Security
Avanade takes customer privacy and confidentiality concerns seriously. Avanade's network operations centers, audited under SSAE 16 SOC 1 Type II (the successor to SAS 70), employ an array of physical, procedural, toolset and data security measures, including:
Avanade is an SSAE 16 SOC 1 Type II compliant service provider. As such, our controls are audited annually to verify that they remain in place and operating effectively.
Avanade does not operate any FIPS-compliant datacenters of its own. Some of our key datacenter partners are FIPS compliant, and they certify our services for systems run in their datacenters.
The Avanade Network Operations Center (NOC) Team consists of highly trained, Microsoft certified professionals who submit to formal background screening up to a Level 5 public trust / moderate risk.
All sessions between the customer and the Avanade Network Operations Center are encrypted using FIPS 140-2 approved algorithms.
The Avanade SecureX management platform allows Avanade to perform maintenance and repair procedures without direct access to customer server consoles. All actions are validated and logged by this system. Logs are monitored and audited in a multi-tiered fashion within the NOC, so that no single person can operate without oversight.
Avanade standard deployments include the lockdown of application controls. For instance, Exchange Send/Receive/Read/Write rights (and therefore mailbox access) are restricted to the mailbox owner. Accounts used by the Avanade team are expressly denied access to mailbox content. Any change to these rights is logged and auditable via the Windows Security event logs.
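The mailbox lockdown described above is something a customer can verify for themselves rather than take on trust. The following is an added example, not Avanade's code or part of the SecureX platform: it runs in an on-premises Exchange Management Shell, lists every explicit mailbox permission granted to someone other than the mailbox owner, and then pulls the Exchange administrator audit log for recent permission changes. It assumes the Exchange admin audit log is enabled (this complements, rather than replaces, the Windows Security event log mentioned above) and that cmdlet names and output fields match on-premises Exchange; Exchange Online differs in places.

```powershell
# Added example (not Avanade's code): audit non-owner mailbox access and the
# trail of permission changes in an on-premises Exchange organization.
# Assumes the Exchange Management Shell is loaded and admin audit logging is on.

# 1. Find every explicit (non-inherited) mailbox permission held by a principal
#    other than the mailbox owner (NT AUTHORITY\SELF). Anything returned here is
#    a deviation from "owner-only" access and should have a documented reason.
$nonOwnerAccess = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object {
        -not $_.IsInherited -and
        $_.User -notlike 'NT AUTHORITY\SELF' -and
        $_.User -notlike 'S-1-5-*'          # orphaned SIDs are reviewed separately
    } |
    Select-Object Identity, User, AccessRights, Deny

$nonOwnerAccess | Format-Table -AutoSize

# 2. Confirm administrator audit logging is enabled and see how long entries are
#    retained; without it, step 3 returns nothing.
Get-AdminAuditLogConfig | Select-Object AdminAuditLogEnabled, AdminAuditLogAgeLimit

# 3. List who added or removed mailbox permissions in the last 30 days. Each
#    entry records the caller, the cmdlet and the mailbox it touched, which is
#    the evidence an auditor will ask for when reviewing the control above.
Search-AdminAuditLog -Cmdlets Add-MailboxPermission, Remove-MailboxPermission `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified |
    Format-Table -AutoSize
```

Run step 1 on a schedule and diff the output against the previous run; a new row naming a service or administrative account is exactly the condition the lockdown is meant to prevent, and step 3 tells you who created it.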
Avanade offices and common areas are physically isolated from the network operations and data centers.
Avanade has card access control at all interior and exterior doors.
Avanade utilizes firewalls together with intrusion detection and intrusion prevention systems (IDS/IPS).
There have been questions about Business Associate Agreements (BAAs) under HIPAA and whether Avanade is subject to them. Avanade is NOT subject to any HIPAA BAA under the criteria published by the U.S. Department of Health and Human Services. The Avanade service does not involve the use or disclosure of PHI, and any access would be incidental (for example, during a mailbox restore).
Avanade provides Managed Services to customers subject to a range of regulatory and compliance regimes, including Sarbanes-Oxley, PCI DSS, HIPAA, NERC CIP, FISMA, GLBA and FFIEC guidance.