentionally share customer Service Data with third-party providers except as necessary to deliver, secure, support, or operate the ADAVICO Service.

Where third-party providers process, transmit, host, store, or otherwise handle customer data as part of providing their services, access is limited to the minimum functionality necessary for those services. ADAVICO selects providers based on security, privacy, operational, and contractual requirements and requires appropriate safeguards designed to protect customer data.

ADAVICO does not permit third-party providers to use customer Service Data for advertising, marketing, profiling, resale, data mining, or any purpose unrelated to providing services to ADAVICO.

Except where required by law, customer data is not disclosed to third parties outside of the services necessary to operate, secure, support, and maintain the ADAVICO Service.

Data Residency

Unless otherwise agreed, customer data is hosted within the United States. Customers with specific geographic hosting requirements should contact ADAVICO before implementation.

Security Incident Notification

If a subprocessor experiences a security event that materially impacts customer data entrusted to ADAVICO, ADAVICO will follow its Incident Response Program and notify affected customers without unreasonable delay following confirmation and assessment of impact.

For confirmed incidents that materially affect customer data, ADAVICO will notify affected customers within 72 hours of confirmation whenever practical and legally permissible.

Subservice Changes

As ADAVICO's business, infrastructure, and service offerings evolve, the subprocessors and subservice organizations we use may change. ADAVICO updates this page to reflect material changes to its subprocessor and subservice organization list.

Questions

Security and vendor management questions may be directed to security@adavico.com.