Trust Services Principles
Cloud Security Alliance
Information Security Management System (ISMS)
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Health Insurance Portability and Accountability Act
Avaamo is committed to complying with requirements imposed by the General Data Protection Regulation (GDPR), which took effect on 25 May 2018.
To learn more about our GDPR compliance, please read our GDPR policy.
All data transmitted between Avaamo agents and the Avaamo platform is protected with strong encryption protocols. Avaamo supports the latest recommended secure cipher suites to encrypt all traffic in transit, including the TLS 1.2 protocol, AES-256 encryption, and SHA-2 signatures.
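A customer who wants to verify a transit-encryption claim like the one above from the client side can encode it as a policy and test what a connection actually negotiates. The following is an added example, not Avaamo's code or configuration; the accepted suite list, the function names, and the TLS 1.2 / AES-256 / SHA-2 thresholds are assumptions drawn only from the statement above.

```python
import ssl
import socket
import sys

# Policy derived from the statement above: TLS 1.2 or newer, AES-256 for bulk
# encryption, SHA-2 (SHA-256 / SHA-384) for the PRF / AEAD tag.
MIN_PROTOCOL = ssl.TLSVersion.TLSv1_2

# OpenSSL cipher string for the TLS 1.2 suites this policy accepts.
# Assumed list for illustration, not the vendor's actual configuration.
TLS12_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-GCM-SHA384"
)


def build_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and pins the TLS 1.2 suite list.

    TLS 1.3 suites are fixed by the library and are not affected by set_ciphers();
    they are filtered at evaluation time by cipher_meets_policy() instead.
    """
    ctx = ssl.create_default_context()  # certificate verification against system CAs stays on
    ctx.minimum_version = MIN_PROTOCOL
    ctx.set_ciphers(TLS12_CIPHERS)
    return ctx


def offered_tls12_suites(ctx: ssl.SSLContext) -> list:
    """Names of the TLS 1.2 suites this context will offer to a server."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def cipher_meets_policy(cipher: tuple) -> bool:
    """Evaluate the (name, protocol, secret_bits) tuple returned by ssl.SSLSocket.cipher()."""
    name, protocol, bits = cipher
    proto_ok = protocol in ("TLSv1.2", "TLSv1.3")
    # OpenSSL spells AES-256 as "AES256" in TLS 1.2 names and "AES_256" in TLS 1.3 names.
    aes256_ok = ("AES256" in name or "AES_256" in name) and bits >= 256
    # A trailing "SHA" with no digits means SHA-1; only SHA-256 / SHA-384 suites pass.
    sha2_ok = name.endswith(("SHA256", "SHA384"))
    return proto_ok and aes256_ok and sha2_ok


def check_server(host: str, port: int = 443) -> tuple:
    """Connect to host:port and return (negotiated_cipher_tuple, policy_result)."""
    ctx = build_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            negotiated = tls.cipher()
            return negotiated, cipher_meets_policy(negotiated)


if __name__ == "__main__":
    # Usage: python tls_policy_check.py <hostname>   (hostname supplied by the operator)
    target = sys.argv[1]
    suite, ok = check_server(target)
    print(f"{target}: negotiated {suite} -> {'PASS' if ok else 'FAIL'}")
```

Because the context is created with certificate verification enabled, a host presenting an untrusted certificate fails before any cipher is reported, which is the right outcome for a transit-security check. Run it periodically against the endpoints you rely on so a regression to a weaker suite or an older protocol surfaces as a failing check rather than going unnoticed.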
Avaamo’s production data at rest is encrypted using FIPS 140-2 compliant encryption standards. This applies to all types of data at rest accessed by the production systems, including relational databases, file stores, and database backups.
To detect and prevent unauthorized access, Avaamo employs multi-factor authentication on all systems, including the development and staging systems. Avaamo also provides customers multiple Single Sign-On (SSO) options including SAML 2.0 providers.
Avaamo engages independent security firms to conduct application-level and infrastructure-level penetration tests at least once a year. Results of these tests are triaged, prioritized, and remediated in a timely manner by senior management. Customers can request the most recent reports from their account executive.
Many Avaamo customers also run security control assessments and/or penetration tests against the Avaamo system.
New or existing customers are welcome to perform security control assessments or penetration testing on Avaamo’s system. Please contact firstname.lastname@example.org to schedule a test.
Avaamo is continuously monitoring, auditing, and improving the design and operating effectiveness of our security controls. These activities are regularly performed by both third-party credentialed assessors and Avaamo’s internal risk and compliance team. Audit results are shared with senior management and all findings are tracked to resolution in a timely manner.
Avaamo divides its systems into separate networks to better protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Avaamo’s production systems. Sensitive customer deployments are further isolated by VPCs.
Avaamo deploys firewalls at the entry points of publicly accessible systems to log, audit, detect, and prevent DoS and DDoS attacks.
All servers within our production fleet are hardened using the CIS (Center for Internet Security) benchmarks and have a base configuration image applied to ensure consistency across the environment.
Avaamo has established policies and procedures for responding to potential security incidents. All security incidents are managed by Avaamo’s Security Incident Response Team (SIRT). Please contact email@example.com to report any security incidents.