UPDATED: NOVEMBER 15TH 2021
This Avokaado Security Policy (ASP) establishes security conditions and terms for digital document workflow management and operations on Avokaado platform.
Avokaado workloads run on Google Cloud Platform: https://cloud.google.com/security/compliance
Compliance with several regulations including:
Data stored in Google Cloud is encrypted at rest. Avokaado Solution follows CIS Google Cloud Platform Foundation Benchmark
All connections to Avokaado are using TLS 1.2 transport layer security where all data is encrypted with the SHA-2 (SHA-256withRSA) encryption and passwords are encrypted with SHA-512 cryptographic hashing algorithm using also a random Salt. In addition to anti-tampering controls, an audit trail gathers every single transaction and document signing with IP addresses and user information. Servers have firewall, intrusion detection system and antivirus installed to keep files secure and virus free. Access to the server is restricted to certain IP addresses and to only lead technical personnel. The firewall used on our servers is UFW. By default connections to all ports are denied, only the ports necessary for the application to operate are allowed to access: HTTP, HTTPS.
SSH connection to the server can only be established from certain IP addresses and only with private keys. Password access to the servers is denied to all users. Private keys and access to the server is strictly restricted to the CTO and CEO of Avokaado. Restricted access to the server is for the deployment of a new codebase. This is also restricted to Avokaado’s deployment server that uses JetBrains TeamCity as a deployment automation tool. The access to TeamCity is restricted to the parties necessary.
For Intrusion Detection System Avokaado uses Snort, which runs in NIDS mode (network intrusion detection system), using afpacket module for data acquisition in inline mode. For database, data-at-rest encryption is used with AES-256-CBC encryption algorithm. In addition, the encryption keys file is encrypted with AES-256-CBC.
To keep passwords and keys secure, Avokaado uses 1Password. 1Password stores the information securely, by using AES-256 for symmetric encryption and RSA 2048 for asymmetric / public key encryption.
Clamav is used to scan the files for viruses and malware. The virus signature databases are updated daily. Avokaado keeps application logs for a minimum of 6 months. On request, the retention time can be increased as necessary.
Avokaado’s solution is Regional and survives single zone outages (https://cloud.google.com/docs/geography-and-regions).
Solution and work processes are designed for 24h RTO and 24h RPO.
In order to provide a highly reliable service, Client can choose geo-dispersed servers; we can adjust their capabilities in real-time depending on the current load. Regular automated backups prevent any data loss. Backups of all databases (including templates, files, contacts) are done once a day. The database backups are encrypted with AES-256-CBC. A password of random 32 characters is used.
Avokaado has received OWASP ASVS 2.0 security audit from an independent security company that conducts security audits as well as static and dynamic analysis scans. Avokaado is a security tested by Big4 company through 2019 and testing successfully closed in the beginning of 2020. Internally, security audits are regularly performed by a security team under the supervision of the Board of the company. Each IT employee receives regular security training, and all updates and new features are scanned for security as security testing is integrated into the application development lifecycle. All accesses to the server are limited to only senior security team members from whitelisted locations.
Avokaado’s security policies and features are designed to keep documents and transactions bank-level secure. Should the client need additional security customizations to match the company’s policies, Avokaado offers additional security upgrades, including:
Avokaado does not store any credit card information on its servers. Payments are processed by a PCI Data Security Standard (PCI DSS) Level 1 provider. All subscriptions are processed by Braintree, a PayPal service. PCI Data Security Standard (PCI DSS) ensures companies that process, store or transmit credit card information maintain a secure environment. See PCI SSC Data Security Standards Overview (https://www.pcisecuritystandards.org/pci_security/) for more information.
The following is a description of how Avokaado processes its website visitor’s personal data (either Avokaado client or not), requesting a product demo, applying to work positions, etc.
When creating an account on Avokaado platform, you have to provide your e-mail address (preferably business e-mail) in order for Avokaado to register you as a user. You also have to agree to the Terms of Services of Avokaado platform. This data is stored for up to 3 years after deleting the account.
In order to request a free demo meeting, Avokaado needs to receive the following data from you:
Avokaado uses this data through service provider Calendly to provide you with possible dates and times for the demo meeting, to know who you are as a potential client and Avokaado to prepare for the meeting in the best possible way. This data is stored for 3 months period.
In case you find an open position in Avokaado on the website, you can apply to it directly. In order to do that, you should provide the following data to Avokaado:
Avokaado uses this data to register your application, to consider your suitability for this position and to contact you for further information. This data is stored for 1 year period according to law.
Through chatbox, you can also subscribe to your e-mail to receive newsletters and you can unsubscribe from it at any time.
Avokaado respects its user’s privacy and applies necessary data protection safeguards to prevent data breaches and to provide privacy-related rights.
Avokaado only collects the personal data necessary for the purpose of providing its services and to do it with high quality. All personal data is deleted after it is no longer necessary for client relations and services.
You can always ask questions and request your rights according to GDPR (data deletion, portability, access, rectification etc.) by contacting Avokaado at firstname.lastname@example.org.