Product security is of paramount importance at Ava. Ava uses a software development lifecycle in line with general Agile principles. When security effort is applied throughout the Agile release cycle, security-oriented software defects can be discovered and addressed more rapidly than in development methodologies with longer release cycles. Software patches are released as part of our continuous integration process. Patches that can impact end users will be applied as soon as possible but may necessitate end user notification and scheduling a service window.
Ava performs continuous integration. In this way we are able to respond rapidly to both functional and security issues. Well-defined change management policies and procedures determine when and how changes occur. This philosophy is central to our development methodology. In this way, Ava is able to achieve extremely short mean time to resolution for security vulnerabilities and functional issues alike.
The Ava production infrastructure is hosted in Cloud Service Provider (CSP) environments. Physical and environmental security-related controls for Ava production servers, which include buildings, locks or keys used on doors, are managed by these CSPs. “Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors.”1
Ava leverages internal services that require transport-level security for network access and individually authenticate users through a central identity provider, using two-factor authentication wherever possible.
All Ava personnel undergo regular security and privacy awareness training that weaves security into technical and non-technical roles; all employees are encouraged to participate in helping secure our customer data and company assets. Security training materials are developed for individual roles to ensure employees are equipped to handle the specific security-oriented challenges of their roles.
End users may log in to Ava using an Identity Provider, leveraging Ava's support for the Security Assertion Markup Language (SAML) or via the “Sign-in with Google”, “Sign-in with Facebook” or “Sign-in with Apple” OpenID service. These services will authenticate an individual’s identity and may provide the option to share certain personally identifying information with Ava, such as your name and email address, to pre-populate our sign up form. Ava's SAML support allows organizations to control authentication to Ava and enforce specific password policies, account recovery strategies and multi-factor authentication technologies.
All requests to Ava's API must be authenticated. Requests that write data require at least reporting access as well as an API key. Requests that read data require full user access as well as an application key. These keys act as bearer tokens allowing access to Ava service functionality.
Data submitted to the Ava service by authorized users is considered confidential. This data is protected in transit across public networks and encrypted at rest. Customer Data is not authorized to exit the Ava production service environment, except in limited circumstances such as in support of a customer request.
All data transmitted between Ava and Ava users is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If encrypted communication is interrupted, the Ava application is inaccessible.