Compliance with security/audit framework

At Aivo, we have our own ISO certifications (ISO 27001 and ISO 9000), ensuring compliance with legal requirements and secure handling of information. The remaining certifications are from our cloud infrastructure provider, Amazon Web Services (AWS aws.amazon.com/security).

Segmentation of environments

Our production environment is completely separate from DEV, TEST and QA. Aivo doesn't use data from the production environment in other environments.

We have AWS IAM to manage separate and restricted AWS credentials for each of our environments. This limits the services available for each environment and divides them into compartments.

Thanks to strict role-based access control (RBAC), we avoid any type of incorrect access. We also use two-factor authentication for this kind of access.

Data protection

To guarantee data protection, we use strict access controls along with robust encryption.

Aivo staff doesn't access or interact with customer data or applications as part of normal operations, unless requested or as required by law.

All of our customers’ data (whether stored or traveling over public networks) is encrypted using TLS 1.2 or higher. Implementing TLS establishes the use of strong, industry-approved encryption.

Databases are encrypted using the AES-256 algorithm.

High availability

Aivo has developed a high availability setup based on active-active clusters, supported by the use of multi zones, ensuring that each service is active in at least three computer centers simultaneously.

Database replication has also been implemented with a master-slave setup, each with automatic replication in a different zone. This deployment automatically provides and maintains synchronous standby replication within a different availability zone.

The entire solution is behind a load balancing cluster that handles distributing the workload among all the instances.

Data isolation

We offer our services through multi-tenant architecture. This means the application and infrastructure are shared among several customers.

To ensure the confidentiality, integrity and availability of customer information, our solution ensures that:

• Each customer can only access their own data and metadata.
• Dynamic scalability to satisfy peak demand.
• Each customer can only see their settings and customizations.
• Excessive consumption by one customer doesn't affect performance for other customers.

Data privacy

We are GDPR-compliant. We protect the personal data of customers and users thanks to specially designed technical, physical and administrative security measures.

We don't store sensitive customer information. The data we collect is strictly detailed in our Privacy Policy.

We only use the collected information in accordance with this policy and for specifically stated reasons.

We guarantee the data protection rights of customers and users and provide a way to exercise them effectively.

If you have any concern, contact our Privacy Officer: Florencia Scarafía (legal@aivo.co)

Security in apps and infrastructure

We have external providers that regularly analyze and monitor our apps and network to detect vulnerabilities. This helps us avoid potential security problems on our apps, servers and network layers. Assessments include:

• Testing web applications to detect known security vulnerabilities, including cross-site scripting, SQL injection, etc.
• Vulnerability scans for insecure configurations on servers.
• Different authentication measures, including Basic, Digest, Kerberos or NTLM.
• Checks against common database injections, like php, jsp, asp SQL and XPath injection attacks.

We also perform regular static and dynamic code reviews.

Single sign-on (SSO)

Honoring our commitment to constantly improve cybersecurity, Aivo added SSO access to the platform. You can login to my.aivo.co through different protocols, such as SAML.

With a single point for login and credentials, productivity and user experience are enhanced. At the same time, it reinforces the company's security against the threats of modern digital life.

Incident management policy

All system events are recorded in a central registry, with any unusual event marked for review.

All the user's actions are recorded in a secure access log, which recognizes the user's information, the time stamp, the IP address, etc. and the resources that are accessed. This information can then be retrieved quickly if a forensic investigation is needed.

We plan to always inform our customers about incidents related to their data security (as soon as it's safe and wise to do so), and we'll share any relevant information to allow customers to take any necessary steps on their end.