Avela Security Risk & Compliance
Last Modified: August 12, 2024
Avela empowers district leaders and education administrators to boost enrollment, streamline operations, support families, and promote equity using research-proven approaches. We care deeply about your security and privacy and follow all security best practices and compliance standards.
Avela SOC 2 Type II Compliant
Avela aced our annual compliance audit with “no qualifications.” This process verifies our security, availability, integrity, confidentiality, and privacy policies and practices. SOC 2 is the “gold standard” for compliance and is considered the most rigorous report, and the Type II designation means we were also observed over a period of three months.
Avela Security Practices Overview
Information Security
Avela encrypts and protects sensitive information across the transformation and analysis process.
Data in Transit – TLS encryption for all data exchanged. Additional security is available for dedicated VPN connections between the customer and Avela.
Data at Rest – AES 256-bit encryption
Network Security – Intrusion detection systems and alerts to monitor for real-time threats.
Access Management & Authentication
Avela’s platform provides full control of access to all hosted information.
Account Authentication: Family access requires email and phone verification; administrative access is by invitation only
Password Policies: Required strength factors (minimum characters, required numbers and special characters, common passwords rejected), salted and hashed password storage, and password resets
Granular Access Control and Review: Role-based access, visibility, and user access rights; regular access review and analysis
Audit and Access Logging: Detailed tracking and audit logging of all activities related to the application environment and administrative activity.
Software Development Practices
Security processes have been fully integrated into the Avela software development processes. Developers receive training that focuses on OWASP-specific guidelines. In addition, processes are set up to allow for separation of duties and segmentation of platforms across dev, staging, and production.
OWASP-based security controls design
Separation between dev, staging, and prod
Use of test data in development environment
Code peer review
Penetration testing
Code repository controls
Threat modeling
Deployment controls
Infrastructure Security
Avela leverages Amazon Web Services (AWS). We utilize hardening practices from the Center for Internet Security (CIS) Benchmarks for the platform configuration. Avela can make available all applicable standards, AWS certifications and accreditations, along with physical security controls.
Company Policies and Procedures
Avela’s security, risk, and compliance processes were developed based on industry best practices and are reviewed and updated on an annual basis or upon any significant change.
Security Policies and Training – All employees go through required training upon hire and must recertify on an annual basis. Policies include:
Access Control
Business Continuity
Disaster Recovery
Cryptographic Controls
Data Management
Human Resources Security
Information Security
Operations Security
Physical Security
Risk Management
Third Party Risk Management
Platform Security – Ongoing security activities, including:
Network intrusion detection and Web Application Firewall
Regular external vulnerability scanning
Penetration testing
System, network, application log analysis, reporting, and retention
Incident Response Planning & Team in place to triage and respond to any significant security event, restore system resiliency, minimize impact, and protect customer data.
Regular Third-Party Security Review that identifies and evaluates security risks of vendors and third parties.
Standards and Certification
Avela is committed to establishing and maintaining compliance with key information security and regulatory standards, including SOC 2 and the CSA Controls Matrix.
Avela and third-party certification and verification reports are available for limited distribution and shared under non-disclosure agreements.
Helpful Links
CSA Security Standards - https://cloudsecurityalliance.org/star/
AWS Risk and Compliance - https://aws.amazon.com/compliance/programs/
Avela Privacy Policy - https://avela.org/terms