We protect your data with enterprise-grade security
Advarra’s Quality and Information Security Management System focuses on ensuring our operations and products remain secure through the implementation of industry best practices and ongoing monitoring activities.
Our security strategy covers aspects of the Technology Solutions business, including:
- Advarra corporate information security and privacy policies
- Physical and environmental security
- Operational information security processes
- Secure Software Development Lifecycle (SDLC) procedures
- Customer data handling policies
- Third-party managed infrastructure partners and cloud providers
We have achieved ISO 27001 certification, the globally recognized standard for information security management systems (ISMS). Certification means that an accredited external auditor has verified that our ISMS conforms to the standard and that its controls operate as documented, reducing the risk of information breaches for our customers. Our data security strategy encompasses all aspects of our products and infrastructure, with the goal of delivering the most secure solutions in the market.
We have also achieved ISO 27701 certification, the extension of ISO 27001 that specifies a privacy information management system (PIMS). This certification validates that our data protection and privacy governance practices conform to the standard, reducing the risk of data breaches and strengthening the trust of our customers. Our data privacy strategy encompasses all aspects of our products and infrastructure, ensuring that we comply with the relevant laws and regulations and respect the rights and preferences of our customers and of the individuals whose personal information we process.
Advarra Corporate Security and Privacy: Policies and Procedures
We have comprehensive information security and privacy related policies and procedures in place.
Advarra has policies and procedures in place to protect the rights of individuals whose personal information we process, including documented procedures for handling requests from individuals who wish to exercise those rights.
Employee Background Checks, Training, and Authorization
Every Advarra employee undergoes a background check prior to hire. Upon hire, each employee signs the employee handbook, which sets out Advarra’s ethical expectations and acknowledges the sanctions applied for failure to comply with security and privacy policies and procedures. At hire and annually thereafter, each employee completes training on the company information security program and on customer data handling procedures.
We value our clients’ trust and privacy and take the security of their data seriously. All Technology Solutions staff who work with sensitive information are therefore required to complete an advanced security training course on protecting and handling data securely. The course covers encryption, authentication, authorization, auditing, and incident response; it explains the threats that lead to data breaches and their consequences, and the practices that prevent them. The course is compulsory for everyone with access to client data.
Office security is one aspect of Advarra’s quality and information security management system and follows industry best practices and standards. Electronic access control systems govern and monitor the entry and exit of authorized personnel, record every access attempt, and flag unauthorized or suspicious activity for follow-up. Advarra takes swift and appropriate action to ensure the safety and security of its offices.
Workstation and Laptop Security
We take data security seriously and implement multiple measures to protect our systems and information. Encryption software on all workstations and laptops ensures that data on a lost or stolen device cannot be read. Antivirus software runs regular scans to detect and remove malware and is kept current with the latest definitions and engine updates. Workstations report to a central management console where information security team members review alerts and warnings and take action when needed. Device policies enforce strong passwords and a screen lock after 15 minutes of inactivity. Together these controls maintain a high level of security and compliance.
Malware detection protects Advarra’s computers and files from malicious software. It combines several tools and techniques to scan for, identify, and remove malware on a device or across the network: antivirus software, firewalls, intrusion detection, sandboxing, and behavioral analysis. Layering these controls lets Advarra detect and block viruses, worms, trojans, ransomware, spyware, adware, and rootkits, including variants that signature-based antivirus alone would miss. This protects the company’s own data and systems and, equally, the safety and privacy of its clients and partners, keeping Advarra’s services reliable, trustworthy, and compliant with industry standards and regulations.
We take the security of our customers’ data very seriously. To protect it from unauthorized access and malicious attacks, we run multiple monitoring systems that collect and analyze the logs generated by the systems that store customer data. These systems automatically detect and block suspicious IP addresses and alert our information security team, which reviews, investigates, and responds to security incidents and threats promptly. We also retain a defined set of essential logs so that security-related issues can be investigated and resolved after the fact.
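The kind of log-driven detection described above, reduced to its core, is a per-source threshold over failed logins within a sliding time window, followed by a block decision that respects an allow-list. The following is an added example, not Advarra’s monitoring system; the log format, the sample lines, the threshold and the allow-list are all constructed for illustration.

```python
"""Threshold-based detection of failed-login bursts per source IP over
constructed log lines (added example, not Advarra's monitoring tooling)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format (not real logs).
# 203.0.113.7 fails five times in eight seconds; 198.51.100.20 fails
# twice, twenty minutes apart, which should not trigger a block.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z app[auth]: login failed user=alice src=203.0.113.7
2024-05-01T10:00:03Z app[auth]: login failed user=bob src=203.0.113.7
2024-05-01T10:00:04Z app[auth]: login failed user=carol src=203.0.113.7
2024-05-01T10:00:06Z app[auth]: login failed user=dave src=203.0.113.7
2024-05-01T10:00:08Z app[auth]: login failed user=erin src=203.0.113.7
2024-05-01T10:00:09Z app[auth]: login ok user=alice src=198.51.100.20
2024-05-01T10:00:15Z app[auth]: login failed user=alice src=198.51.100.20
2024-05-01T10:20:00Z app[auth]: login failed user=alice src=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app\[auth\]: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<ip>\S+)$"
)

def parse_line(line):
    """Parse one line; return None for lines that do not match the format
    (they are skipped rather than guessed at)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: timestamp} for every source IP that reaches `threshold`
    failed logins inside any sliding window of length `window`; the
    timestamp is the failure at which the threshold was first reached."""
    failures = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev and ev["result"] == "failed":
            failures[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = t
                break
    return flagged

def block_decisions(flagged, allowlist=()):
    """Turn detections into block actions, never blocking allow-listed
    addresses (e.g. a shared corporate egress, an assumption here)."""
    return [{"action": "block", "ip": ip, "at": ts.isoformat()}
            for ip, ts in sorted(flagged.items()) if ip not in allowlist]

if __name__ == "__main__":
    for decision in block_decisions(detect_bruteforce(SAMPLE_LOGS)):
        print(decision)
```

Two caveats a practitioner would attach to any automatic block: an attacker who spreads attempts across many source addresses stays under a per-IP threshold, so the per-IP rule should be paired with a per-account rule; and blocking a shared egress address (a customer site behind NAT, or your own office) locks out legitimate users, which is what the allow-list is for.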
Advarra Software Development Lifecycle Security Procedures
Advarra designs security and privacy controls into all products delivered to customers.
People and Process
We have taken steps to ensure application security awareness across the SDLC team. Most notably:
- Advarra employs engineering standards and best practices centered on OWASP principles.
- Coding standards and code review guidelines are well documented.
- Engineers are required to have a working knowledge of the OWASP Top 10, the reference list of the most common and highest-impact classes of web application vulnerabilities.
- Mandatory peer code reviews are completed on all changes implemented.
These processes, guidelines, and best practices are in use for all Advarra products and are routinely audited to ensure compliance and continual improvement over time.
Advarra uses static analysis tools in the software build process that scan the code base for potential security vulnerabilities. The analysis runs on a regular interval before applications are built, packaged, and provisioned to internal test instances. The build fails if new vulnerabilities are introduced into the code base, so the engineering team resolves them before the change progresses.
Advarra has invested in a commercial dynamic application security testing (DAST) platform for security testing of web applications. The scanner is configured and tuned to discover vulnerabilities in a deployed, running instance of an Advarra application, exercising it as an attacker would. As with static analysis, if engineering changes introduce new vulnerabilities of sufficient severity, they are addressed within the same product release.
Ownership of the dynamic scanning of Advarra applications belongs to the Software Test Engineering group. Dynamic scanning is a required process within release readiness activities for all products.
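The gating rule in the static and dynamic analysis paragraphs above (fail the build or the release on findings that are new and of sufficient severity, rather than on every finding the scanner has ever reported) reduces to a comparison of the current scan against a tracked baseline. The following is an added example, not Advarra’s pipeline; the JSON finding format, rule identifiers, file names and severities are constructed for illustration and do not correspond to any particular scanner’s output.

```python
"""Build/release gate that fails only on *new* findings at or above a
severity threshold. Added example, not Advarra's pipeline; the finding
format, file names and rule identifiers are constructed for illustration."""
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed baseline: findings already known and tracked ...
BASELINE_JSON = json.dumps([
    {"rule": "sql-injection", "file": "src/Report.java", "line": 88, "severity": "high"},
    {"rule": "weak-hash", "file": "src/Legacy.java", "line": 12, "severity": "medium"},
])
# ... and a constructed scan of the change under review. The first finding
# moved three lines (unrelated edit); the third and fourth are new.
SCAN_JSON = json.dumps([
    {"rule": "sql-injection", "file": "src/Report.java", "line": 91, "severity": "high"},
    {"rule": "weak-hash", "file": "src/Legacy.java", "line": 12, "severity": "medium"},
    {"rule": "xss-reflected", "file": "src/Search.java", "line": 40, "severity": "high"},
    {"rule": "verbose-error", "file": "src/Web.java", "line": 5, "severity": "low"},
])

def fingerprint(finding):
    """Identity of a finding for baseline matching. The line number is
    excluded so that unrelated edits that shift code do not make a known
    finding look new; the trade-off is that two distinct instances of the
    same rule in one file collapse into one fingerprint."""
    return (finding["rule"], finding["file"])

def severity_rank(finding):
    """Fail closed: an unrecognised severity label counts as the highest."""
    label = str(finding.get("severity", "")).lower()
    return SEVERITY_RANK.get(label, max(SEVERITY_RANK.values()))

def new_findings(baseline, scan, min_severity="high"):
    """Findings in `scan` that are absent from `baseline` and at or above
    `min_severity`."""
    known = {fingerprint(f) for f in baseline}
    floor = SEVERITY_RANK[min_severity]
    return [f for f in scan
            if fingerprint(f) not in known and severity_rank(f) >= floor]

def gate(baseline_json, scan_json, min_severity="high"):
    """Return (exit_code, new_findings); exit code 1 fails the build."""
    found = new_findings(json.loads(baseline_json), json.loads(scan_json),
                         min_severity)
    return (1 if found else 0), found

if __name__ == "__main__":
    code, found = gate(BASELINE_JSON, SCAN_JSON)
    for f in found:
        print(f"NEW {f['severity'].upper()}: {f['rule']} at {f['file']}:{f['line']}")
    sys.exit(code)
```

The baseline is the weak point of this design: if it is generated once and never reviewed, it silently accepts every pre-existing finding, so it needs an owner and a burn-down schedule of its own, and adding a finding to it should itself go through review.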
Advarra invests heavily in security analysis and penetration testing of all products and Technology Solutions networks by a third party that specializes in this work. Findings from third-party analysis are investigated, and vulnerabilities of sufficient severity are remediated in subsequent releases.
All technology products run on enterprise-standard operating systems, software, and services: commercially supported runtime environments for Java-based applications. Advarra ensures that we have:
- Security updates
- Vulnerability mitigations as they are released
- SLA-based support from our vendors
- Assurance of patches, updates and multi-year product support
Rigorous security controls required to meet privacy and security requirements have been implemented within the Advarra applications. The specific controls vary based on product requirements but the following are key control areas:
- Protection from Cross-Site Request Forgery (CSRF)
- OWASP-recommended security libraries
- Removal of Cross-Site Scripting (XSS) and arbitrary HTML injection vulnerabilities identified by static and dynamic analysis, and coding practices that avoid introducing them
- Controls that restrict the HTML permitted in application fields
- Adherence to current standards and recommendations for web application security, including a validation framework that applies consistent input validation across the application
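Four of the control areas in the list above (CSRF protection, XSS prevention through output encoding, limiting the HTML allowed in fields, and consistent input validation) can be shown together in a single stand-alone fragment. The following is an added example and not Advarra’s code or the libraries its applications use; the session dictionary, the tag allow-list, the validation rules and the field names are assumptions chosen for the illustration.

```python
"""Stand-alone illustration of four web-application control areas (added
example, not Advarra's code): session-bound CSRF tokens, contextual output
encoding against XSS, an allow-list HTML limiter for rich-text fields, and
declarative input validation. All names, allow-lists and rules are
assumptions for the example."""
import hmac
import html
import re
import secrets
from html.parser import HTMLParser

# --- CSRF: a per-session random token, checked in constant time ---------
def issue_csrf_token(session):
    """Store a fresh token in the (hypothetical) server-side session dict."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def csrf_token_valid(session, submitted):
    """Reject missing tokens; compare without leaking timing information."""
    expected = session.get("csrf")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)

# --- XSS: encode untrusted data for the HTML text context ---------------
def render_greeting(name):
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"

# --- HTML limiter: keep only harmless formatting tags, no attributes ----
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
DROP_CONTENT = {"script", "style"}   # drop these elements and their bodies

class HtmlLimiter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip += 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")   # attributes (onclick, href) discarded
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self._skip:                 # text is re-escaped on output
            self.out.append(html.escape(data, quote=True))

def limit_html(fragment):
    """Return the fragment with only allow-listed tags, attribute-free."""
    p = HtmlLimiter()
    p.feed(fragment)
    p.close()
    return "".join(p.out)

# --- Input validation: one rule table applied to every submitted field ---
RULES = {
    "username": re.compile(r"\A[A-Za-z0-9_.-]{3,32}\Z"),
    "study_id": re.compile(r"\A[A-Z]{2,4}-\d{4,8}\Z"),
}

def validate(form):
    """Return {field: error}; an empty dict means valid. Unknown and missing
    fields are errors, so a client cannot smuggle extra parameters."""
    errors = {}
    for field, value in form.items():
        rule = RULES.get(field)
        if rule is None:
            errors[field] = "unexpected field"
        elif not isinstance(value, str) or not rule.match(value):
            errors[field] = "invalid format"
    for field in RULES.keys() - form.keys():
        errors[field] = "missing"
    return errors

if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    print(csrf_token_valid(session, token), csrf_token_valid(session, ""))
    print(render_greeting('<img src=x onerror="alert(1)">'))
    print(limit_html('<b onclick="x()">hi</b><script>alert(1)</script>'
                     '<a href="javascript:x">link</a>'))
    print(validate({"username": "al", "study_id": "PRO-1", "x": "y"}))
```

Note what the limiter does not do: it does not balance tags, so an unclosed `<b>` in input yields an unclosed `<b>` in output, and it keeps the text of disallowed elements other than script and style. A production sanitizer (the OWASP-recommended libraries the list refers to) also normalises nesting and handles attribute allow-lists per tag; this fragment shows the allow-list principle, not a drop-in replacement.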
Customer Data Management and Managed Infrastructure
Advarra is committed to protecting the privacy and security of customer data in accordance with the highest standards of the industry. Advarra has established and implemented customer data handling policies and procedures that comply with the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 45 CFR 164.400 et seq. (the HIPAA Breach Notification Rule), all regulations implementing HITECH and HIPAA, the General Data Protection Regulation (“GDPR”), and other applicable requirements. These policies and procedures cover the collection, use, disclosure, retention, and disposal of customer data, and the safeguards and controls Advarra employs to prevent unauthorized access, misuse, or loss of customer data. Advarra regularly reviews and updates them to keep them effective and aligned with current best practices and legal obligations.
Third-Party Provider Management
Advarra is committed to ensuring the security and quality of customer data and services. To achieve this, Advarra conducts regular audits of its own processes and of its third-party providers to verify compliance with industry standards and best practices. Advarra also relies on the independent certifications and attestation reports of its hosting partners, such as ISO 27001, HITRUST, PCI DSS, and SOC 2, as evidence that hosted data is protected by rigorous, externally audited controls.
A key aspect of Advarra’s data management services is the protection of customer data wherever it sits. Advarra encrypts customer data both in transit and at rest: encryption in transit protects data crossing the network from interception and tampering, and encryption at rest protects stored data and backups from being read if the underlying storage is accessed outside the application. Together these controls prevent unauthorized access to and leakage of customer data.
Business Continuity and Disaster Recovery Planning
Advarra is committed to ensuring the security and availability of our hosted customer data in the event of a disaster or emergency. We have developed Business Continuity and Disaster Recovery Planning policies and procedures that define the recovery point objective (RPO) and recovery time objective (RTO) for each hosted product. Our hosted services are deployed to a primary and a secondary site located in different geographic regions. We regularly test our disaster recovery mechanisms to verify that they meet those objectives. We also take daily encrypted backups of hosted customer data and store them securely.
The Advarra Cloud platform extends the above core business capabilities with modern cloud-native approaches to our SaaS offerings.
Continuous Integration & Continuous Delivery (CI/CD)
Advarra Cloud uses a central control-plane layer to deploy infrastructure as code via CI/CD pipelines. All systems are maintained automatically, and their deployment and configuration are immutable and evidenced in version-controlled code. Manual or malicious changes made directly to a running system do not persist: the next deployment overwrites them, returning the system to its known-good configuration. Drift between the code and a running system is therefore worth investigating as well as reverting, since it indicates an out-of-band change.
Over and above the security certifications and ideals that apply to Advarra as a whole, the Advarra Cloud has these added benefits:
- SOC 2 attestation, with the system description and audit report available on request
- HIPAA control mapping, evidenced and audited as part of the SOC 2 examination
- 21 CFR Part 11 control mapping, evidenced and audited as part of the SOC 2 examination
- Encryption everywhere, in-transit and at-rest
- Secure by design, with security being top priority
Advarra Cloud uses extensive automation to avoid manual touches of systems, minimize the possibility of errors, and to streamline and expedite maintenance for the benefit of us and our customers. Our automation has the below benefits:
- Push button deployments to provision systems from nothing to fully running applications with functional initial credentials within minutes
- Push button upgrades, so that moving from version to version is seamless and involves as little manual intervention as possible
- Additional services enabled by a simple configuration switch, with any infrastructure or components they require provisioned automatically
- Dynamic scaling of services to meet peaks in demand
- Zero downtime deployments, lessening the burden on ourselves and our customers to arrange maintenance windows