Security You Can Rely On

Whether you’re considering moving your Avanti services to the cloud, in the process of migrating, or already there, you can be confident that Avanti is prioritizing your security – 24 hours a day, seven days a week.


Your Privacy & Data is Our Priority

As a SaaS provider, Avanti Software takes your security seriously. This dedication is reflected in everything we do – from our people and processes to our data centres and product security. As an Avanti client, you can rely on us to protect your data and operational security at every step. To give you peace of mind regarding Avanti security measures, we’ve compiled an in-depth look at our practices.

Organizational Security

We have strict security policies and procedures in place that encompass the security, availability, processing, integrity, and confidentiality of customer data.

Employee Background Checks
Each employee undergoes a process of background verification. We hire reputable external agencies to perform this check on our behalf to verify any criminal records. This check is always performed prior to an employee joining Avanti, regardless of whether their role requires them to directly handle client information.

Security Awareness
All Avanti employees sign a Confidentiality Agreement and receive training on Security Awareness Foundations, Phishing Foundations, Common Threats and Social Engineering Red Flags. We back this up with additional role-specific training and education where appropriate.

We also operate an ongoing security awareness and testing program (e.g., periodic simulated phishing emails). We maintain a dashboard to track our company risk profile over time, and the risk metrics are reviewed by senior management.

Dedicated to your Security & Privacy
A core responsibility of our SaaS Operations team is to implement and manage our security and privacy programs. They engineer and maintain our defence systems, develop review processes for security, and provide domain-specific consulting services and guidance to our engineering teams.

Avanti employs technologies that actively scan our networks for any suspicious activity. We actively work to implement further automated detection and remediation technologies throughout our entire SaaS ecosystem.

Internal Audit & Compliance
In conjunction with our clients, Avanti takes commercially appropriate steps to always ensure compliance with applicable Privacy laws, including the collection, use and disclosure of personal information relating to the services.

Endpoint Security
All workstations issued to Avanti employees run up-to-date OS versions and are configured with best-in-class antivirus and endpoint security software. They are configured to comply with our security standards, which require all workstations to be properly configured, patched, and be tracked and monitored by Avanti’s device management platform. All workstations are required to have their local storage encrypted, and this is enforced through our device management platform.

Threat Response
In addition to our in-house security team, Avanti engages a third-party team of 24/7 threat hunters and response experts to proactively hunt for and validate potential threats and incidents, initiate actions to remotely disrupt, contain, and neutralize threats, and provide Avanti with guidance for addressing the root cause of any recurring incidents.

Physical Security

Workplace
We control access to our resources (buildings, infrastructure and facilities) with the help of access cards. We maintain access logs to identify and address any anomalies. Access to areas containing server or networking infrastructure is tightly controlled and requires additional approval.

Client SaaS Environment
Avanti SaaS systems are located in state-of-the-art data centre facilities managed by Microsoft Azure. Avanti employees do not have physical access to the infrastructure.

Microsoft designs, builds, and operates its datacenters in a way that strictly controls physical access to the areas where data is stored, and has an entire division devoted to designing, building, and operating its physical facilities. Datacenters managed by Microsoft have extensive layers of protection: access approval at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacenter floor.

Infrastructure Security

Network Security
Our network security and monitoring techniques are designed to provide multiple layers of protection and defense. We use firewalls to protect our network from unauthorized access and undesirable traffic. Our systems are segmented into separate networks to protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Avanti’s production infrastructure.

We monitor firewall access with a strict, regular schedule. A small team has access to the firewalls, and changes are peer reviewed. To detect and trace any abnormal activity, we use industry-standard monitoring tools.

Encryption
All sensitive client data is encrypted both in transit and at rest.

Data stored in the SaaS platform is always encrypted using at least AES-256.

All Avanti websites, web applications and APIs support TLS 1.2. Supported cipher suites are reviewed periodically, and insecure ciphers are disabled.

Data stored on the Avanti Go mobile app is also stored securely, using industry standard encryption technology.

DDoS Prevention
We use Azure DDoS Protection to prevent DDoS attacks on our servers. This keeps our websites, desktop services, and mobile APIs available and performing.

Server Hardening
All servers, including those provisioned for development and testing activities, are hardened by disabling unused network ports, services and accounts, removing default passwords, etc.

System Redundancy and Disaster Recovery

All key components of our platform are fault tolerant. Web and Remote Desktop services are delivered using load-balanced server pools, leveraging Microsoft’s Azure cloud platform to ensure industry leading service availability and performance. We have the ability to scale our compute and storage resources on-demand to meet changing workloads, and can complete many server and application maintenance activities with zero downtime. Maintenance activities which may or will cause downtime are scheduled outside core business hours, to minimize disruption to clients' business operations.

Disaster Recovery
Avanti services are delivered from multiple Azure data centres in the Canada Central region (Greater Toronto Area).

We always maintain multiple ‘hot’ copies of client data, in addition to full backups which we retain for 90 days. Backups are taken hourly and immediately replicated offsite to minimize the scope of any data loss in the event of a worst-case disaster.

In the event of an extended outage affecting the primary region, we can deliver services from the Canada East region (Quebec City).

We test our Disaster Recovery capabilities at least semi-annually, and results of the testing activities are reviewed by senior management.

Data Privacy

Within your Organization
Access to personal information is controlled from within Avanti’s application, ensuring that privacy is maintained by your organization, to its standards.

Outside of your Organization
Avanti team members authorized by your organization are granted access to your data during the Implementation phase. These team members only maintain this access while authorized by your organization. Avanti has strong internal controls that govern access to your data. Access is reviewed quarterly to ensure compliance, and our controls are tested and verified annually by an external auditor.

Data Retention & Disposal
We hold the data in your account as long as you are an Avanti client. You remain the sole and exclusive owner of all right, title and interest in your data at all times. Supported data types may be extracted or exported at any time using the Avanti report builder or API. You may also request a database backup of your data upon termination.

Once your contract with Avanti is terminated, your data will be securely purged. Data contained in backups is automatically purged at the end of the backup retention period.

Identity & Access Control

Single Sign-On (SSO)
All Avanti applications offer single sign-on (SSO) capability, enabling users to access Avanti using their corporate credentials. SSO simplifies the login process, ensures compliance, provides effective access control and reporting, and reduces the risk of password fatigue, and hence weak passwords.

When using SSO, the user directly authenticates with the authentication provider, and Avanti does not see or store their password.

Multi-Factor Authentication
Avanti user accounts can be set to be protected using Multi-Factor Authentication (MFA). MFA provides an extra layer of security by requiring both a user password and an additional verification factor the user must possess. This reduces the risk of unauthorized access if a user’s password is compromised.

Administrative Access
We employ strict technical access controls and internal policies to prevent Avanti employees from inadvertently accessing user data. We adhere to the principle of least privilege, and apply role-based permissions to minimize the risk of data exposure.

Access to production environments is maintained by a central directory and authenticated using a combination of strong passwords and two-factor authentication. Additionally, we log all the operations and audit them periodically. Access is reviewed quarterly to ensure compliance, and our controls are tested and verified annually by an external auditor.

Security Within the Application
Each client’s data is stored in a separate database. The Avanti applications can only access the databases defined in the client's environment.

Development Practices

Source Code Security Scanning
Avanti uses Github to manage its source code, including Github’s Advanced Security features which automatically scan all code for security vulnerabilities. This code scanning is enabled for all code repositories at Avanti. As well as performing static code analysis, Github Advanced Security also scans for security secrets or tokens that may have accidentally been committed to the codebase. Finally, Avanti uses Github’s Dependabot feature to automatically alert us to vulnerabilities in third party libraries and modules that the Avanti software depends upon.

Remediation Process
Potential vulnerabilities and other code security concerns in Avanti code are reviewed and logged in a ticket, and assessed by an experienced member of the Engineering team. Any issue requiring remediation is estimated and immediately prioritized into an upcoming development cycle. Third-party libraries are automatically updated to the most recent secure version, after appropriate review by the Engineering team. Code is never released to a production environment with a known vulnerability in it.

Operational Data Security & Redundancy

Logging & Monitoring
We monitor and analyze information gathered from services, internal traffic in our network, and usage of devices and terminals. We record this information in the form of event logs, audit logs, fault logs, administrator logs, and operator logs. These logs are automatically monitored and analyzed, to a reasonable extent, to help us identify anomalies such as unusual activity in employees’ accounts or attempts to access customer data. We store these logs on a secure server isolated from full system access, to manage access control centrally and ensure availability.

Detailed audit logging covering all update and delete operations performed by users is available to customers in every Avanti service.

Malware Protection
We scan all files uploaded by users through the web applications prior to saving them in the database. Our anti-malware engine receives regular updates from external threat intelligence sources. It scans files for known malware, as well as employing sophisticated heuristic and pattern recognition techniques to detect new variants.

Mobile Applications

All traffic between the Avanti Go mobile app and the Avanti SaaS platform is encrypted over HTTPS. Access to resources is controlled using industry standard OAuth 2.0 bearer tokens.

Data is cached on device to provide a fast, reliable user experience. On both iOS and Android devices, all data is stored securely, using industry standard AES-256 encryption. Additionally, where the underlying operating system permits, we prevent installation on jailbroken devices. Similarly, if the app is corrupted in any way, we prevent it from running.

As an additional layer of security, the app supports being unlocked using on-device biometrics (e.g. fingerprint or face recognition) on supported devices.

Incident Management

Incident Management Process
Avanti maintains a formal Incident Management process which is reviewed and approved by senior management. This process covers a broad range of incidents, such as security incidents, service degradation or outages, and problems affecting third party service providers.

Post-incident reviews are conducted where appropriate, to ensure we are constantly identifying ways to improve. In addition to these reviews, we also conduct drills and role-play exercises to ensure team members understand our processes and know how to apply them in both common and uncommon situations.

Reporting
In the event of a security incident or unauthorized access to your data, Avanti commits to notifying you as soon as reasonably practical. We will explain the nature and impact of the incident, along with suitable actions that you may need to take. Whenever applicable, we will identify, collect, acquire, and provide you with necessary evidence in the form of application and audit logs regarding incidents that apply to you. We will work diligently to promptly remedy any breach of security that permitted such unauthorized access.

Vendor & Third-Party Supplier Management

We evaluate and qualify our vendors based on our vendor management policy. We onboard new vendors after understanding their processes for delivering service to us and performing risk assessments. We take appropriate steps to ensure our security stance is maintained by establishing agreements that require the vendors to adhere to the confidentiality, availability, and integrity commitments we have made to our clients. We monitor the effective operation of each vendor’s processes and security measures by conducting periodic reviews of their controls.

Third-Party Audits and Certifications

Avanti has been SOC 1 Type 2 certified every year since we implemented our SaaS offering in 2010. Attestation documents are available upon request.

What you can do to strengthen your Security

  • Enforce complex passwords requiring a minimum number of uppercase/lowercase letters, numbers, and special characters
  • Require multi-factor authentication wherever possible
  • Use the latest browser versions, mobile OS and updated mobile applications for the latest security features and to ensure they are patched against vulnerabilities
  • Exercise reasonable precautions while sharing data from the cloud environment
  • Monitor devices linked to your account, active web sessions, and third-party access to spot anomalies in activities on your account and manage roles and privileges to your account
  • Be aware of phishing and malware threats by looking out for unfamiliar emails, websites, and links that may exploit your sensitive information by impersonating Avanti or other services you trust.

Your Security and Privacy Matters to Us

If you have any further questions on this topic, please reach out to us at: success@avanti.ca.

Frequently Asked Questions

Your time is precious; let’s save you a few clicks. Here are some of our most asked questions.

How and where is our data stored?

We comply with PIPEDA standards.

Our clients' Avanti Databases and all of the associated proprietary data, including all PII, are stored exclusively in Canada. Avanti uses Microsoft Azure and its associated managed data centres in Ontario, and Quebec (for disaster recovery).

Separate and apart from the Avanti Database, Avanti employs third party service providers (e.g., CRM such as Salesforce and Application Process Monitoring services) designed to enhance the services we provide clients. Metadata derived from the use of the Avanti Database (e.g., crash logs, contact information) may be transferred to and processed by a provider outside of Canada.

How is our data protected?

Avanti employs a multi-layered approach to protecting your data from a security, reliability, and redundancy perspective. These layers are audited and verified as part of our annual SOC 1 Type 2 audit.

Security:
All data at rest, in transit, and in backups within the Avanti SaaS Ecosystem is encrypted using AES-256. Each client uses a unique database which is secured and only accessible by them. All traffic within our network has been subjected to a penetration test.

Reliability:
We actively monitor our data ecosystem for any errors which would indicate a failure in our ability to grant you access to your data or the quality of your data. We want to ensure you have the access you need to your data and that the data you are accessing is correct.

Redundancy:
We maintain hourly transactional backups and daily full database backups, combined with daily VM backups. These backups are stored in a geo-redundant configuration, meaning we could restore them to a secondary data centre within Canada at will. Backups are retained for 90 days. We conduct semi-annual disaster recovery exercises in which we restore our entire data ecosystem to a secondary site. This ensures that we can commit to restoring your data promptly and that the data is backed up in a usable state.

How frequently do you conduct penetration testing? And can you outline what that testing looks like?

We engage a third party security firm to conduct regular penetration tests on the following cadence:

  1. We conduct Penetration tests annually on our external facing surfaces.
  2. We conduct one-off penetration tests on components of our ecosystem that have faced significant architectural changes prior to them reaching our production environment. This includes net new services being introduced to our production ecosystem as well as existing services which have been redesigned and refactored.

What is your remediation plan for results of pen testing? How quickly are any identified weaknesses and potential gaps remediated?

Issues are identified as part of the Penetration Testing process and are then prioritized according to their criticality and impact to our ecosystem.

What is your procedure in the event of a breach?

In the event of a security incident or unauthorized access to your data, Avanti commits to notifying you as soon as reasonably practical. We will explain the nature and impact of the incident, including the source of breach and an assessment of the data impacted, along with suitable actions that you may need to take, as well as our own remediation plan.

What is your service uptime SLA?

We commit to 99.5% availability between Business Hours, defined as 8:00 am to 5:00 pm in your local timezone.

What is your incident response plan in case of an outage?

We have a documented and management-approved incident management plan, which covers Identification & Triage, Investigation, Communication, Resolution and Review & Closedown.

We routinely run data breach and incident simulation exercises to test the efficacy of our planning.

Does the solution use role-based security for determining user privileges throughout the application?

Yes, Avanti Users can have their permissions and access managed by User Class. Class A is for the Admin/Super Users (desktop and Web Access), Class B is for Managers (Web only access and some additional permissions), Class C is for Employees (Web only access). Even within a User Class, there is a high degree of flexibility in managing Access and permissions (e.g., read, write, etc.).

In the event that we terminate our contract, when and how is our data deleted / offloaded?

It depends on your Client contract. Typically, we work with any departing client to best support their transition, which may result in purging data shortly after the termination date, or retaining data for a pre-determined time period (potentially including for a fee). Our intent is to support our Client’s needs while reducing the time we retain any sensitive data. For those requesting that we remove their data promptly, we will retain the data for no longer than 90 days in our backups.