Data Security and Privacy
This Avokaado Security Policy (ASP) establishes security conditions and terms for digital document workflow management and operations on the Avokaado platform.
Avokaado operates on highly secured Hetzner servers for application hosting and Amazon Web Services (AWS) S3 servers for file storage.
Hetzner servers are located in Nuremberg, Germany or Helsinki, Finland. Hetzner's servers maintain strict compliance with industry standards and certifications, including DIN ISO/IEC 27001, FOX Certification. In case Avokaado changes its server service provider, it will notify the client of the new service provider in due course. In any case, Avokaado represents that it will use only server service providers that comply with the same or better standards and certifications as provided by Hetzner.
AWS S3 servers are located in Frankfurt, Germany.
AWS S3 is the only object storage service that allows you to block public access to all of your objects at the bucket or the account level with S3 Block Public Access. S3 maintains compliance programs, such as PCI-DSS, HIPAA/HITECH, FedRAMP, EU Data Protection Directive, and FISMA, to help meet regulatory requirements. AWS also supports numerous auditing capabilities to monitor access requests to S3 resources. Read more at https://aws.amazon.com/s3/security/.
HARDWARE AND INFRASTRUCTURE SECURITY
Hetzner data centres include state-of-the-art physical and environmental access controls in a highly secure environment (certified to ISO 27001) and safety features including:
- A video-monitored, high-security perimeter surrounds the entire data centre park. Entry is only possible via electronic access control terminals with a transponder key or admission card
- Fire detection and suppression, redundant electrical power systems, and uninterruptible power supply (UPS)
- Monitoring of electrical, mechanical, and life support systems and equipment
AWS S3 data centres are designed and managed in alignment with best security practices and a variety of IT security standards. The following is a partial list of assurance programs with which AWS complies:
- SOC 1/ISAE 3402, SOC 2, SOC 3
- FISMA, DIACAP, and FedRAMP
- PCI DSS Level 1
- ISO 9001, ISO 27001, ISO 27017, ISO 27018
AWS provides customers a wide range of information on its IT control environment in whitepapers, reports, certifications, accreditations, and other third-party attestations. More information is available at https://docs.aws.amazon.com/whitepapers/latest/aws-overview/security-and-compliance.html.
All connections to Avokaado use TLS 1.2 transport layer security, where all data is encrypted with SHA-2 (SHA-256withRSA) encryption, and passwords are hashed with the SHA-512 cryptographic hashing algorithm together with a random salt. In addition to anti-tampering controls, an audit trail records every single transaction and document signing with IP addresses and user information. Servers have a firewall, an intrusion detection system and antivirus installed to keep files secure and virus free. Access to the servers is restricted to certain IP addresses and to lead technical personnel only.
The firewall used on our servers is UFW. By default, connections to all ports are denied; only the ports necessary for the application to operate are allowed: HTTP and HTTPS.
SSH connections to the server can only be established from certain IP addresses and only with private keys. Password access to the servers is denied to all users. Private keys and access to the server are strictly restricted to the CTO and CEO of Avokaado. Restricted access to the server exists for the deployment of new code. It is also restricted to Avokaado’s deployment server, which uses JetBrains TeamCity as a deployment automation tool. Access to TeamCity is restricted to the parties necessary.
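The firewall and SSH rules described above can be checked mechanically. The following is an added example, not Avokaado's own code: it audits the text of `ufw status verbose` and an `sshd_config` file against that policy. The sample inputs are constructed, the function names are hypothetical, and `Match` blocks in `sshd_config` are not handled.

```python
import re

# Constructed sample inputs for illustration; not taken from any real server.
UFW_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp                     ALLOW IN    203.0.113.10
3306/tcp                   ALLOW IN    Anywhere
"""
SSHD_CONFIG = "PubkeyAuthentication yes\nPasswordAuthentication yes\n"

PUBLIC_PORTS = {"80", "443"}  # HTTP and HTTPS: the only ports open to everyone
RULE = re.compile(r"^(\d+)(?:/\w+)?(?: \(v6\))?\s+ALLOW(?: IN)?\s+(.+?)\s*$", re.M)

def audit_ufw(status):
    """Return deviations from 'deny by default, only HTTP/HTTPS public'."""
    findings = []
    if not re.search(r"^Status: active", status, re.M):
        findings.append("ufw is not active")
    if not re.search(r"^Default: deny \(incoming\)", status, re.M):
        findings.append("default incoming policy is not deny")
    for port, source in RULE.findall(status):
        # A rule limited to a source address (such as the SSH rule) is acceptable.
        if source.startswith("Anywhere") and port not in PUBLIC_PORTS:
            findings.append(f"port {port} is open to any source")
    return findings

def audit_sshd(config):
    """Return deviations from 'key-based logins only, no passwords'."""
    seen = {}
    for line in config.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:  # sshd keeps the first value it reads per keyword
            seen.setdefault(parts[0].lower(), parts[1].lower())
    findings = []
    if seen.get("passwordauthentication", "yes") != "no":  # OpenSSH default: yes
        findings.append("PasswordAuthentication is not set to no")
    if seen.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return findings

if __name__ == "__main__":
    for finding in audit_ufw(UFW_STATUS) + audit_sshd(SSHD_CONFIG):
        print("FINDING:", finding)
```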
For intrusion detection, Avokaado uses Snort, which runs in NIDS (network intrusion detection system) mode, using the afpacket module for data acquisition in inline mode. For the database, data-at-rest encryption is used with the AES-256-CBC encryption algorithm. In addition, the encryption keys file is encrypted with AES-256-CBC.
To keep passwords and keys secure, Avokaado uses 1Password. 1Password stores the information securely by using AES-256 for symmetric encryption and RSA 2048 for asymmetric / public key encryption. ClamAV is used to scan the files for viruses and malware. The virus signature databases are updated daily. Avokaado keeps application logs for a minimum of 6 months. On request, the retention time can be increased as necessary.
RELIABILITY AND BACKUPS
In order to provide a highly reliable service, the Client can choose geo-dispersed servers; we can adjust their capabilities in real time depending on the current load. Regular automated backups prevent any data loss. Backups of all databases (including templates, files, contacts) are done once a day.
The database backups are encrypted with AES-256-CBC. A password of random 32 characters is used.
Avokaado has received an OWASP ASVS 2.0 security audit from an independent security company that conducts security audits as well as static and dynamic analysis scans. Avokaado was security tested by a Big4 company through 2019, and the testing was successfully closed at the beginning of 2020.
Internally, security audits are regularly performed by a security team under the supervision of the Board of the company. Each IT employee receives regular security training, and all updates and new features are scanned for security, as security testing is integrated into the application development lifecycle. All access to the server is limited to senior security team members from whitelisted locations.
ADVANCED CUSTOM SECURITY OPTIONS
Avokaado’s security policies and features are designed to keep documents and transactions bank-level secure. Should the client need additional security customizations to match the company’s policies, Avokaado offers additional security upgrades, including:
- Customized Password Policy
- Authentication with only ID-card, Mobile-ID or Azure AD (O365) account
- Enterprise clients’ agencies and databases are hosted on separate virtual servers
- Separate database server from application server
Avokaado does not store any credit card information on its servers. Payments are processed by a PCI Data Security Standard (PCI DSS) Level 1 provider. All subscriptions are processed by Braintree, a PayPal service. PCI Data Security Standard (PCI DSS) ensures companies that process, store or transmit credit card information maintain a secure environment. See PCI SSC Data Security Standards Overview (https://www.pcisecuritystandards.org/pci_security/) for more information.