Data Security and Privacy
UPDATED: AUGUST 2ND 2021
This Avokaado Security Policy (ASP) establishes security conditions and terms for digital document workflow management and operations on the Avokaado platform.
Avokaado workloads run on Google Cloud Platform: https://cloud.google.com/security/compliance
Compliance with several regulations including:
- ISO27001 – https://cloud.google.com/security/compliance/iso-27001
- SOC-2 – https://cloud.google.com/security/compliance/soc-2
- GDPR – https://cloud.google.com/security/gdpr
- HIPAA – https://cloud.google.com/security/compliance/hipaa-compliance
Data stored in Google Cloud is encrypted at rest (https://cloud.google.com/security/encryption/defaultencryption).
The Avokaado Solution follows the CIS Google Cloud Platform Foundation Benchmark.
All connections to Avokaado use TLS 1.2 transport layer security, where all data is encrypted with SHA-2 (SHA-256withRSA), and passwords are hashed with the SHA-512 cryptographic hashing algorithm together with a random salt. In addition to anti-tampering controls, an audit trail records every transaction and document signing, together with IP addresses and user information. Servers have a firewall, an intrusion detection system and antivirus software installed to keep files secure and virus free. Access to the server is restricted to certain IP addresses and to lead technical personnel only. The firewall used on our servers is UFW. By default, connections to all ports are denied; only the ports necessary for the application to operate are open: HTTP and HTTPS.
SSH connections to the server can only be established from certain IP addresses and only with private keys. Password access to the servers is denied to all users. Private keys and access to the server are strictly restricted to the CTO and CEO of Avokaado. Restricted access to the server is for the deployment of a new codebase. This is also restricted to Avokaado’s deployment server, which uses JetBrains TeamCity as a deployment automation tool. Access to TeamCity is restricted to the necessary parties.
For intrusion detection, Avokaado uses Snort, which runs in NIDS (network intrusion detection system) mode, using the afpacket module for data acquisition in inline mode. For the database, data-at-rest encryption is used with the AES-256-CBC encryption algorithm. In addition, the encryption keys file is encrypted with AES-256-CBC.
To keep passwords and keys secure, Avokaado uses 1Password. 1Password stores the information securely, using AES-256 for symmetric encryption and RSA 2048 for asymmetric (public key) encryption.
ClamAV is used to scan the files for viruses and malware. The virus signature databases are updated daily. Avokaado keeps application logs for a minimum of 6 months. On request, the retention time can be increased as necessary.
RELIABILITY AND BACKUPS
Avokaado’s solution is Regional and survives single zone outages (https://cloud.google.com/docs/geography-and-regions).
Solution and work processes are designed for 24h RTO and 24h RPO.
In order to provide a highly reliable service, the Client can choose geo-dispersed servers; we can adjust their capabilities in real time depending on the current load. Regular automated backups prevent any data loss. Backups of all databases (including templates, files, contacts) are done once a day. The database backups are encrypted with AES-256-CBC. A random 32-character password is used.
Avokaado has received an OWASP ASVS 2.0 security audit from an independent security company that conducts security audits as well as static and dynamic analysis scans. Avokaado was security tested by a Big4 company through 2019, and testing was successfully closed at the beginning of 2020. Internally, security audits are regularly performed by a security team under the supervision of the Board of the company. Each IT employee receives regular security training, and all updates and new features are scanned for security, as security testing is integrated into the application development lifecycle. All access to the server is limited to senior security team members from whitelisted locations.
ADVANCED CUSTOM SECURITY OPTIONS
Avokaado’s security policies and features are designed to keep documents and transactions bank-level secure. Should the client need additional security customizations to match the company’s policies, Avokaado offers additional security upgrades, including:
- Customized Password Policy;
- Authentication with only ID-card, Mobile-ID or Azure AD (O365) account;
- Enterprise clients’ agencies and databases are hosted on separate virtual servers;
- Separate database server from application server.
Avokaado does not store any credit card information on its servers. Payments are processed by a PCI Data Security Standard (PCI DSS) Level 1 provider. All subscriptions are processed by Braintree, a PayPal service. PCI Data Security Standard (PCI DSS) ensures companies that process, store or transmit credit card information maintain a secure environment. See PCI SSC Data Security Standards Overview (https://www.pcisecuritystandards.org/pci_security/) for more information.