THIS DATA PROTECTION AND INFORMATION SECURITY POLICY represents the core information security policies and procedures for AvePoint, as it pertains to our treatment of customer data. Our information security program is a structured approach to develop, implement, and maintain an organizational environment that is conducive to appropriate information security, and it is AvePoint’s goal that all customer interactions reflect our respect for information privacy and our commitment to transparency in communication.
1. How AvePoint Categorizes Data
1.1 AvePoint Data Categories and Definitions
Administrator Data
Is the information about administrators supplied during signup, purchase, or administration of AvePoint services, such as names, phone numbers, and email addresses. It also includes aggregated usage information and data associated with your account, such as the controls you select. We use administrator data to provide services, complete transactions, service the account, and detect and prevent fraud.
Customer Data
Is all data, including all objects and containers that reside in customer's environments. Customer Data includes, for example, SharePoint site collections, lists and libraries, or Exchange mailboxes, as well as customer content, which is a subset of Customer Data that includes, in part, Exchange Online email body and attachments, SharePoint Online site file content, and IM conversations.
Configuration Data
Is information provided by you, or on your behalf, that is used to identify or configure an application, such as backup settings, service requests, as well as object/container scopes, but does not include their content or user identities. Examples of Configuration Data include the site collection URLs, admin user IDs, service requests (and their metadata such as requestor, template and settings, as applicable). Customers should not include Personal Data or other sensitive information in object metadata because object metadata may be shared across global AvePoint systems to facilitate operations and troubleshooting.
Account and Payment Data
Is data that AvePoint collects to maintain a business relationship with you. This includes the information you provide when making purchases with AvePoint. AvePoint does not process credit card payments directly, and all credit card payments are processed by a third party that is responsible for PCI compliance.
Personal Data
Means any information relating to an identified or identifiable natural person. In other words, Personal Data is any data that is associated with a specific person. Personal data provided by our customers through their use of our products and services, such as the names and contact information of customer end users, would also be Account and Payment data. But personal data could also include certain data that is not account and payment data, such as the user id our service assigns to each user; such personal data is considered pseudonymous because it alone cannot identify the individual.
Support and Consulting Data
Means all data, including all text, sound, video, image files, or software, that are provided to AvePoint by, or on behalf of, customer (or that customer authorizes AvePoint to obtain from an Online Service) through an engagement with AvePoint to obtain Professional Services or Support. This may include information collected over phone, chat, e-mail, or web form. It may include description of problems, files transferred to AvePoint to resolve support issues, automated troubleshooters, or by accessing customer systems remotely with customer permission. It does not include Administrator Data or payment data.
Data Storage and Location Matrix
| Data category | Data stored and encrypted by AvePoint? (Yes/No/NA) | Data accessible by AvePoint Employees? (Yes/No/NA) | Data storage location |
|---|---|---|---|
| Administrator Data | Yes, encryption provided by third party software | Yes, authorized personnel based on business needs | US – Based in Microsoft Dynamics data center |
| Customer Data | Yes, for AvePoint cloud applications that are backup and archiving in nature; NA, for on-premises and other AvePoint cloud applications | No | Customer selected data center |
| Configuration Data | Yes, for cloud applications; NA, for on-premises | Yes, for cloud applications, only by authorized support personnel when necessary during investigation of a customer-initiated support case; No, for on-premises | Customer selected data center |
| Account and Payment Data | Yes, encryption is provided by third party software | Yes, authorized personnel based on business needs | US – Based in Microsoft Dynamics data center |
| Support and Consulting Data | Yes, disk level encryption | Yes, only by authorized personnel when necessary during investigation of a customer-initiated support case or services | A combination of Azure, AWS and local servers at AvePoint offices. |
Note 1: Cloud applications that are backup and archiving in nature (for example, Cloud Backup and Cloud Archiving) will copy Customer Data to encryption-enabled Azure Storage located in the data center selected by customer, under instructions from customer's personnel. The stored backup data is further encrypted by application with keys unique to each tenant. No AvePoint employees can access the unencrypted content on the storage. In addition, customers have the option to use their own encryption key (BYOK) and their own storage (BYOS).
Note 2: In order to perform their intended functions, the cloud applications need to access the Application Tokens or Service Accounts authorized by customers. The Application Tokens and Service Account credentials are encrypted by the applications with AES 256 using keys unique to each customer. No AvePoint employees can access them. In addition, a Bring-Your-Own-Key (or BYOK) option is available to perform the encryption using customers' own keys.
General. When a customer tries, purchases, uses, or subscribes to AvePoint Products, or obtains support for or professional services with such products, AvePoint collects data to provide the service (including uses compatible with providing the service), provide the best experiences with our products, operate our business, and communicate with the customer. For example:
- When a customer engages with an AvePoint sales representative, we collect the customer’s name and contact data, along with information about the customer’s organization, to support that engagement.
- When a customer interacts with an AvePoint support professional, we might collect device and usage data or error reports to diagnose and resolve problems.
- When a customer pays for products, we collect contact and payment data to process the payment.
- When AvePoint sends communications to a customer, we use data to personalize the content of the communication.
- When a customer engages with AvePoint for professional services, we collect the name and contact data of the customer’s designated point of contact and use information provided by the customer to perform the services that the customer has requested.
1.2 How AvePoint Manages Data
You Own Your Data
Customer Data is only used to provide agreed upon services and if you leave the service, we take the necessary steps to ensure the continued ownership of your data.
Where Your Data Is Located
The data location depends on the specific nature of the data as outlined in the Data Storage and Location Matrix.
1.3 Who Has Access To Data
You do! We take strong measures to help protect Customer Data from inappropriate access or use by unauthorized persons, either external or internal, and to prevent customers from gaining access to one another’s data. AvePoint operations and support personnel are located around the globe to help ensure that appropriate personnel are available 24 hours a day, 365 days a year. We have automated a majority of our service operations so that only a small set requires human interaction. More details are available in the Data Storage and Location Matrix.
2. Privacy and Information Security
2.1 Information Security
AvePoint will perform and provide the Services to our customers in such a manner so as to minimize the threat of unauthorized access to confidential information. AvePoint has implemented and maintains a comprehensive, written information security program that contains administrative, technical and procedural measures and physical safeguards designed to protect the security and confidentiality of confidential information, and to protect against any anticipated threats or hazards to the security and integrity of such information. AvePoint utilizes appropriate security measures, including: (i) encryption during the transmission or storage of customer provided data at all times, to the current nationally recognized industry standards, such as the Advanced Encryption Standard (AES 256); (ii) maintaining an intrusion and vulnerability management program; (iii) centrally managed and automatically updating anti-malware technology; (iv) tracking and monitoring of all access to network resources; and (v) appropriate technological measures to prevent data leakage.
2.2 Security Assessment
At least annually, AvePoint will perform a security assessment of the Services. The security assessment will include, but is not limited to: (i) an ISO 27001:2013 certificate or equivalent; (ii) a web application assessment of the public-facing system or website; and (iii) a summary of its vulnerability testing.
2.3 Security Logging and Monitoring
If applicable, tenant level audit logs will be available to customers, which can be exported by the customer at its convenience. The tenant level audit logs will contain, as applicable, the following:
- User account information;
- Time stamps; and
- Operation actions performed by users
2.4 Configuration and Change Management
AvePoint has a documented and functional configuration and change management process which includes testing of all changes in production environments and documented approval process of changes.
2.5 Security Awareness Training
AvePoint also has a documented mandatory information security training and security awareness program. This includes general awareness training for all employees as well as role-specific training.
2.6 Secure Coding
AvePoint follows a set of secure coding guidelines such as the OWASP secure coding guidelines.
2.7 Incident and Breach Response Program
AvePoint has in place an incident response program to mitigate, detect and respond to security incidents which includes the tools to find, eliminate or isolate the cause of any such security incident.
2.8 Multi-Factor Authentication
AvePoint employs multi-factor authentication (as supported) for administrative access to any AvePoint systems supporting customer applications or systems.
2.9 Third Party Vendors
AvePoint’s third party vendor risk assessment program requires vendors to participate in an information security and privacy, GDPR, and due diligence and compliance risk assessment questionnaire, which includes reviews of security certifications such as SOC II, type 2 or equivalent certifications.
2.10 Separation of Duties
AvePoint has appropriate separation of duty (SOD) controls implemented for all system administration user roles that manage Customer’s Client Data or confidential information. All SOD are configured for least privilege to limit AvePoint’s access to customer information and will ensure that no single person has the ability to manipulate the hardware, software, or processing of the Services to commit fraud or perform unauthorized actions without the oversight of another person.
2.11 Access Review
At least annually, AvePoint conducts a review and validation of its system users’ accounts to ensure the continued need for system access.
2.12 Security Policy
AvePoint has implemented, and maintains, a comprehensive set of security policies that satisfies the requirements set forth herein.
AvePoint reviews its security policies regularly, and particularly following any changes in applicable law, advances in technology or changes to AvePoint’s information systems, in order to verify that the security policies and controls set out therein remain accurate, comprehensive and up to date.
2.13 Standards of Protection
AvePoint strives to secure and protect Customer Data by using at least the same degree of care as AvePoint uses to secure and protect its own confidential and proprietary information, and we work to ensure that in no event is Customer Data treated with anything less than reasonable care.
2.14 Risk Assessments and Mitigation
AvePoint performs regular (at least annually), comprehensive risk assessments with regard to data and business assets (e.g., facilities, equipment, devices, etc.), business processes, the threats against those assets and processes (both internal and external), the likelihood of those threats occurring and the impact upon the organization to determine an appropriate level of Information Security safeguards.
AvePoint manages, controls, and mitigates any risks identified in the Risk Assessment that could result in unauthorized access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of any Customer Data.
2.15 Organizational Security
Responsibility – AvePoint assigns responsibility for information security management to appropriate skilled and/or senior personnel only.
‘Need to Know’ Access – AvePoint restricts access to information systems used in connection with the services provided under each applicable customer agreement and/or to Customer Data to only those personnel who have sufficient technical expertise for the role assigned and know his or her obligations and the consequences of any security breach.
Confidentiality – AvePoint personnel who have accessed or otherwise been made aware of Customer Data maintain the confidentiality of such information.
2.16 Asset Management
Data Sensitivity – AvePoint acknowledges that it understands the sensitivity of the Customer Data.
Configuration Management – AvePoint has established a configuration baseline for all information systems using suitable knowledge resources, including applicable information security standards, manufacturer recommendations, and industry best practices. AvePoint has established appropriate monitoring to ensure that its information systems are configured in accordance with the established configuration baseline throughout the life of the information system.
2.17 Communications and Operations Management
Penetration Testing – On at least an annual basis, AvePoint will conduct a penetration test of AvePoint’s products.
Data Encryption – As applicable, AvePoint encrypts or protects by other technical means Customer Data in AvePoint’s possession or control so that it cannot be read, copied, changed or deleted by unauthorized personnel while in storage, including when saved on removable media. FIPS 140-2 Level 3 or ISO 19790 Level 3 compliant or equivalent encryption is required for certain data based on Customer determination.
Data Protection During Transmission or Transit – As applicable, AvePoint encrypts using an industry recognized encryption algorithm and protects Customer Data in AvePoint’s possession or control so that it cannot be read, copied, changed or deleted by unauthorized personnel during transmission or transit inside or outside of AvePoint’s internal network.
Network Ports – AvePoint restricts unauthorized network traffic to the environment that may process Customer Data.
Wireless Network – AvePoint ensures use of WiFi (aka 802.11) network traffic is encrypted using WPA2 with the AES encryption algorithm option and mutual authentication between the server and the end devices when accessing systems containing Customer Data.
Malicious Code – AvePoint detects the introduction or intrusion of malicious code on information systems handling or holding Customer Data and at no additional charge to customer, prevents the unauthorized access, disclosure or loss of the integrity of any Customer Data, and removes and eliminates any effects.
2.18 Access Control
Authorized Access – AvePoint maintains the logical separation such that access to all internal systems used by AvePoint that host the business relationship data that is used to provide services to customer will uniquely identify each individual requiring access, and grant access only to authorized personnel based on the principle of least privilege.
User Access Inventory – AvePoint maintains an accurate and up to date list of all personnel who have access to these systems and will have a process to promptly disable, within twenty-four (24) hours of transfer or termination, access by any individual personnel.
Authentication Credential Management – AvePoint communicates authentication credentials to users in a secure manner, with an appropriate proof of identity check of the intended users. Passwords are not stored or transmitted in readable form.
Logging & Monitoring – AvePoint logs and monitors all access to these information systems for additions, alterations, deletions, and copying.
Multi-Factor Authentication for Remote Access – AvePoint uses multi-factor authentication and a secure tunnel when accessing systems containing Customer Data remotely.
Multi-Factor Authentication for Internet Facing Applications – AvePoint requires multi-factor authentication for all users of Internet facing applications which permit financial instructions/transactions or display personally identifiable information.
2.19 Use of Laptops and Mobile Devices
Encryption Requirements – AvePoint encrypts any laptops or mobile devices (e.g., phones) containing Sensitive Customer Data used by AvePoint’s personnel using an industry recognized encryption algorithm with at least 256-bit AES encryption (or equivalent).
Secure Storage – AvePoint requires that all laptops and mobile devices be securely stored whenever out of the personnel’s immediate possession. In the event of a lost or stolen laptop or other mobile device containing Customer Data, AvePoint shall promptly notify customer.
Network/ Systems Password Storage – AvePoint prohibits use of laptops or other mobile devices (e.g., phones) to store network or system passwords that enable access to Customer systems or other systems that handle or hold Customer Data, unless such passwords are encrypted.
Remote Wipe/Inactivity Timeout – AvePoint employs access and password controls as well as inactivity timeouts of no longer than thirty (30) minutes on all laptops, desktops and mobile devices used by AvePoint’s personnel and maintains the ability to immediately upon knowledge remotely remove Customer Data from any mobile device lost, stolen or in possession of a terminated personnel.
Laptops/Mobile Devices – AvePoint prohibits access to Customer Data on laptops or mobile devices where the above requirements cannot be met.
2.20 Information Systems Acquisition Development and Maintenance
As shown in the above Data Access and Storage matrix, AvePoint employees do not have access to Customer Data. If applicable (e.g. for AvePoint’s Cloud Backup product), Customer Data will be processed by the AvePoint application solely for the purposes specified in each applicable agreement with a customer. Additionally, the following shall apply:
- No customer production data is used for any other purpose (e.g., QA testing, development testing, User Acceptance Test areas (UAT), training, demonstration, etc.).
- The production environment is a separate environment from any other non-production environment (e.g., development, UAT, etc.).
Software Patching – AvePoint regularly updates and patches all computer software on systems that handle or hold Customer Data, with patching for vulnerabilities rated ‘critical’ or ‘high’ applied within thirty (30) days of patch availability, unless other controls have been applied that mitigate the vulnerability.
Virus and other Malware Management – AvePoint provides protection from viruses and other malware (e.g. spyware, etc.) to AvePoint’s systems that handle or hold Customer Data, using the most recently distributed version of software including virus signatures updated at least every twenty-four (24) hours.
2.21 Incident Event and Communications Management
Incident Management/Notification of Breach – AvePoint has developed and implemented an incident response plan that specifies actions to be taken when AvePoint suspects or detects that a party has gained unauthorized access to Customer Data or systems or applications containing any Customer Data (the “Response Plan”).
The Response Plan includes:
- Incident Reporting – AvePoint will strive to promptly furnish to customer full details that AvePoint has or may obtain regarding the general circumstances and extent of such unauthorized access, including without limitation, the categories of Customer personal data and the number and/or identities of the data subjects affected, as well as any steps taken to secure the Customer Data and preserve information for any necessary investigation.
- Investigation & Prevention – AvePoint uses reasonable efforts to assist customer in investigating or preventing the reoccurrence of any such access and strives to (i) cooperate with the customer in its efforts to comply with statutory notice or other legal obligations applicable to customer or its clients arising out of unauthorized access or use and to seek injunctive or other equitable relief; and (ii) promptly take all reasonable actions necessary to prevent a reoccurrence of and mitigate against loss from any such unauthorized access.
- Personnel Training and Confidentiality – AvePoint has robust policies and procedures in place to ensure that all personnel fully understand the process and conditions under which they are required to invoke the appropriate incident response. AvePoint maintains strict confidentiality regarding actual or suspected unauthorized possession, use or knowledge of Customer Data or any other failure of AvePoint’s security measures or non-compliance with its security policies or procedures.
2.22 Limited Access
With respect to any AvePoint personnel who no longer requires, or is no longer authorized for whatever reason to have, access to Customer Data, where access is managed by customer, AvePoint will strive to so notify customer in writing at least twenty-four (24) hours prior to the date on which such access is no longer required or authorized; unless such access is removed under exigent circumstances such that twenty-four (24) hours prior notice is not possible in which case AvePoint will notify customer immediately upon knowledge that such access is being removed. Notwithstanding the above, AvePoint will immediately terminate access to customer systems and premises by any AvePoint personnel who is either removed or is no longer actively engaged in any customer assignment or if such personnel ceases to be an employee. All customer assets including any equipment, documentation or information will be returned upon the termination of their assignment with customer.
AvePoint strives to:
- Promptly notify customer if AvePoint identifies a gap in the security measures implemented by customer;
- Promptly provide customer with information regarding any failure of Customer’s security measures or any security breach related to Customer Data that AvePoint becomes aware of in connection with its performance of the services at customer’s facilities; and
- Maintain confidentiality towards third parties regarding any such failure of such security measures or any security, subject to legal disclosure obligations.
Customer resources, including computers, software, proprietary information, and telecommunications equipment will not be used for any activity not related to customer business. All assigned mobile devices that connect to customer are in possession of AvePoint’s Personnel at all times or kept in a secure location. The customer’s network will only be accessed through an approved connection (e.g., ASG, SSL VPN etc.).
In no event will any Customer Data be removed from customer’s premises or its network by AvePoint without prior authorization. Additionally, AvePoint personnel are prohibited from the following activities:
- Initiating or facilitating any unauthorized attempts to access customer information assets,
- Storing or sending of Customer Data or intellectual property to personal email accounts or any other personal accounts including, but not limited to, cloud storage accounts, any public location, social media sites, help forums or blogs,
- Copying, downloading or storing of Customer Data or intellectual property to removable data devices unless authorized and the device has been encrypted and approved by customer,
- Sharing of customer credentials (user IDs and passwords) and/or tokens with anyone or the use of customer credentials for accounts other than customer.
3. Personnel Management, Privacy, and Compliance
3.1 Background Check and Security Clearance
AvePoint’s assigned personnel comply with the customer’s policies and rules, including those relating to facilities access, systems access operating standards and procedures, user identification and password controls, corporate information, security and data protection and privacy, as in effect and as communicated to and accepted in writing by AvePoint from time to time as a condition to being provided access to customer’s premises, systems or Customer Data. AvePoint will not, and will ensure that AvePoint personnel do not, break, bypass, or circumvent, or attempt to break, bypass or circumvent, any security system of customer, or obtain, or attempt to obtain, access to any Customer Data other than as allowed by customer in compliance with this Policy.
AvePoint personnel assigned to perform the services or otherwise having access to Customer Data may, in AvePoint’s sole discretion, be subject to appropriate pre-employment background investigations performed by or on behalf of AvePoint consistent with industry standards taking into consideration the confidential nature of the services to be performed and the risk and severity of damage to customer or others that might result from its personnel’s negligence or wrongful conduct. Upon written request from customer and subject to applicable data protection restrictions, in its sole discretion, AvePoint will make available evidence (such as invoices for services) that the background investigations have been performed on such personnel.
3.2 Physical Security
Securing Physical Facilities – AvePoint maintains AvePoint internal systems in a physically secure environment that restricts access to only authorized individuals, detects any unauthorized access or access attempts, and reports incidents and non-conformance of security policy to management. A secure environment includes 24x7 security personnel governance or equivalent means of monitoring of controls for all relevant locations (including, without limitation, buildings, computer facilities, and records storage facilities).
3.3 Personal Data
Compliance – To the extent applicable, AvePoint will retain, handle, process, host, have access to and/or otherwise use any personal data contained within the Customer Data and perform its obligations hereunder in a manner that complies with all applicable laws, rules, regulations, ordinances, directives, decisions and codes, including, without limitation, relevant data protection and privacy laws.
Global Data Protection and Privacy – If and to the extent (i) AvePoint as a Processor processes Personal Data on behalf of customer as a Controller (as defined in Article 4 of the GDPR), and (ii) the customer is established within the EEA or Switzerland and/or to the extent AvePoint Processes Personal Data of Data Subjects located in the EEA or Switzerland on behalf of customer or a customer affiliate, the Parties will comply with the terms of and complete and execute AvePoint’s Data Processing Addendum (“DPA”) for the purpose of ensuring that such Processing is conducted in accordance with applicable laws, including EU Data Protection Legislation (as defined within the DPA). Capitalized terms used in this section shall be defined in any applicable DPA, and capitalized terms used but not defined herein or in such DPA shall have the same meanings as set out in any applicable agreement between AvePoint and the customer.