Skip to main content

Aware Platform Security

How we protect your data

At Aware, we make sure that data in our system is protected. We utilize several security features to keep customer data safe.

  • Data encryption in transit (TLS 1.2, SHA2, RSA2048)
  • Data encryption at rest (AES256 – 4096-bit RSA key per tenant, Key Rotation)
  • Multi-tenant Architecture (logically separated)
  • Hardened Network Infrastructure
  • Automated Vulnerability Scanning

The Aware platform is hosted by major cloud provider(s) in the United States. We leverage their platforms and the datacenters backing their services for multiple security controls. Platform-provided physical security controls can be described in detail upon further request. No part of the Aware Platform is hosted from the Aware office corporate LAN, we leverage cloud services for our SaaS offering.

Server Hardening

All servers housing customer data are stored on separate networks other than testing and development servers.

All production servers are hardened to enable only the necessary ports, remove default passwords, disable weak ciphers and protocols, and applied through desired state configuration. All servers are regularly scanned for vulnerabilities and monitored for proper patching.

Boundary and Network Defense

The production servers that host the Aware platform are backed by platform native DDoS protection. Additional rules for OWASP 10, SANS Top 25, CERT, SQL Injection, and XSS are configured at our endpoints and hosts. A variety of Web Application and host firewalls are in place to help keep the network protected. Ports to these services are whitelisted and the minimal amount of ports are open as needed for the Aware Platform requirements.

Data Storage

Customer data is hosted in our shared infrastructure and separated from other customer data through multi-tenancy.

Content databases are encrypted with separate keys from other customers.

The Aware service is hosted and maintained in industry-leading service providers that offer state-of-the-art service and physical protection. All data storages have had their default cloud access turned off and allow white-listed Aware-only traffic.

Code Security and Testing

Updates made to the source code undergo functional and security testing. Non-production environments are utilized as testing resources and do not contain customer information (only production contains customer information).

We utilize Static and Dynamic scanning to verify our compiled and deployed code is secure to the following standards: Latest OWASP, SANS Top 25, CERT, and PCI.

Penetration Testing

Quarterly Penetration tests are performed by a third party (or at Release milestones) to expose potential vulnerabilities. Additional third-party penetration tests are performed annually as required by platform partnerships. Summary reports for these penetration tests are made available upon request.

Access Controls

At Aware, we operate under two main models: need-to-know and least-privilege. These models, in conjunction with segregation of duties, help add organizational controls to prevent any one user from having too much control.

Systems, as defined by our Records Classification, Retention, and Disposition Policy, are reviewed at-least quarterly to ensure that permissions are current. Account actions are logged within with the Azure platform to provide an audit trail of account actions. Access reviews occur quarterly on these accounts.

System Monitoring and Logs

Aware monitors security related logs to give a comprehensive view of the state of the system at any given time. These logs are retained for 90 days. Alerts and reporting are built into this system to give our engineering team the capability to detect and respond to incidents. Access, Network, Host, and Application logs are all correlated to our log aggregation stack. These logs have additional monitoring and alerting for added visibility into the performance and availability of the production servers. We use tooling that provides vulnerability scanning for all assets in the cloud and this tooling is monitored frequently to ensure gaps are addressed in a timely manner.

Disaster Recovery and Business Continuity Plan

Our Business Continuity Management System is based upon ISO22301. We utilize redundant services to ensure high availability, uptime, and performance. These services were architected to allow for horizontal and vertical scaling. In the event of a disaster, the Aware engineering team leverages the native cloud backups to restore customer data. These backups are encrypted and securely transferred to protect customer data. This BCDR process is tested annually.

Data-disposal and Customer Data Retention

Aware customers can utilize our retention module to limit the length of time in which data is store on Aware servers. At customer request or termination of service, we utilize a secure disposal process which adheres to NIST 800-88 (Guidelines for Media Sanitization) to remove customer data from our data stores. All customer data is removed from the Aware Platform 30 days after termination of service.