VIVAHR is a software-as-a-service (SaaS) business. The company has a dedicated SaaS Operations team that is responsible for ensuring the safe and continuous operation of VIVAHR web services. Members of this team are carefully vetted for reliability and responsibility, and are trained to be knowledgeable and aware of sensitive information.
VIVAHR’s SaaS Operations infrastructure is divided into multiple, geographically dispersed facilities operated by Amazon and internet access is protected by Cloudflare network services. Amazon AWS data centers have obtained ISO 27001, SOC 1/SOC 2/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley accreditation. You can read more about Amazon AWS compliance here.
The VIVAHR SaaS solution is multi-tenant, and logical access controls using authentication and roles ensure the necessary separation between data from different clients. All infrastructure responsibilities live with VIVAHR, and clients are provided with functionality to manage their own users and roles at the application level.
VIVAHR’s business continuity planning (BCP) and disaster recovery (DR) activities prioritize critical functions supporting the delivery of service to our clients. Our systems architecture employs redundancy throughout the entire infrastructure. No system or service has a single point of failure. Data is always written to at least two separate locations when stored. VIVAHR leverages load balancing on the front-end and replication on the back-end between servers distributed across multiple data centers in North America to ensure uninterrupted operations. Failover tests are performed at least annually as part of scheduled system maintenance.
VIVAHR employs a multi-tier distributed architecture that allows us to scale horizontally as the number of clients and volume of traffic increases. VIVAHR uses multiple monitoring processes and tools to continuously track system resources, applications and capacity. Systems are scaled up when predetermined capacity thresholds are reached.
VIVAHR stores all client data in the SaaS production environment on fully redundant storage systems. Daily and intraday data is backed up on a scheduled basis to a separate secured online storage service. Only VIVAHR SaaS Operations employees have access to backups.
VIVAHR employs industry standard enterprise application management solutions to monitor systems and measure uptime; instrument application performance and behavior; aggregate, index, and archive application and system logs and trigger alerts based on event logs; and facilitate alerting, trend analysis, and risk assessment.
VIVAHR employs a public cloud deployment model using both physical and virtualized resources for our SaaS solution. All software maintenance and configuration activities are conducted by VIVAHR employees remotely over a Virtual Private Network.
Only authorized staff have access to production networks and hosts. Development staff members have limited access to production services for debugging and customer support purposes.
All passwords and credentials that enable access to VIVAHR’s production systems and services are stored in secure systems that are only accessible to authorized staff.
VIVAHR employs an automated configuration management system and uses continuous integration and automated deployment management tools to ensure that all changes to production servers, networks, and application software are applied in a deliberate and planned manner. Changes with operational impact are kept to a minimum and are only applied during pre-announced maintenance windows. Every change to production, except in cases of emergency, goes through the following stages:
Only content intended for general consumption is publicly available.
All systems log to a central repository for analysis and change tracking.
Continuous backups of data are made and stored in redundant locations.
Only authorized personnel may access or restore any data from the backup data sets.
No production node or service is allowed to communicate with other services without credentials.
Configuration of production systems and services is applied automatically and is vetted for security deficits prior to deployment.
VIVAHR continuously monitors and responds to active and emerging security threats, including the Open Web Application Security Project (OWASP) Top 10 and Computer Emergency Response Team (CERT) advisories.
Please report security vulnerabilities to [email protected]. VIVAHR does not provide monetary bounties for vulnerability reports at this time.
Security updates are applied within seven (7) days in non-emergency cases or more rapidly in the case of an urgent threat.
VIVAHR’s platform also contains a number of security measures to ensure the secure performance of its services.
All data are encrypted in transit and at rest. Web access to VIVAHR SaaS software runs over secure HTTPS connections that employ at minimum TLS 1.2 and AES 256-bit encryption.
Access control lists define the behavior of any user of the platform, and limit them to authorized behaviors.
Extensive anti-fraud processes run continuously to detect malicious or harmful use of the platform. These processes are under continuous refinement.
All data have unpredictable identifiers (UUID4) that prevent any individual contributor from predicting or accidentally overwriting other storage entities.
All end user activity is extensively instrumented and logged to enable audit tracing for security and customer support purposes.
All VIVAHR and VIVAHR-client confidential documents, files, and data are stored in the company’s file storage accounts, revision control systems, or another company-provided external system. Data and files may not be stored solely on local laptops. When a VIVAHR employee or contractor terminates employment, all data stored on company-issued laptops is destroyed.
All employees are issued copies and acknowledge receipt of VIVAHR policies regarding information and data security.
To support the delivery of our services, VIVAHR uses service providers (each, a “Subprocessor”) that may transmit, store and/or process personal data about clients’ candidates and authorized users.
Last modified: January 3, 2023