Bank-level security

At Avvoka we know that the data included in, and related to, your contracts is extremely important to you and your counterparties. The team at Avvoka work continuously to protect the privacy, security and integrity of your account and data. The security of your information is required for our success as a business and we take steps every day to ensure that it remains safe.

Here, we describe our processes for maintaining security throughout Avvoka.

Physical location security

We ensure that the machines within the Avvoka network are protected at all times. Avvoka is hosted on servers that are owned and operated by VPS Matrix that reside within the UK. VPS Matrix provides a highly scalable cloud computing platform with end-to-end security and privacy features as standard.

Access to our data centres in the UK is strictly controlled and monitored using a variety of physical controls, intrusion detection systems, environmental security measures, 24 x 7 on-site security staff, biometric scanning, multi-factor authentications, video surveillance and other electronic means. All physical and electronic access to data centres by VPS Matrix employees is authorised strictly on a least privileged basis and is logged and audited routinely.

Avvoka employees do not have physical access to our servers. Electronic access to servers and services is restricted to a core set of approved Avvoka staff only.

Penetration testing

We undergo yearly third party application penetration testing by CHECK and CREST accredited security consultants. Our latest pentest report is available by request.

Data security

Passwords

All passwords are filtered from our logs and are one-way encrypted in the database using the BCrypt algorithm.

Avvoka staff cannot view your password. If you forget your password, you must go through the reset procedure for your account to be accessible again.

Data redundancy and backups

We ensure that all practice data is replicated and regularly backed up. All backups are encrypted using AES-256 with random daily encryption keys.

Application, systems and software security

Your connection to Avvoka (including API access) is secure and encrypted using HTTPS. This is the same level of encryption used by leading banks and government agencies. Your documents are also stored and encrypted at rest using AES – 256 bit encryption. Each one is encrypted with a unique initialisation vector. As an additional safeguard, each key is encrypted with a regularly rotated master key. This means that even if someone were able to bypass the physical security (see below) and access a hard drive, they still wouldn’t be able to decrypt your data.

We adhere to industry best practices to prevent gaps in the security policy of the application and the underlying systems and to prevent common web attack vectors.

Avvoka also maintains a robust application audit log to include security events such as user log in and data changes.

We ensure that our software and its dependencies are up to date eliminating any potential security vulnerabilities. We employ a wide range of monitoring solutions for preventing and eliminating attacks to the site.

Two factor authentication

On-location security is provided beyond passwords alone by the use of 2-factor authentication (2FA) which can be enabled within the settings of Avvoka for all of your staff. 2FA provides an extra layer of security on top of passwords by the requirement of a unique code generated at the time of each and every login. Please note 2FA security is only made available to enterprise users of Avvoka.

Employee access and security

We regard your data stored within Avvoka as private and confidential to your business and counterparties.

Our production environment is completely isolated from the other environments — including development and testing.

Avvoka employees are granted access to systems and data based on their role in the company or on an as-needed basis.

Access to your contract data by Avvoka employees is only used to assist with support, to resolve customer issues and as outlined in the terms of service agreement with you. When working on a support issue we do our best to respect your privacy as much as possible and only access the minimum data needed to resolve your issue.

Maintaining security

Avvoka adheres to industry best practices for design and development. We thoroughly test new features in order to rule out potential attacks such as CSRF, XSS, SQLI and many more.

We continuously improve our security policies as the threat landscape changes. Our engineering team continuously monitors ongoing security, performance and availability. We subscribe to all relevant security bulletins so that we can promptly address any security issues in the software we use.

Privacy and data protection

All services employed in the supply of Avvoka meet the UK Information Commissioner’s Office (ICO) requirements for EU data protection.

Availability

Avvoka provides a high level of availability due to our robust infrastructure. We are very transparent with availability and all incidents are reported and detailed via email reports.

Need to report a security vulnerability?

If you believe you have found a security vulnerability in Avvoka we encourage you to make this known to us right away. We will investigate all legitimate reports and will address the issue immediately. Responsible submission of security vulnerabilities can be made to security@avvoka.com by following the guide below.

Reporting

Share the details of any suspected vulnerabilities with Avvoka’s Security Team by contacting us at security@avvoka.com

Please do not publicly disclose these details without express written consent from Avvoka. In reporting any suspected vulnerabilities, please include the following information:

  • Date the vulnerability was observed
  • Description of the vulnerability
  • Instructions to duplicate the vulnerability (this can be written steps, a video, or a set of screen captures detailing the proof of concept)
  • Your name and company (if applicable)
  • Your preferred contact information (email, phone, anonymous)
  • Your PGP to allow for encrypted communication (if available)

PGP key details

We encourage finders to use encrypted communication channels to protect the confidentiality of vulnerability reports. Our PGP public key is available at the following link: Avvoka Public PGP Key