Data Security


1.      Infrastructure & Data Center

Software is hosted with one of the biggest data center providers in Switzerland, Infomaniak (IFM), located in Geneva (CH). Access to these data centers is strictly controlled and monitored by 24/7 on-site security staff and video surveillance. IFM maintains multiple certifications for its data centers, including ISO 27001 and PCI DSS. IFM was granted ISO 27001 certification in June 2018. This standard specifies the requirements for setting up an information security management system (ISMS). It ensures security measures are identified and constantly improved to protect data from loss, theft and alteration, and information systems from intrusion and damage. Please visit the IFM website for more information about their certification and compliance.

Software runs on a cloud-based PaaS environment with a logically separated database and dedicated file storage for each enterprise client. All services that make up the Software system are highly available. We use a combination of clustering, load-balancing, and replication to ensure there is no single point of failure. The PaaS environment is replicated across two physically separate data centers and benefits from an automatic backup located in a third, separate data center. PaaS meets the highest security standards.

Infomaniak uses infrastructure belonging to Arbor Networks, a world leader in network security. All our services benefit from unlimited protection against DDoS attacks.

2.      Patching Policy

All of AVE’s servers run with the latest security patches from their operating system vendors. Security patches are applied at regular intervals. Critical patches are applied as soon as they are available.

3.      Encryption

Encryption In Transit

Software leverages Transport Layer Security (TLS) 1.2 (or better) for Customer Data in transit over untrusted networks. Software supports full encryption in transit. No unencrypted data leaves our data center. All our monitoring and backend systems either send local traffic over the VPC, or they use transport-level encryption when communicating with the rest of the internet.

Encryption At Rest

Software encrypts Customer Data at rest using AES 256-bit (or better) encryption.

4.      User Access

We use dedicated roles and access rights for database administrators, general administrators, and support staff. In addition, we follow the principle of least privilege. All our employees are technically required to use two-factor authentication whenever possible and to follow our password policy for all internal and external tools.

5.      Backup

As a SaaS provider, we run a nightly backup of files, databases, configuration, and servers.

6.      Incident Handling & Reporting

AVE has an application incident management and reporting process, enabling unified security monitoring and protection for our cloud environment. If AVE becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, AVE shall notify the Customer without undue delay, and in any case, where feasible, notify Customers within 72 hours after becoming aware.

7.      Development

AVE maintains separate testing, development, and production environments to ensure that the highest code quality is met. This includes code reviews and peer programming conducted by experienced developers with a strong focus on security and stability. In addition, automated tests and code builds are in place. By using a hosted code platform, we are able to reach a high level of traceability and automatically monitor our third-party dependencies for security vulnerabilities.

8.      Data Sovereignty

AVE enterprise customers have their data hosted in Geneva (CH). Further regions may be available on request; ask your sales representative if you need to be hosted in a specific region for data sovereignty or legal purposes.

9.      Contact

9.1 Vulnerabilities

If you’ve found a security issue that you believe we should know about, please don’t hesitate to contact our security team at support@rocscor.com.

9.2 Further Information

If you’d like more details about our security controls, let our security team know at support@rocscor.com.