Arreva Cloud Based Products Security and Infrastructure Summary
Arreva Cloud Based Products are hosted by Amazon Web Services (AWS) in Virginia, Ohio and Sydney, Australia. Amazon is a SOC compliant corporation. Please refer to the attached AWS-SOC2 Report. All of our clients' data is stored in real time in AWS and is encrypted at rest and in motion. Our applications and database traffic are encrypted from end to end as well. You will notice the lock symbol in your browser not only for the applications, but for all reports as well. We do not allow any traffic to or from our servers to connect without encryption, and the servers only accept data from specific IP addresses, which are our application servers and monitoring servers.
All of our servers, application and database, are contained within a Virtual Private Cloud (VPC), which adds an extra layer of protection around routing and firewalls.
The database files themselves are stored on an encrypted volume so the entire database is encrypted in transit and at rest. If the data were ever stolen, it would be worthless without the encryption keys. In addition, we encrypt the user password field as an extra safety layer. We utilize 256-bit encryption throughout the system and the keys are only accessible by utilizing Multi-Factor Authentication (MFA). We highly encourage all of our clients and users to use MFA as well.
Client data is never accessed without permission from the client. We have also restricted who can have access, and we utilize several layers of security to access any data, including encryption keys, locked IP addresses and Multi-Factor Authentication. The only employees that have access to the database are the CTO, COO and Support Manager. Users grant Arreva access via a standard user login and all activity is logged. If a database change is required, the client must grant permission.
Our system also allows end users to enforce security policies that highly restrict access to numerous pieces of data and to enforce strict password expiration rules. Complex passwords are required. Clients may also add MFA for each user utilizing Google Authenticator or Authy. Our system also enforces unique user logins and our logs track every transaction in a detailed Transaction Log.
Our logs, servers and security are monitored 24x7 by a team of database and security consultants from an independent company that is a worldwide leader in database administration and security. The security company has been monitoring our production servers for many years and alerts our team to any suspicious activity. The team utilizes industry-leading security software and hardware to monitor system performance and security, including all database traffic, looking for any patterns that are not ‘normal’ traffic.
In addition, our products do not store or save credit card numbers. We utilize secure tokens which are exchanged with payment processors via secure APIs. Our products only store the last 4 digits, the card type and expiration date for transaction reference.
Our servers are backed up in real time utilizing logs and images. Encrypted database images are taken daily and stored encrypted within the VPC. The backup images are kept for a rolling 12-month period in an encrypted vault.
It is highly suggested that our end users exercise proper security protocols, including not sharing login information, keeping passwords secure, properly configuring user roles, utilizing secure network connections, using MFA and changing passwords on a regular basis. In the SaaS world, the most common breach of security is a compromise from an end user whose password is shared or stolen.
Security is our top priority and we are continually evaluating our products, security reports, industry best practices and recommendations and implementing solutions to keep our systems secure.