Security at Adverant

Enterprise-grade security built into every layer of our platform. Your data is protected by industry-leading encryption, compliance certifications, and continuous monitoring.

Last Updated: January 7, 2025

  • SOC 2 Type II: Certified. Annual audits by independent third-party security firms.
  • GDPR: Compliant. Full compliance with European data protection regulations.
  • FedRAMP: Ready. Prepared for government and military deployments.
  • HIPAA: Available. Healthcare data protection for qualified customers.

Security Overview

Security is not an afterthought at Adverant—it's a fundamental pillar of our platform design. We understand that you're entrusting us with your most sensitive data, from proprietary documents to knowledge graphs containing critical business intelligence.

Our security program is built on multiple layers of protection:

  • Infrastructure Security: Cloud-native architecture with network isolation
  • Data Protection: End-to-end encryption at rest and in transit
  • Access Management: Zero-trust architecture with multi-factor authentication
  • Continuous Monitoring: 24/7 security operations center (SOC)
  • Compliance: SOC 2, GDPR, FedRAMP Ready, HIPAA available

This page provides transparency into our security practices. For specific security questions or to report vulnerabilities, contact security@adverant.ai.

Infrastructure Security

Cloud Infrastructure

Adverant Nexus is hosted on enterprise-grade cloud infrastructure:

  • Primary Provider: Amazon Web Services (AWS) and Microsoft Azure
  • Multi-Region Deployment: Geographic redundancy across US, EU, and APAC
  • Availability Zones: Data replicated across multiple AZs for high availability
  • CDN: Cloudflare for DDoS protection and edge caching

Enterprise customers can choose specific regions for data residency compliance.

Network Isolation and VPCs

  • Services deployed in private Virtual Private Clouds (VPCs)
  • Network segmentation between production, staging, and development
  • Private subnets for databases and internal services
  • VPC peering for secure cross-region communication
  • Network ACLs and security groups for traffic filtering

DDoS Protection

  • Cloudflare WAF (Web Application Firewall) with Layer 7 protection
  • AWS Shield Standard for Layer 3/4 DDoS mitigation
  • Rate limiting and traffic shaping
  • Automated threat intelligence and IP reputation filtering
  • Real-time attack monitoring and alerting

Firewall Configurations

  • Stateful inspection firewalls at network perimeter
  • Default-deny policies for all inbound traffic
  • Whitelist-based access for administrative operations
  • Regular firewall rule audits and optimization

Data Security

End-to-End Encryption

All data is encrypted at every stage: in transit over networks, at rest in storage, and during processing. Your data is never accessible in plain text to unauthorized parties.

Encryption at Rest

  • Algorithm: AES-256 encryption for all stored data
  • Databases: PostgreSQL with Transparent Data Encryption (TDE)
  • Object Storage: AWS S3 Server-Side Encryption (SSE-KMS)
  • File Systems: Encrypted EBS volumes for all instances
  • Backups: Encrypted backups with separate encryption keys

Encryption in Transit

  • TLS 1.3: All API and web traffic uses TLS 1.3 with perfect forward secrecy
  • Certificate Management: Automated certificate rotation via AWS Certificate Manager
  • Internal Communication: Mutual TLS (mTLS) for service-to-service traffic
  • Database Connections: SSL/TLS encrypted connections required
  • WebSocket Encryption: WSS (WebSocket Secure) for real-time streams

Key Management

  • AWS KMS: Hardware security modules (HSMs) for key storage
  • Azure Key Vault: FIPS 140-2 Level 2 validated HSMs
  • Key Rotation: Automatic key rotation every 90 days
  • Access Logging: All key usage logged and monitored
  • Separation of Duties: No single person can access encryption keys

Database Encryption

  • PostgreSQL: Transparent Data Encryption with AES-256
  • Neo4j: Encrypted graph database for knowledge graphs
  • Qdrant: Encrypted vector database for semantic search
  • Redis: Encrypted in-memory cache with TLS
  • Column-Level Encryption: Additional encryption for sensitive fields (PII, API keys)

Access Control

Multi-Factor Authentication (MFA)

  • Required: MFA mandatory for all user accounts
  • Methods: TOTP (Google Authenticator, Authy), SMS, hardware tokens (YubiKey)
  • Administrative Access: Hardware token required for admin operations
  • Session Management: Automatic logout after 30 minutes of inactivity

Role-Based Access Control (RBAC)

Granular permissions based on the principle of least privilege:

  • Owner: Full administrative control
  • Admin: User management and billing
  • Developer: API access and application management
  • Viewer: Read-only access to resources
  • Custom Roles: Enterprise customers can define custom roles

API Key Management

  • Unique API keys per application or environment
  • Key rotation with zero-downtime rollover
  • Scoped permissions (read-only vs. read-write)
  • IP whitelisting for API access
  • Automatic key expiration and renewal reminders
  • Secure key generation using cryptographically secure random number generators
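As an added illustration of the key-management properties listed above (this is example code, not Adverant's implementation), the following Python sketch mints keys from the OS CSPRNG, stores only a hash, enforces scope and expiry, and rotates with an overlap window so a client can cut over without an outage; the `KeyStore` class, the `reporting-app` name and the timestamps are assumptions constructed for the example.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone

# Added example, not Adverant's code: one way to implement the API-key properties
# listed above (CSPRNG generation, hash-only storage, scoped permissions, expiry,
# and rotation with an overlap window so clients switch keys without downtime).

def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

class KeyStore:
    def __init__(self):
        # app name -> list of {"hash": sha256 hex, "scope": "read"|"read-write", "expires": datetime}
        self.keys = {}

    def issue(self, app, scope, now, ttl_days=90):
        """Mint a key from the OS CSPRNG; return plaintext once, store only its hash."""
        secret = "ak_" + secrets.token_urlsafe(32)          # 256 bits of entropy
        rec = {"hash": _hash(secret), "scope": scope, "expires": now + timedelta(days=ttl_days)}
        self.keys.setdefault(app, []).append(rec)
        return secret

    def rotate(self, app, scope, now, grace_hours=24):
        """Zero-downtime rollover: old keys keep working for a short grace window."""
        for rec in self.keys.get(app, []):
            rec["expires"] = min(rec["expires"], now + timedelta(hours=grace_hours))
        return self.issue(app, scope, now)

    def authorize(self, app, presented, want_write, now):
        """Constant-time hash comparison, then expiry and scope checks."""
        digest = _hash(presented)
        for rec in self.keys.get(app, []):
            if hmac.compare_digest(rec["hash"], digest):
                return now < rec["expires"] and (rec["scope"] == "read-write" or not want_write)
        return False

def demo():
    """Walk one rotation; app name and timestamps are constructed for the example."""
    store, t0 = KeyStore(), datetime(2025, 1, 7, tzinfo=timezone.utc)
    old = store.issue("reporting-app", "read", t0)
    new = store.rotate("reporting-app", "read", t0 + timedelta(days=30))
    in_grace, after = t0 + timedelta(days=30, hours=1), t0 + timedelta(days=31, hours=1)
    return {
        "old_in_grace": store.authorize("reporting-app", old, False, in_grace),
        "old_after_grace": store.authorize("reporting-app", old, False, after),
        "new_read": store.authorize("reporting-app", new, False, after),
        "new_write_denied": store.authorize("reporting-app", new, True, after),
        "bogus_key": store.authorize("reporting-app", "ak_not-a-key", False, after),
    }
```

The old key is accepted inside the 24-hour grace window and rejected after it, while the new read-only key is refused for write operations.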

OAuth 2.0 Integration

  • Single Sign-On (SSO) via OAuth 2.0 and OpenID Connect
  • Support for major identity providers (Google, Microsoft, Okta, Auth0)
  • SAML 2.0 for enterprise identity federation
  • Just-In-Time (JIT) user provisioning

Zero Trust Architecture

  • No implicit trust based on network location
  • Continuous authentication and authorization
  • Micro-segmentation of services and data
  • Context-aware access policies (device, location, risk score)

Monitoring and Incident Response

24/7 Security Monitoring

  • Security Operations Center (SOC) staffed 24/7/365
  • Real-time log aggregation and analysis (ELK stack + Splunk)
  • Automated anomaly detection using machine learning
  • Correlation of security events across all systems
  • PagerDuty integration for immediate incident response

Intrusion Detection Systems

  • Network IDS: Suricata for network traffic analysis
  • Host IDS: OSSEC for file integrity monitoring
  • Cloud SIEM: AWS GuardDuty and Azure Sentinel
  • Behavioral Analytics: User and Entity Behavior Analytics (UEBA)

Security Incident Response Plan

Our incident response follows NIST SP 800-61 guidelines:

  • Detection: Automated alerts trigger incident classification
  • Containment: Immediate isolation of affected systems
  • Eradication: Root cause analysis and threat removal
  • Recovery: Restore services with verification
  • Lessons Learned: Post-incident review and process improvement

Incident Notification Procedures

In the event of a security breach affecting customer data:

  • Within 72 Hours: Email notification to affected customers
  • Status Page: Real-time updates on incident resolution
  • Post-Incident Report: Detailed analysis provided within 7 days
  • Regulatory Compliance: Notifications to authorities as required by law (GDPR, etc.)

Logging and Audit Trails

  • Comprehensive logging of all system access and operations
  • Immutable audit logs protected from tampering
  • Log retention: 1 year for compliance, 90 days for operational logs
  • Audit trail export available for Enterprise customers

Compliance and Certifications

SOC 2 Type II

Adverant undergoes annual SOC 2 Type II audits covering:

  • Security: Logical and physical access controls
  • Availability: System uptime and performance
  • Processing Integrity: System processing is complete, valid, and authorized
  • Confidentiality: Confidential information is protected
  • Privacy: Personal information is collected, used, and disclosed appropriately

SOC 2 reports available to Enterprise customers under NDA.

GDPR Compliance

Full compliance with EU General Data Protection Regulation:

  • Data Processing Agreements (DPA) available
  • Standard Contractual Clauses (SCCs) for international transfers
  • Right to access, rectification, erasure, and portability
  • Data Protection Impact Assessments (DPIA) for high-risk processing
  • EU data residency options

FedRAMP Ready

Prepared for Federal Risk and Authorization Management Program certification:

  • NIST SP 800-53 controls implementation
  • Continuous monitoring and reporting
  • Air-gapped deployment options for classified environments
  • Government cloud infrastructure (AWS GovCloud, Azure Government)

HIPAA Compliance

Available for healthcare customers processing Protected Health Information (PHI):

  • Business Associate Agreement (BAA) provided
  • HIPAA Security Rule controls implementation
  • PHI encryption at rest and in transit
  • Access controls and audit logging
  • Breach notification procedures

ISO 27001

Certification in progress (expected Q2 2025). Our Information Security Management System (ISMS) follows ISO 27001 best practices.

Vulnerability Management

Regular Penetration Testing

  • Quarterly Testing: External penetration tests by certified security firms
  • Annual Red Team: Simulated advanced persistent threat (APT) exercises
  • Scope: Web applications, APIs, infrastructure, and social engineering
  • Remediation: Critical vulnerabilities patched within 48 hours

Security Audits

  • Annual third-party security audits (SOC 2, ISO 27001)
  • Code security reviews for all major releases
  • Infrastructure security assessments
  • Compliance audits (GDPR, HIPAA, FedRAMP)

Continuous Vulnerability Scanning

  • Network Scanning: Nessus and Qualys for infrastructure vulnerabilities
  • Container Scanning: Snyk and Trivy for Docker image vulnerabilities
  • Dependency Scanning: Dependabot and Renovate for library vulnerabilities
  • SAST: Static Application Security Testing in CI/CD pipeline
  • DAST: Dynamic Application Security Testing for running applications

Bug Bounty Program

We welcome security researchers to report vulnerabilities:

  • Scope: adverant.ai, api.adverant.ai, and all subdomains
  • Rewards: $100 - $10,000 based on severity (CVSS score)
  • Response Time: Initial response within 48 hours
  • Recognition: Security researchers hall of fame

Report vulnerabilities to security@adverant.ai

Responsible Disclosure Policy

We follow coordinated vulnerability disclosure:

  • Do not exploit vulnerabilities beyond proof of concept
  • Do not access, modify, or delete customer data
  • Do not perform denial-of-service attacks
  • Allow us reasonable time to patch before public disclosure (90 days)
  • We will not pursue legal action against researchers following these guidelines

Patch Management

  • Critical: Patched within 24 hours
  • High: Patched within 7 days
  • Medium: Patched within 30 days
  • Low: Patched within 90 days
  • Zero-downtime rolling deployments for most patches

Employee Security

Background Checks

  • Criminal background checks for all employees
  • Employment verification and reference checks
  • Enhanced screening for employees with access to production systems
  • Ongoing monitoring for security clearances (government contracts)

Security Training

  • Onboarding: Mandatory security training for all new hires
  • Annual Refresher: Yearly security awareness training
  • Phishing Simulations: Quarterly simulated phishing campaigns
  • Specialized Training: Advanced training for security and operations teams

Access Controls

  • Least privilege access for all employees
  • Just-In-Time (JIT) access for production systems
  • Automatic access revocation upon termination
  • Quarterly access reviews and recertification
  • Hardware security keys required for production access

NDA Agreements

All employees, contractors, and third-party vendors sign Non-Disclosure Agreements (NDAs) covering confidential customer data and proprietary information. Agreements survive termination of employment.

Offboarding Procedures

  • Immediate revocation of all access credentials
  • Return of company devices and security tokens
  • Exit interview covering security obligations
  • Continued NDA enforcement post-employment

Data Center Security

Physical Security

Our cloud providers maintain SOC 2 certified data centers with:

  • 24/7 on-site security personnel
  • Biometric access controls (fingerprint, iris scanning)
  • Video surveillance with 90-day retention
  • Mantrap entry systems and security checkpoints
  • Visitor logs and escort requirements

Environmental Controls

  • Redundant cooling systems with automatic failover
  • Temperature and humidity monitoring
  • Fire suppression systems (clean agent, no water damage)
  • Uninterruptible Power Supply (UPS) with backup generators
  • Flood detection and prevention systems

Redundancy and Failover

  • N+1 Redundancy: Critical systems have at least one backup
  • Multi-AZ Deployment: Services replicated across availability zones
  • Load Balancing: Traffic distributed across multiple instances
  • Auto-Scaling: Automatic capacity adjustment based on demand
  • Health Checks: Continuous monitoring with automatic failover

Disaster Recovery

Backup Strategy

  • Frequency: Continuous replication + daily snapshots
  • Retention: 30 daily, 12 monthly, 7 yearly backups
  • Geographic Distribution: Backups stored in separate regions
  • Encryption: All backups encrypted with separate keys
  • Testing: Monthly backup restoration tests

Geographic Redundancy

  • Multi-Region: Data replicated across US, EU, and APAC
  • Cross-Region Replication: Asynchronous replication to secondary regions
  • Failover: Automatic failover to secondary region if primary unavailable
  • Data Sovereignty: Enterprise customers can restrict data to specific regions

Recovery Objectives

  • RTO (Recovery Time Objective): 4 hours for full service restoration
  • RPO (Recovery Point Objective): 1 hour maximum data loss
  • Enterprise SLA: Custom RTO/RPO available (down to 15 minutes)

Disaster Recovery Plan

Our DR plan includes:

  • Documented procedures for common disaster scenarios
  • Defined roles and responsibilities
  • Communication plan for stakeholders
  • Quarterly DR drills and tabletop exercises
  • Post-incident review and plan updates

Business Continuity

  • Remote work capabilities for all employees
  • Redundant communication channels
  • Alternative vendor relationships
  • Financial reserves for emergency operations

Responsible Disclosure

How to Report Vulnerabilities

If you discover a security vulnerability in our Services, we encourage you to report it to us responsibly. We are committed to working with security researchers to verify and address vulnerabilities quickly.

Reporting Process

  • Email: security@adverant.ai
  • Include detailed description of the vulnerability
  • Provide steps to reproduce the issue
  • Include any proof-of-concept code or screenshots
  • Share your contact information for follow-up

PGP Encrypted Communications

For sensitive vulnerability reports, use our PGP key:

Key ID: [To be provided]

Fingerprint: [To be provided]

Download: https://adverant.ai/pgp-key.txt

What to Expect

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 7 days
  • Resolution Timeline: Based on severity (24 hours to 90 days)
  • Public Disclosure: Coordinated after patch deployment
  • Recognition: Credit in our security hall of fame (if desired)

Safe Harbor

We will not pursue legal action against security researchers who:

  • Follow our responsible disclosure guidelines
  • Make a good faith effort to avoid privacy violations and service disruption
  • Do not exploit vulnerabilities beyond proof of concept

Security Updates and Changelog

January 2025 - SOC 2 Type II Certification

2025-01-07

Successfully completed SOC 2 Type II audit covering Security, Availability, and Confidentiality trust service criteria. Reports available to Enterprise customers under NDA.

December 2024 - TLS 1.3 Enforcement

2024-12-15

Upgraded all services to TLS 1.3 with perfect forward secrecy. Deprecated support for TLS 1.2 and below. All API clients should verify TLS 1.3 support.

November 2024 - MFA Enforcement

2024-11-01

Multi-Factor Authentication now mandatory for all user accounts. Users have 30 days to enable MFA before enforcement begins.

Subscribe to security updates: status.adverant.ai

Contact Security Team

For security inquiries, vulnerability reports, or compliance questions, please contact our security team:

For general support inquiries, please visit our contact page.

Security Questions?

Our security team is available to discuss your specific compliance requirements.