Organizational Security
We have strict security policies and procedures in place that encompass the security, availability, processing, integrity, and confidentiality of customer data.
Employee Background Checks
Each employee undergoes a process of background verification. We hire reputable external agencies to perform this check on our behalf to verify any criminal records. This check is always performed prior to an employee joining Avanti, regardless of whether their role requires them to directly handle client information.
Security Awareness
All Avanti employees sign a Confidentiality Agreement and receive training on Security Awareness Foundations, Phishing Foundations, Common Threats and Social Engineering Red Flags. We back this up with additional role-specific training and education where appropriate.
We also operate an ongoing security awareness and testing program (e.g., periodic simulated phishing emails). We maintain a dashboard to track our company risk profile over time, and the risk metrics are reviewed by senior management.
Dedicated to your Security & Privacy
A core responsibility of our SaaS Operations team is to implement and manage our security and privacy programs. They engineer and maintain our defence systems, develop review processes for security, and provide domain-specific consulting services and guidance to our engineering teams.
Avanti employs technologies that actively scan our networks for any suspicious activity. We actively work to implement further automated detection and remediation technologies throughout our entire SaaS ecosystem.
Internal Audit & Compliance
In conjunction with our clients, Avanti takes commercially appropriate steps to ensure ongoing compliance with applicable privacy laws, including those governing the collection, use and disclosure of personal information relating to the services.
Endpoint Security
All workstations issued to Avanti employees run up-to-date OS versions and are configured with best-in-class antivirus and endpoint security software. They are configured to comply with our security standards, which require all workstations to be properly configured, patched, and tracked and monitored by Avanti’s device management platform. All workstations are required to have their local storage encrypted, and this is enforced through our device management platform.
Threat Response
In addition to our in-house security team, Avanti engages a third-party team of 24/7 threat hunters and response experts to proactively hunt for and validate potential threats and incidents, initiate actions to remotely disrupt, contain, and neutralize threats, and provide Avanti with guidance for addressing the root cause of any recurring incidents.
Physical Security
Workplace
We control access to our resources (buildings, infrastructure and facilities) with the help of access cards. We maintain access logs to identify and address any anomalies. Access to areas containing server or networking infrastructure is tightly controlled and requires additional approval.
Client SaaS Environment
Avanti SaaS systems are located in state-of-the-art data centre facilities managed by Microsoft Azure. Avanti employees do not have physical access to the infrastructure.
Microsoft designs, builds, and operates its datacenters in a way that strictly controls physical access to the areas where data is stored, and has an entire division devoted to designing, building, and operating its physical facilities. Datacenters managed by Microsoft have extensive layers of protection: access approval at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacenter floor.
Infrastructure Security
Network Security
Our network security and monitoring techniques are designed to provide multiple layers of protection and defense. We use firewalls to protect our network from unauthorized access and undesirable traffic. Our systems are segmented into separate networks to protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Avanti’s production infrastructure.
We monitor firewall access with a strict, regular schedule. A small team has access to the firewalls, and changes are peer reviewed. To detect and trace any abnormal activity, we use industry-standard monitoring tools.
Encryption
All sensitive client data is encrypted both in transit and at rest.
Data stored in the SaaS platform is always encrypted using at least AES-256.
All Avanti websites, web applications and APIs support TLS 1.2. Supported cipher suites are reviewed periodically, and insecure ciphers are disabled.
Data stored on the Avanti Go mobile app is also stored securely, using industry standard encryption technology.
DDoS Prevention
We use Azure DDoS Protection to prevent DDoS attacks on our servers. This keeps our websites, desktop services, and mobile APIs available and performing.
Server Hardening
All servers, including those provisioned for development and testing activities, are hardened by disabling unused network ports, services and accounts, removing default passwords, and applying similar measures.
System Redundancy and Disaster Recovery
All key components of our platform are fault tolerant. Web and Remote Desktop services are delivered using load-balanced server pools, leveraging Microsoft’s Azure cloud platform to ensure industry-leading service availability and performance. We have the ability to scale our compute and storage resources on demand to meet changing workloads, and can complete many server and application maintenance activities with zero downtime. Maintenance activities that may cause downtime are scheduled outside core business hours to minimize disruption to clients' business operations.
Disaster Recovery
Avanti services are delivered from multiple Azure data centres in the Canada Central region (Greater Toronto Area).
We always maintain multiple ‘hot’ copies of client data, in addition to full backups which we retain for 90 days. Backups are taken hourly and immediately replicated offsite to minimize the scope of any data loss in the event of a worst-case disaster.
In the event of an extended outage affecting the primary region, we can deliver services from the Canada East region (Quebec City).
We test our Disaster Recovery capabilities at least semi-annually, and results of the testing activities are reviewed by senior management.
Data Privacy
Within your Organization
Access to personal information is controlled from within Avanti’s application, ensuring that privacy is maintained by your organization, to its standards.
Outside of your Organization
Avanti team members authorized by your organization are granted access to your data during the Implementation phase. These team members only maintain this access while authorized by your organization. Avanti has strong internal controls that govern access to your data. Access is reviewed quarterly to ensure compliance, and our controls are tested and verified annually by an external auditor.
Data Retention & Disposal
We hold the data in your account as long as you are an Avanti client. You remain the sole and exclusive owner of all right, title and interest in your data at all times. Supported data types may be extracted or exported at will, using the Avanti report builder or API at any time. You may also request a database backup of your data upon termination.
Once your contract with Avanti is terminated, your data will be securely purged. Data contained in backups is automatically purged at the end of the backup retention period.
Identity & Access Control
Single Sign-On (SSO)
All Avanti applications offer single sign-on (SSO) capability, enabling users to access Avanti using their corporate credentials. SSO simplifies the login process, ensures compliance, provides effective access control and reporting, and reduces the risk of password fatigue, and hence weak passwords.
When using SSO, the user directly authenticates with the authentication provider, and Avanti does not see or store their password.
Multi-Factor Authentication
Avanti user accounts can be configured to be protected using Multi-Factor Authentication (MFA). MFA provides an extra layer of security by requiring both a user password and an additional verification factor in the user's possession. This reduces the risk of unauthorized access if a user’s password is compromised.
Administrative Access
We employ strict technical access controls and internal policies to prohibit Avanti employees from inadvertently accessing user data. We adhere to the principle of least privilege, and apply role-based permissions to minimize the risk of data exposure.
Access to production environments is maintained by a central directory and authenticated using a combination of strong passwords and two-factor authentication. Additionally, we log all the operations and audit them periodically. Access is reviewed quarterly to ensure compliance, and our controls are tested and verified annually by an external auditor.
Security Within the Application
Each client’s data is stored in a separate database. The Avanti applications can only access the databases defined in the client's environment.
Development Practices
Source Code Security Scanning
Avanti uses GitHub to manage its source code, including GitHub’s Advanced Security features, which automatically scan all code for security vulnerabilities. This code scanning is enabled for all code repositories at Avanti. As well as performing static code analysis, GitHub Advanced Security also scans for secrets or tokens that may have accidentally been committed to the codebase. Finally, Avanti uses GitHub’s Dependabot feature to automatically alert us to vulnerabilities in third-party libraries and modules that the Avanti software depends upon.
Remediation Process
Potential vulnerabilities and other code security concerns in Avanti code are reviewed and logged in a ticket, and assessed by an experienced member of the Engineering team. Any issue requiring remediation is estimated and immediately prioritized into an upcoming development cycle. Third-party libraries are automatically updated to the most recent secure version, after appropriate review by the Engineering team. Code is never released to a production environment with a known vulnerability in it.
Operational Data Security & Redundancy
Logging & Monitoring
We monitor and analyze information gathered from services, internal traffic in our network, and usage of devices and terminals. We record this information in the form of event logs, audit logs, fault logs, administrator logs, and operator logs. These logs are automatically monitored and analyzed, to a reasonable extent, to help us identify anomalies such as unusual activity in employees’ accounts or attempts to access customer data. We store these logs on a secure server isolated from full system access, so that access can be controlled centrally and availability ensured.
Detailed audit logging covering all update and delete operations performed by users is available to customers in every Avanti service.
Malware Protection
We scan all files uploaded by users through the web applications prior to saving them in the database. Our anti-malware engine receives regular updates from external threat intelligence sources. It scans files for known malware, as well as employing sophisticated heuristic and pattern recognition techniques to detect new variants.
Mobile Applications
All traffic between the Avanti Go mobile app and the Avanti SaaS platform is encrypted over HTTPS. Access to resources is controlled using industry-standard OAuth 2.0 bearer tokens.
Data is cached on device to provide a fast, reliable user experience. On both iOS and Android devices, all data is stored securely, using industry standard AES-256 encryption. Additionally, where the underlying operating system permits, we prevent installation on jailbroken devices. Similarly, if the app is corrupted in any way, we prevent it from running.
As an additional layer of security, the app supports being unlocked using on-device biometrics (e.g. fingerprint or face recognition) on supported devices.
Incident Management
Incident Management Process
Avanti maintains a formal Incident Management process which is reviewed and approved by senior management. This process covers a broad range of incidents, such as security incidents, service degradation or outages, and problems affecting third party service providers.
Post-incident reviews are conducted where appropriate, to ensure we are constantly identifying ways to improve. In addition to these reviews, we also conduct drills and role-play exercises to ensure team members understand our processes and know how to apply them in both common and uncommon situations.
Reporting
In the event of a security incident or unauthorized access to your data, Avanti commits to notifying you as soon as reasonably practical. We will explain the nature and impact of the incident, along with suitable actions that you may need to take. Whenever applicable, we will identify, collect, acquire, and provide you with necessary evidence in the form of application and audit logs regarding incidents that apply to you. We will work diligently to promptly remedy any breach of security that permitted such unauthorized access.
Vendor & Third-Party Supplier Management
We evaluate and qualify our vendors based on our vendor management policy. We onboard new vendors after understanding their processes for delivering service to us and performing risk assessments. We take appropriate steps to ensure our security stance is maintained by establishing agreements that require vendors to adhere to the confidentiality, availability, and integrity commitments we have made to our clients. We monitor the effective operation of each vendor’s processes and security measures by conducting periodic reviews of their controls.
Third-Party Audits and Certifications
Avanti has been SOC 1 Type 2 certified every year since we implemented our SaaS offering in 2010. Attestation documents are available upon request.
What you can do to strengthen your Security
- Enforce complex passwords requiring a minimum number of uppercase/lowercase letters, numbers, and special characters
- Require multi-factor authentication wherever possible
- Use the latest browser versions, mobile OS and updated mobile applications for the latest security features and to ensure they are patched against vulnerabilities
- Exercise reasonable precautions while sharing data from the cloud environment
- Monitor devices linked to your account, active web sessions, and third-party access to spot anomalies in activities on your account and manage roles and privileges to your account
- Be aware of phishing and malware threats by looking out for unfamiliar emails, websites, and links that may target your sensitive information by impersonating Avanti or other services you trust.
Your Security and Privacy Matter to Us
If you have any further questions on this topic, please reach out to us at: success@avanti.ca.