Data Protection and Information Security Standard

This data protection and information security standard represents the core information security standard practices for AvePoint, as it pertains to our treatment of customer data. Our information security program is a structured approach to develop, implement, and maintain an organizational environment that is conducive to appropriate information security, and it is AvePoint’s goal that all customer interactions reflect our respect for information privacy and our commitment to transparency in communication.

1. How AvePoint Categorizes Data

1.1 AvePoint Data Categories and Definitions

Administrator Data

Is the information about administrators supplied during signup, purchase, or administration of AvePoint services, such as names, phone numbers, and email addresses. It also includes aggregated usage information and data associated with your account, such as the controls you select. We use administrator data to provide services, complete transactions, service the account, and detect and prevent fraud.

Customer Data

Is all data, including all objects and containers that reside in customer’s environments. Customer Data includes, for example, SharePoint site collections, lists and libraries, or Exchange mailboxes, as well as customer content, which is a subset of Customer Data that includes, in part, Exchange Online email body and attachments, SharePoint Online site file content, and IM conversations.

Configuration Data

Is information provided by you, or on your behalf, that is used to identify or configure application, such as backup settings, service requests, as well as object/container scopes, but does not include their content or user identities. Examples of Configuration Data include the site collection URLs, admin user IDs, service requests (and their metadata such as requestor, template and settings, as applicable). Customers should not include Personal Data or other sensitive information in object metadata because object metadata may be shared across global AvePoint systems to facilitate operations and troubleshooting.

Account and Payment Data

Is data that AvePoint collects to maintain a business relationship with you. This includes the information you provide when making purchases with AvePoint. AvePoint does not process credit card payments directly, and all credit card payments are processed by a third party that is responsible for PCI compliance.

Personal Data

Means any information relating to an identified or identifiable natural person. In other words, Personal Data is any data that is associated with a specific person. Personal data provided by our customers through their use of our products and services, such as the names and contact information of customer end users, would also be Account and Payment data. But personal data could also include certain data that is not account and payment data, such as the user id our service assigns to each user; such personal data is considered pseudonymous because it alone cannot identify the individual.

Support and Consulting Data

Means all data, including all text, sound, video, image files, or software, that are provided to AvePoint by, or on behalf of, Customer (or that Customer authorizes AvePoint to obtain from an Online Service) through an engagement with AvePoint to obtain Professional Services or Support. This may include information collected over phone, chat, e-mail, or web form. It may include description of problems, files transferred to AvePoint to resolve support issues, automated troubleshooters, or by accessing customer systems remotely with customer permission. It does not include Administrator Data or payment data.

Data Storage and Location Matrix

  Data Stored and Encrypted by AvePoint? (Yes/No/NA) Data Accessible by AvePoint Employees? (Yes/No/NA) Data Storage Location
Administrator Data Yes, encryption provided by third party software Yes, authorized personnel to based on business needs US – Based in Microsoft Dynamics data center
Customer Data Yes, for AvePoint cloud applications that are backup and archiving in nature
(backup copy)1

Yes, for tyGraph
products2

NA, for on-premises
and other AvePoint
cloud applications
No

*tyGraph has limited
access to customer
resources, using the
principal of least privilege
access, necessary to perform monitoring and
support of the service.
Customer selected
data center
Configuration Data Yes, for cloud applications


NA, for on-premises
Yes, for cloud applications,
only by authorized support
personnel when necessary,
during investigation
customer initiated support
case


No, for on-premises
Customer selected data center
Account and Payment Data Yes, encryption is provided by third party software Yes, authorized personnel based on business needs US – Based in Microsoft Dynamics data center
Support and Consulting Data Yes, disk level encryption Yes, only by authorized
personnel when necessary,
during investigation
customer initiated support
case or services
A combination of
Azure, AWS and local
servers at AvePoint
offices.


Note 1: Cloud applications that are backup and archiving in nature (for example, Cloud Backup and Cloud Archiving) will copy Customer data to encryption-enabled Azure Storage located in the data center selected by customer, under instructions from customer's personnel. The stored backup data is further encrypted by application with keys unique to each tenant. No AvePoint employees can decrypt the encrypted content on the storage. In addition, customers have the option to use their own encryption key (BYOK) and their own storage (BYOS).

Note 2: TyGraph collects content from Yammer posts only for analytics. Document and email content is not part of the data collection. Data is encrypted using TLS 1.2 in transit as per the requirements of Microsoft and encrypted at rest using AES 256, the Microsoft Azure Standard.

Note 3: For the government sovereignty AOS environments (US FedRAMP and 21V), only citizens of these countries will be providing Cloud Ops and support operations.


General. When a customer tries, purchases, uses, or subscribes to AvePoint Products, or obtains support for or professional services with such products, AvePoint collects data to provide the service (including uses compatible with providing the service), provide the best experiences with our products, operate our business, and communicate with the customer. For example:

  • When a customer engages with an AvePoint sales representative, we collect the customer’s name and contact data, along with information about the customer’s organization, to support that engagement.
  • When a customer interacts with an AvePoint support professional, we might collect device and usage data or error reports to diagnose and resolve problems.
  • When a customer pays for products, we collect contact and payment data to process the payment.
  • When AvePoint sends communications to a customer, we use data to personalize the content of the communication.
  • When a customer engages with AvePoint for professional services, we collect the name and contact data of the customer’s designated point of contact and use information provided by the customer to perform the services that the customer has requested.

1.2 How AvePoint Manages Data

You Own Your Data

Customer data is only used to provide agreed upon services and if you leave the service, we take the necessary steps to ensure the continued ownership of your data

Where Your Data Is Located

The data location depends on the specific nature of the data as outlined in the Data Storage and Location Matrix.

1.3 Who Has Access To Data

You do! We take strong measures to help protect Customer Data from inappropriate access or use by unauthorized persons, either external or internal, and to prevent customers from gaining access to one another’s data. AvePoint operations and support personnel are located around the globe to help ensure that appropriate personnel are available 24 hours a day, 365 days a year. We have automated a majority of our service operations so that only a small set requires human interaction. More details are available in the Data Storage and Location Matrix.

1.4 How does AvePoint handle access requests from third parties (in particular governmental authorities such as enforcement or intelligence agencies)?

Any third-party requests for data access are subjected to a legal assessment by qualified personnel. AvePoint will inform customers whose data is affected by such requests without undue delay. Access to or disclosure of a customer’s data will only be granted if AvePoint’s legal assessment has determined that there is an applicable and legally valid basis and that the request must be granted on that basis. Any access or disclosure will be limited to the mandatory minimum. Further, AvePoint will seek legal remedy against the request by any means that have an acceptable prospect of success, including, where applicable, lawsuits or measures of injunctive relief. AvePoint will also reasonably cooperate in the customer's own legal defense against the access request.

1.5 Data Retention and Migration

Upon cancellation, termination or expiration of a Subscription or termination of this agreement, Customer Data in the SaaS Solutions will be preserved for fifteen (15) days (the "Retention Period") and, upon request, made available to Customer within a commercially reasonable timeframe. After the Retention Period, such Customer Data will be permanently deleted from AvePoint's Server and unrecoverable by Customer. After the Retention Period, AvePoint makes no representations or warranties as to the preservation or integrity of Customer Data. AvePoint shall have no obligation to retain Customer Data after the Retention Period, unless otherwise prohibited by law. If Customer renews its Subscription to the SaaS Solutions prior to the end of the Retention Period, Customer Data shall remain available to Customer. AvePoint maintains a retention and deletion schedule per the AvePoint Document Retention and Destruction Policy.

Before the Retention Period ends, Customer may request AvePoint to provide certain data migration and/or export services: (1) Generated Data Export Services Providing a copy of the Customer’s Generated Data for export to another Cloud Storage Provider or on-premises location of Customer’s choosing; or (2) Data Migration Services - Migration services to assist in the transitioning to or from Customer-provided storage to or from alternative storage of Customer’s choosing, or migration of data between Customer’s online services tenant and another online services tenant, whether within the same region or across regions. In either instance, AvePoint shall assess whether and to what extent such export/migration is reasonably possible. If AvePoint elects to provide such services, it will do so at its then current rates, unless otherwise agreed in writing between AvePoint and Customer.

2. Privacy and Information Security

2.1 Information Security

AvePoint will perform and provide the Services to our customers in such a manner so as to minimize the threat of unauthorized access to confidential information. AvePoint has implemented and maintains a comprehensive, written information security program that contains administrative, technical and procedural measures and physical safeguards designed to protect the security and confidentiality of confidential information, and to protect against any anticipated threats or hazards to the security and integrity of such information. AvePoint utilizes appropriate security measures, including: (i) encryption during the transmission or storage of customer provided data at all times, to the current national recognized industry standards, such as the Advanced Encryption Standard (AES 256); (ii) maintaining an intrusion and vulnerability management program; (iii) centrally managed and automatically updating anti-malware technology; (iv) tracking and monitoring of all access to network resources; and (v) appropriate technological measures to prevent data leakage.

2.2 Security Assessment

At least annually, AvePoint will perform a security assessment of the Services. The security assessment will include but is not limited to: (i) an ISO 27001:2013 certificate or equivalent; (ii) a web application assessment of the public-facing system or website; and (iii) a summary of its vulnerability testing.

2.3 Security Logging and Monitoring

If applicable, tenant level audit logs will be available to customers, which can be exported by the customer at its convenience. The tenant level audit logs will contain, as applicable, the following:

  • User account information;
  • Time stamps; and
  • Operation actions performed by users

2.4 Configuration and Change Management

AvePoint has a documented and functional configuration and change management process which includes testing of all changes in production environments and documented approval process of changes.

2.5 Security Awareness Training

AvePoint also has a documented mandatory information security training and security awareness program. This includes general awareness training for all employees as well as role-specific training.

2.6 Secure Coding

AvePoint follows a set of secure coding guidelines such as the OWASP secure coding guidelines.

2.7 Incident and Breach Response Program

AvePoint has in place an incident response program to mitigate, detect and respond to security incidents which includes the tools to find, eliminate or isolate the cause of any such security incident.

2.8 Multi-Factor Authentication

AvePoint employs a multi-factor authentication (as supported) for administrative access to any AvePoint systems supporting customer applications or systems.

2.9 Third Party Vendors

AvePoint’s third party vendor risk assessment program requires vendors to participate in an information security and privacy, GDPR, and due diligence and compliance risk assessment questionnaire, which includes reviews of security certifications such as SOC II, type 2 or equivalent certifications.

2.10 Separation of Duties

AvePoint has appropriate separation of duty (SOD) controls implemented for all system administration user roles that manage Customer’s Client Data or confidential information. All SOD are configured for least privileged access to limit AvePoint’s access to Customer information and will ensure that no single person has the ability to manipulate the hardware, software, or processing of the Services to commit fraud or perform unauthorized actions without the oversight of another person.

2.11 System Access Review

At least annually, AvePoint conducts a review and validation of key users for critical systems to ensure the continued need for access and permissions are appropriate.

2.12 Security Policy

AvePoint has implemented, and maintains, a comprehensive set of security policies that satisfies the requirements set forth below.

AvePoint reviews its security policies regularly, and particularly following any changes in applicable law, advances in technology or changes to AvePoint’s information systems, in order to verify that the security policies and controls set out therein remain accurate, comprehensive, and up to date.

2.13 Standards of Protection

AvePoint strives to secure and protect Customer Data by using at least the same degree of care as AvePoint uses to secure and protect its own confidential and proprietary information, and we work to ensure that in no event is Customer Data treated with anything less than reasonable care.

2.14 Risk Assessments and Mitigation

AvePoint performs regular (at least annually), comprehensive risk assessments with regard to data and business assets (e.g., facilities, equipment, devices, etc.), business processes, the threats against those assets and processes (both internal and external), the likelihood of those threats occurring and the impact upon the organization to determine an appropriate level of Information Security safeguards.

AvePoint manages, controls, and mitigates any risks identified in the Risk Assessment that could result in unauthorized access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of any Customer Data.

2.15 Organizational Security

Responsibility – AvePoint assigns responsibility for information security management to appropriate skilled and/or senior personnel only.

‘Need to Know’ Access – AvePoint restricts access to information systems used in connection with the services provided under each applicable Customer agreement and/or to Customer Data to only those personnel who have sufficient technical expertise for the role assigned and know his or her obligations and the consequences of any security breach.

Confidentiality – AvePoint personnel who have accessed or otherwise been made known of Customer Data maintain the confidentiality of such information.

2.16 Asset Management

Data Sensitivity – AvePoint acknowledges that it understands the sensitivity of the Customer Data.

Configuration Management – AvePoint has established a configuration baseline for all information systems using suitable knowledge resources, including applicable information security standards, manufacturer recommendations, and industry best practices. AvePoint has established appropriate monitoring to ensure that its information systems are configured according with established configuration baseline throughout the life of the information system.

2.17 Communications and Operations Management

Penetration Testing – On at least an annual basis, AvePoint will conduct a penetration test of AvePoint’s products.

Data Encryption – As applicable, AvePoint encrypts or protects by other technical means Customer Data in AvePoint’s possession or control so that it cannot be read, copied, changed or deleted by unauthorized personnel while in storage, including when saved on removable media. FIPS 140-2 Level 3 or ISO 19790 Level 3 compliant or equivalent encryption is required for certain data based on Customer determination.

Data Protection During Transmission or Transit – As applicable, AvePoint encrypts using an industry recognized encryption algorithm and protect Customer Data in AvePoint’s possession or control so that it cannot be read, copied, changed or deleted by unauthorized personnel during transmission or transit inside or outside of AvePoint’s internal network.

Network Ports – AvePoint restricts unauthorized network traffic to the environment that may process Customer Data.

Wireless Network – AvePoint ensures use of Wi-Fi (aka 802.11) network traffic is encrypted using WPA2 with the AES encryption algorithm option and mutual authentication between the server and the end devices when accessing systems containing Customer Data.

Malicious Code – AvePoint detects the introduction or intrusion of malicious code on information systems handling or holding Customer Data and at no additional charge to Customer prevent the unauthorized access, disclosure or loss of integrity of any Customer Data and remove and eliminate any effects.

2.18 Access Control

Systems used by AvePoint that host the business relationship data that is used to provide services to Customer will uniquely identify each individual requiring access, grant access only to authorized personnel based on the principle of least privileges.

User Access Inventory – AvePoint maintains an accurate and up to date list of all personnel who have access to these systems and will have a process to promptly disable within twenty-four (24) hours of transfer or termination access by any individual personnel.

Authentication Credential Management – AvePoint communicates authentication credentials to users in a secure manner, with an appropriate proof of identity check of the intended users. Passwords are not to be stored or transmitted in readable form.

Logging & Monitoring – AvePoint logs and monitor all access to these information systems for additions, alterations, deletions, and copying. Multi-Factor Authentication for Remote Access – AvePoint uses multi factor authentication and a secure tunnel when accessing systems containing Customer Data remotely.

Multi-Factor Authentication for Internet Facing Applications –AvePoint requires multi-factor authentication for all users of Internet facing applications which permit financial instructions/transactions or display personally identifiable information.

2.19 Use of Laptops and Mobile Devices

Encryption Requirements – AvePoint encrypts any laptops or mobile devices (e.g., phones) containing Sensitive Customer Data used by AvePoint’s personnel using an industry recognized encryption algorithm with at least 256-bit encryption AES (or equivalent).

Secure Storage – AvePoint requires that all laptops and mobile devices be securely stored whenever out of the personnel’s immediate possession. In the event of a lost or stolen laptop or other mobile device containing Customer Data, AvePoint shall promptly notify Customer.

Network/ Systems Password Storage – AvePoint prohibits use of laptops or other mobile devices (e.g., phones) to store network or system passwords that enable access to Customer systems or other systems that handle or hold Customer Data, unless such passwords are encrypted.

Remote Wipe/Inactivity Timeout – AvePoint employs access and password controls as well as inactivity timeouts of no longer than thirty (30) minutes on all laptops, desktops and mobile devices used by AvePoint’s personnel and maintains the ability to immediately upon knowledge remotely remove all AvePoint data from any mobile device lost, stolen or in possession of a terminated personnel.

Laptops/Mobile Devices – AvePoint prohibits access to Customer Data on laptops or mobile devices where the above requirements cannot be met.

2.20 Information Systems Acquisition Development and Maintenance

As shown in above Data Access and Storage matrix, AvePoint employees do not have access to Customer Data. If applicable, like the case of cloud backup situation, Customer Data will be processed by AvePoint application solely for the purposes specified in each applicable agreement with a customer. Additionally, the following apply:

  • No customer production data is used for any other purpose (e.g., QA testing, development testing, User Acceptance Test areas (UAT), training, demonstration, etc.).
  • The production environment is a separate environment from any other non-production environment (e.g., development, UAT, etc.).

Software Patching – AvePoint regularly updates and patch all computer software on systems that handle or hold Customer Data, with patching for vulnerabilities rated ‘critical’ or ‘high’ applied within thirty (30) days of patch availability, unless other controls have been applied that mitigate the vulnerability.

Virus and other Malware Management – AvePoint provides protection from viruses and other malware (e.g., spyware, etc.) to AvePoint’s systems that handle or hold Customer Data, using the most recently distributed version of software including virus signatures updated at least every twenty-four (24) hours.

2.21 Incident Event and Communications Management

Incident Management/Notification of Breach - AvePoint has developed and implemented an incident response plan that specifies actions to be taken when AvePoint suspects or detects that a party has gained unauthorized access to Customer Data or systems or applications containing any Customer Data (the “Response Plan”).

The Response Plan includes:

  • Incident Reporting – AvePoint will strive to promptly furnish to Customer full details that AvePoint has or may obtain regarding the general circumstances and extent of such unauthorized access, including without limitation, the categories of Customer personal data and the number and/or identities of the data subjects affected, as well as any steps taken to secure the Customer Data and preserve information for any necessary investigation.
  • Investigation & Prevention – AvePoint uses reasonable efforts to assist Customer in investigating or preventing the reoccurrence of any such access and strives to (i) cooperate with the Customer in its efforts to comply with statutory notice or other legal obligations applicable to Customer or its clients arising out of unauthorized access or use and to seek injunctive or other equitable relief; and (ii) promptly take all reasonable actions necessary to prevent a reoccurrence of and mitigate against loss from any such authorized access.
  • Personnel Training and Confidentiality – AvePoint has robust policies and procedures in place to ensure that all personnel fully understand the process and conditions under which they are required to invoke the appropriate incident response. AvePoint maintains strict confidentiality regarding actual or suspected authorized possession, use or knowledge of Customer’s Data or any other failure of AvePoint’s security measures or non-compliance with its security policies or procedures.

2.22 Limited Access

With respect to any AvePoint personnel who no longer requires, or is no longer authorized for whatever reason to have, access to Customer Data, where access is managed by Customer, AvePoint will strive to so notify Customer in writing at least twenty-four (24) hours prior to the date on which such access is no longer required or authorized; unless such access is removed under exigent circumstances such that twenty-four (24) hours prior notice is not possible in which case AvePoint will notify Customer immediately upon knowledge that such access is being removed. Notwithstanding the above, AvePoint will immediately terminate access to Customer systems and premises by any AvePoint personnel who is either removed or is no longer actively engaged in any Customer assignment or if such personnel ceases to be an employee. All Customer assets including any equipment, documentation or information will be returned upon the termination of their assignment with Customer.

AvePoint strives to:

  • Promptly notify Customer if AvePoint identifies a gap in the security measures implemented by Customer;
  • Promptly provide Customer with information regarding any failure of Customer’s security measures or any security breach related to Customer Data that AvePoint becomes aware of in connection with its performance of the services at Customer’s facilities; and
  • Maintain confidentiality towards third parties regarding any such failure of such security measures or any security, subject to legal disclosure obligations.

Customer resources, including computers, software, proprietary information, and telecommunications equipment will not be used for any activity not related to Customer business. All assigned mobile devices that connect to Customer are in possession of AvePoint’s Personnel at all times or kept in a secure location. The Customer’s network will only be accessed through an approved connection (e.g., ASG, SSL VPN etc.).

Notwithstanding anything to the contrary contained in this Standard or each applicable Customer agreement generally, if at any time AvePoint is required to copy (in print, electronic or other form), transport, transmit, transfer or otherwise move any Customer Data to carry out its obligations under each applicable agreement, we will only do so if such printed or moved Customer Data remains on Customer’s premises, and within Customer’s network, as applicable, at all times. In no event will any Customer Data be removed from Customer’s premises or its network by AvePoint without prior authorization. Additionally, AvePoint personnel are prohibited from the following activities:

  • Initiating or facilitating any unauthorized attempts to access Customer information assets,
  • Storing or sending of Customer Data or intellectual property to personal email accounts or any other personal account including but not limited to cloud storage account, any public location, social media sites, help forums or blogs,
  • Copying, downloading or storing of Customer Data or intellectual property to removable data devices unless authorized and the device has been encrypted and approved by Customer,
  • Sharing of Customer credentials (user IDs and passwords) and/or tokens with anyone or the use of Customer credentials for accounts other than Customer.

3. Personnel Management, Privacy, and Compliance

3.1 Background Check and Security Clearance

AvePoint’s assigned personnel comply with the Customer’s policies and rules, including those relating to facilities access, systems access operating standards and procedures, user identification and password controls, corporate information, security and data protection and privacy, as in effect and as communicated to and accepted in writing by AvePoint from time to time as a condition to being provided access to Customer’s premises, systems or Customer Data. AvePoint will not, and will ensure that AvePoint personnel do not, break, bypass, or circumvent, or attempt to break, bypass or circumvent, any security system of Customer, or obtain, or attempt to obtain, access to any Customer Data other than as allowed by Customer in compliance with this Standard. AvePoint personnel assigned to perform the services or otherwise having access to Customer Data may, in AvePoint’s sole discretion, be subject to appropriate pre-employment background investigations performed by or on behalf of AvePoint consistent with industry standards taking into consideration the confidential nature of the services to be performed and the risk and severity of damage to Customer or others that might result from its personnel’s negligence or wrongful conduct. Upon written request from Customer and subject to applicable data protection restrictions, in its sole discretion, AvePoint will make available evidence (such as invoices for services) that the background investigations have been performed on such personnel.

3.2 Physical Security

Securing Physical Facilities – AvePoint maintains AvePoint internal systems in a physically secure environment that restricts access to only authorized individuals, detects any unauthorized access or access attempts, and reports incidents and non-conformance of security policy to management. A secure environment includes 24x7 security personnel governance or equivalent means of monitoring of controls for all relevant locations (including, without limitation, buildings, computer facilities, and records storage facilities).

3.3 Personal Data

Compliance – To the extent applicable, AvePoint will retain, handle, process, host, have access to and/or otherwise use any personal data contained within the Customer Data perform its obligations hereunder in a manner that complies with all applicable laws, rules, regulations, ordinances, directives, decisions and codes, including, without limitation, relevant data protection and privacy laws.

Global Data Protection and Privacy – If and to the extent (i) AvePoint as a Processor processes Personal Data on behalf of Customer as a Controller (as defined in Article 4 of the GDPR), and (ii) the Customer is established within the EEA or Switzerland and/or to the extent AvePoint Processes Personal Data of Data Subjects located in the EEA or Switzerland on behalf of Customer or a Customer Affiliate, the Parties will comply with the terms of and complete and execute AvePoint’s Data Processing Addendum (“DPA”) for the purpose of ensuring that such Processing is conducted in accordance with applicable laws, including EU Data Protection Legislation (as defined within the DPA). Capitalized terms used in this Section shall be defined in any applicable DPA, and capitalized terms used but not defined herein or in such DPA shall have the same meanings as set out in any applicable agreement between AvePoint and the Customer.

Visit Trust Center for more information