Security at Add Value Machine
AVM has an experienced, dedicated security team who have established policies and controls, monitor compliance with those controls and provide this compliance evidence to external auditors.
Our security policies are based on the following foundational principles:
- Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.
- Security controls should be implemented and layered according to the principle of defense-in-depth.
- Security controls should be applied consistently across all areas of the enterprise.
- The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.
Compliance at AVM
AVM is undergoing a SOC 2 Type II audit and expects to gain certification within weeks.
We are also completing the final stages of GDPR and HIPAA compliance. Our SOC 2 Type II report will be available on request.
Data at rest
All data storage assets, including customer data and S3 buckets, are encrypted at rest. Granular access permissions to these storage assets have been defined following the principle of least privilege.
Data in transit
AVM uses TLS 1.2 or higher to ensure data is secured in transit over the internet and within internal networks. TLS keys and certificates are provisioned for use across AVM infrastructure and follow security best practices.
Encryption keys are managed and automated via a key management system which is designed to prevent direct interactive access by individuals including employees. Separate encryption keys are allocated for different purposes and use cases and specific minimal permissions are allocated to those processes that need access to those keys (usually temporarily).
Penetration testing
AVM schedules an extensive external penetration test at least annually. This pen test is comprehensive in scope and includes AVM managed infrastructure and an independent code review.
AVM employs various techniques to detect vulnerabilities at different stages of the product life cycle. Code is scanned to detect vulnerabilities and other issues. Manual code reviews are performed. Any anomalous activity within AVM’s development and production network and customer environments is monitored and reported on, and other detective controls are in place across the organization.
AVM schedules frequent security reviews, table top exercises, and policy and other document reviews to ensure its security posture is optimized and up to date.
Endpoint protection
All corporate devices use specialized software to monitor secure configuration of endpoints, such as disk encryption, screen lock configuration, and password managers. Anti-virus software is deployed to all employee workstations.
Vendor security
AVM has a vendor management program in place that places emphasis on security reviews for external third party vendors.
Security education
AVM provides comprehensive security training to all employees upon onboarding and annually through educational modules within our compliance partner’s own platform.
AVM’s security team monitors the threat landscape and shares regular threat briefings with employees to inform them of important security and safety-related updates that require special attention or action.
All employees are required to review and accept security policies which address a wide variety of security aspects.
Identity and access management
AVM uses a centralized identity provider to allow single sign-on to secure our identity and access management. The principle of least privilege is followed for all resources and employees ensuring that the minimum permissions required to perform a particular role are assigned. Using a centralized identity management platform means that offboarding employees is straightforward and efficient.
There is a formal access request process for any changes or new access requests, according to the policies set for each application.