Security Overview and Standards
Data and Network Security
Avionté utilizes 256-bit encryption technology, protecting your information using both server authentication and data encryption. This ensures that your data is safe, secure, and available only to your registered users. Data and files sent to Avionté travel over our network, which is guarded by enterprise firewalls, Intrusion Detection Systems, and Intrusion Prevention Systems. All applications communicate using industry-standard secure network protocols.
Your data is safe inside our Tier III data centers and cloud providers, Azure and AWS. Our infrastructure conforms to stringent SSAE 16 Type II, PCI, HIPAA, SOX, and GLBA requirements. Physical security includes card, biometric scans and PIN access controls, as well as armed security for 24/7 protection.
User-Based Access Controls
Avionté administrators can customize each user’s access levels by easily selecting which activities and data their users have access to within the product suite, including reports. Our role-based rights access allows our clients to tighten down security by user to ensure their confidential company data is secure from malicious internal activity.
User Password Policy Enforcement
Avionté will provide each customer’s user with a unique user name / password that must be entered each time a user logs in. For the highest level of password protection, we require passwords to be at least 8 characters long, including a mix of letters and numbers. Maximum password age is 90 days. Avionté can track users’ login / logout activity and the IP address from which they access Avionté, and supports IP restriction. Avionté administrators can customize each user’s access levels.
Breach Protocol Measures
This section outlines the structure of internal reporting to ensure that executives and everyone on the response team are up to date and on track during a data breach. While Avionté has NOT experienced a data breach, we believe it’s important to our customers and stakeholders that we have the proper documentation in the event one should occur. The measures below provide an overview of our internal response protocols once a breach is detected.
The Avionté Security Response Team is Alerted of a Potential Breach:
- Avionté will manage and coordinate the overall response efforts
- The response team will act as an intermediary between C-level executives and other team members to report progress and problems:
- Identify key tasks, manage timelines and document all response efforts from beginning to end
- Outline the resources needed to handle the breach
- Prepare and summarize the steps needed to assess the scope of a breach
- Ensure contact lists remain updated and team members remain ready to respond
- Analyze response efforts post-breach to better prepare the company and team for the next incident
- Determine whether it’s necessary to notify affected individuals, law enforcement and/or government agencies
The Security Checklist:
- Record the date and time when the breach was discovered, as well as the current date and time when response efforts begin, i.e. when someone on the response team is alerted to the breach
- Alert and activate everyone on the response team, including external resources, to begin executing our preparedness plan
- Secure the premises around the area where the data breach occurred to help preserve evidence
- Stop additional data loss. Take affected machines offline, but do not turn them off or start probing into the computer until the forensics team arrives
- Document everything known thus far about the breach: Who discovered it, who reported it, to whom was it reported, who else knows about it, what type of breach occurred, what was stolen, how was it stolen, what systems are affected, what devices are missing, etc.
- Interview those involved in discovering the breach and anyone else who may know about it
- Document investigation
- Review protocols regarding disseminating information about the breach for everyone involved in this early stage
- Assess priorities and risks based on what is known about the breach
- Bring in a forensics firm to begin an in-depth investigation (if appropriate)
- Notify law enforcement, if needed, after consulting with legal counsel and upper management
Avionté Security Response Team Notification Process to Impacted Customer(s):
- Identify and disclose to the customer any potentially affected or compromised data points
- Identify and disclose to the customer the potential point of entry (RFB, Reason for Breach)
- Work in concert with the customer to change all customer(s)-related Security Protocols:
  - Login Credentials
  - System Access or Points of Entry
  - Re-Encryption of any / all data points
- Provide the customer with a detailed analysis (via the checklist enclosed above) regarding the changes Avionté has made to ensure the breach is resolved
In addition to all preventative security measures and security response protocols, Avionté also maintains the necessary insurance policies. These policies include Errors & Omissions (EAO) and Cyber, Crime and Liability coverage to ensure the proper insurance measures are upheld.
IT Security & FAQ
What security measures are running on the databases?
Customer data is housed in a Tier-III Datacenter which conforms to SSAE 16 Type II, PCI, HIPAA, SOX and GLBA requirements. A security guard is present 24x7x365; the data center and perimeter are under video surveillance; access rights are restricted to essential personnel; and access controls use three-token authentication: card access + biometric eye scan + individual PIN. We use industry-standard SSL certificates and encryption for all communications.
What tier data-center are these systems stored in?
Avionté is hosted in tier-III data centers that provide true enterprise-class security, scalability and reliability, including full-time security personnel, closed-circuit video surveillance, continuous and redundant power systems with backup generators, fully redundant network systems with multiple Internet backbone access, advanced network firewalls, and hazard avoidance alert systems.
How is my data protected and what is the backup process?
Your hosted data is backed up nightly and backups are retained for a full year. In addition, your data is replicated across multiple data centers, ensuring your data is always safe and available.
If a natural disaster occurs at my office, how do I ensure that I can keep my business running?
If a disaster strikes your office, you’ll be able to access your business-critical information from computers anywhere with Internet access, whether it be your home, a coffee shop or another office location. Whether the disaster is as small as a PC crash, or something more severe and long-lasting, Avionté cloud hosting is there to keep your business running.
Is there required maintenance on my end?
All you need on your PC is a simple client program that is already built into Windows, and freely available on many other platforms, such as Mac. We take care of everything, so you can take care of your business.
Is your product a SaaS model?
Yes. On our SaaS solution, you will always have the most recent version and can access it using any device, including smart phones, tablets, PCs, or Macs.
Is the system SOC1 and SOC2 compliant?
Our datacenter conforms to SSAE 16 Type II, PCI, HIPAA, SOX, and GLBA requirements. Additional SOC compliance is driven from the customer environment.
How are my upgrades handled?
Avionté automatically applies updates. As with all modern SaaS platforms, your application is always up-to-date.
How do I print from the RDP delivered application?
We use a third-party print driver called TSPrint. The client is a free download. It allows for fast printing directly from the RDS session to your local printers.
Can we use our own SMTP server to email pay stubs?
We provide the SMTP service for you. We utilize SendGrid and all bounces are sent to you.