Your data stays protected with Avvoka’s enterprise-grade security, encryption, admin controls, compliance certifications, and privacy by design.
“Avvoka delivers measurable business value at scale.”
Greg Snow
CLS Holdings
ISO27001 certified
• Continuously certified since October 2017
• Subject to annual external audits
• ISMS policy available below.
Physical location security
• Servers located in our clients’ core business regions (UK, Europe, US and Australia)
• AWS, OVH and Azure datacentres
• Physical access by Avvoka staff is restricted.
Data replication & backup
• All production databases are subject to real-time replication
• Hot-standby arrangement for failovers
• Backups encrypted using AES-256.
Passwords
• Minimum strength rules adhered to
• Passwords filtered from logs and one-way hashed using BCrypt
• Password rotation rules can be defined.
2FA and SSO
• 2FA can be enforced company-wide
• SSO-only enforcement rules available
• Automatic SSO user revocation for leavers.
Availability and design
• High availability and transparent reporting
• Adherence to secure development principles
• Pipeline continuously tested for attacks such as CSRF, XSS, SQLi and many more.
Applications, systems and software
Your connection to Avvoka (including API access) is secure and encrypted using HTTPS. This is the same level of encryption used by leading banks and government agencies. Your documents are also stored and encrypted at rest using AES-256 encryption. Each one is encrypted with a unique initialisation vector. As an additional safeguard, each key is encrypted with a regularly rotated master key.
Annual penetration testing
Each year, the application is subject to black-box penetration testing. Only CREST-approved providers are appointed. Copies of our latest scorecard are made available to clients on request.
Reporting a vulnerability
Share the details of any suspected vulnerabilities with Avvoka’s Security Team by contacting us at security@avvoka.com.
Please do not publicly disclose these details without express written consent from Avvoka. In reporting any suspected vulnerabilities, please include the following information:
• Date the vulnerability was observed
• Description of the vulnerability
• Instructions to duplicate the vulnerability (this can be written steps, a video, or a set of screen captures detailing the proof of concept)
• Your name and company (if applicable)
• Your preferred contact information (email, phone, anonymous)
• Your PGP key to allow for encrypted communication (if available).


