At AVI Human Services, we are committed to ensuring that our users’ information remains private and secure. In general, this means that no one is able to access information that they should not be able to access, information cannot be degraded or changed, and information is always available when it should be.
Data Collection
We understand the importance of privacy in our digital age. As such, access to sensitive data within the Transition Readiness Toolkit is strictly controlled. Users are granted access on a need-to-know basis, and all access is logged and monitored for audit purposes. The Toolkit is designed to collect very little Personally Identifiable Information (PII) from its users. This approach ensures the anonymity and privacy of our users, allowing them to use our services with confidence.
User information is generally safeguarded by Drupal Core by properly storing sensitive information and only exposing it to a securely authenticated user. Only administrators and the users themselves have access to this data.
Survey Content and Results
The content of our surveys is stored in the configuration of the site, which appears both in our database and in our code base. See the sections on Platform.sh and Github to see how these are secured.
Response data is stored exclusively in our database. A hierarchical user structure is used within an isolated data model, ensuring that authorized, authenticated users can access this information only within their organization or subordinate organizations. Administrators may grant or revoke access upon request, ensuring that information remains secure and accessible only to those with proper authorization. Additionally, this information is anonymized by policy.
Platform Security
Drupal
The Drupal platform is at the heart of our security model and provides the majority of our security measures. Drupal is an open source project and is subject to continuous audits by its maintainers and users. We adhere to best practices in configuration and promptly apply security patches. You can see Drupal’s security statement here: https://www.drupal.org/security.
Upsun
Upsun is our primary hosting environment. It is contracted with us to manage our infrastructure-level security, including OS updates and access control to infrastructure. It provides many security features, including encrypted storage, automated backups, and robust access controls. We ensure these features are correctly configured through regular reviews and updates.
GitHub
Our codebase is hosted on Github, which provides tools like branch protections, required reviews, and automated security scans. We fully utilize these tools to maintain secure code management practices. We also use GitHub’s Dependabot to complete regular dependency updates.
Additional Security Measures
Our application complies with relevant data protection regulations and industry standards, ensuring that we meet or exceed the requirements for data security and privacy.
Security Audits
We conduct regular security audits to identify and address any potential vulnerabilities. This includes both automated scans and manual reviews by our team of security experts.
Encryption
The data in all parts of our services are encryption-protected. TLS 1.3 and SSH encryption is used for data in transit, and AES 256 encryption is used for data at rest.
Data Backups
We maintain two daily backups of our database. These backups serve as a safety net in case of data loss or corruption. Both backups are kept in Azure blob storage, meaning that there are multiple shadowed copies of the data in separate data centers in Central Washington.
DDoS Protection
We use Cloudflare, a CDN (content distribution network) to provide protection against distributed denial-of-service (DDoS) attacks.
Password Policy
We enforce strong password policies requiring passwords to contain a mix of lowercase and uppercase letters, numbers, and symbols, or to have an entropy of at least 75 bits. Additionally, passwords must not appear in databases of leaked passwords (checked securely and anonymously).
Continuous Integration (CI)
We use CI to ensure key security functionality in accordance with industry standards.
More Information
Our commitment to security is ongoing. We continually monitor emerging security trends and update our practices to ensure the highest level of protection for our users. We believe in empowering our users with the knowledge to use our application safely. Our support team is always available to assist with any security concerns and provide best practices for data protection.