AVM has an experienced, dedicated security team who have established policies and controls, monitor compliance with those controls and provide this compliance evidence to external auditors.
Our security policies are based on the following foundational principles:
AVM is undergoing a SOC 2 Type II audit and expects to gain certification within weeks. We are also completing the final stages of GDPR and HIPAA compliance. Our SOC 2 Type II report will be available on request.
All data storage assets, including those holding customer data and S3 buckets, are encrypted at rest. Granular access permissions to these storage assets have been defined following the principle of least privilege.
AVM uses TLS 1.2 or higher to ensure data is secured in transit over the internet and within internal networks. TLS keys and certificates are provisioned for use across AVM infrastructure and follow security best practices.
Encryption keys are managed and automated via a key management system, which is designed to prevent direct interactive access by individuals, including employees. Separate encryption keys are allocated for different purposes and use cases, and specific minimal permissions are allocated to those processes that need access to those keys (usually temporarily).
AVM schedules an extensive external penetration test at least annually. This pen test is comprehensive in scope and includes AVM-managed infrastructure and an independent code review.
AVM employs various techniques to detect vulnerabilities at different stages of the product life cycle. Code is scanned to detect vulnerabilities and other issues. Manual code reviews are performed. Any anomalous activity within AVM’s development and production network and customer environments is monitored and reported on, and other detective controls are in place across the organization. AVM schedules frequent security reviews, tabletop exercises, and policy and other document reviews to ensure its security posture is optimized and up to date.
All corporate devices use specialized software to monitor secure configuration of endpoints, such as disk encryption, screen lock configuration, and password managers. Anti-virus software is deployed to all employee workstations.
AVM has a vendor management program in place that places emphasis on security reviews for external third-party vendors.
AVM provides comprehensive security training to all employees upon onboarding and annually through educational modules within our compliance partner’s own platform. AVM’s security team monitors the threat landscape and shares regular threat briefings with employees to inform them of important security and safety-related updates that require special attention or action. All employees are required to review and accept security policies which address a wide variety of security aspects.
AVM uses a centralized identity provider to allow single sign-on to secure our identity and access management. The principle of least privilege is followed for all resources and employees, ensuring that the minimum permissions required to perform a particular role are assigned. Using a centralized identity management platform means that offboarding employees is straightforward and efficient.
There is a formal access request process for any change or new access request, according to the policies set for each application.
At AVM, data privacy is job zero: we strive to be trustworthy stewards of all sensitive data. View our privacy policy.