Security

When moving to a cloud-based platform, customers raise concerns about the following:

  • Security
  • Data protection
  • Privacy
  • Compliance

As a trusted organization, AIA follows the best practices for security, privacy, compliance, and risk management defined by the Cloud Security Alliance (CSA).

Below is a summary of the security measures put in place to protect the ACD Online Service and its data.

General

AIA Contract Documents Online Service (ACD5) applies some of the most advanced Internet security technology commercially available today. It is constantly maintained, enhanced and verified by highly skilled, experienced and trained personnel. Because public cloud computing has raised security questions for businesses with regulatory compliance requirements, ACD Online Service (ACD5) servers and databases reside in a private cloud and in data centers hosted by a top-tier leader in the Gartner Magic Quadrant for Cloud-Enabled Managed Hosting.

User Identity, Authentication, and Security

  • Authentication: User data in our database is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user logs on. ACD Online Service (ACD5) issues a session cookie only to record encrypted authentication information for the duration of a specific session.
  • Two-Factor Authentication: AIA provides two-factor authentication for unlimited-license users.
  • Data Encryption: Certain sensitive user data, such as account passwords, is stored in an encrypted format.
  • Data Portability: ACD Online Service (ACD5) enables you to export your data from our system in a variety of formats so that you can back it up or use it with other applications.
  • Privacy: AIA maintains a comprehensive privacy policy that provides a transparent view of how we handle your data.
  • Logical Separation: Configurations are in place to securely separate user data so that each user can view only his/her own data.
  • User Access to Data: Users can access their ACD Online Service (ACD5) projects and documents from a web browser on their own computers. If ACD5 does not meet a specific user's company security policies, users can also download the documents to their local machine, work offline, and delete their online documents.
  • Data Residency: All ACD Online Service (ACD5) user data is stored in cloud containers hosted and protected by one of the world leaders in cloud services. ACD Online Service (ACD5) does not store users' credit card information.

Additional Information

Physical Security

AIA Contract Documents Online Service (ACD5) is hosted in world-class data centers located in the United States.

Availability & Risk Management

  • Connectivity and Uptime: Fully redundant IP network connection with high-speed 10 GbE via Cisco routers and F5 BIG-IP switches. We have continuous uptime monitoring, constantly overseeing the security and availability of our infrastructure, with immediate escalation to staff for any downtime.
  • Failover & Disaster Recovery: Our database is replicated between the production data center and the disaster recovery center using real-time and near-real-time data replication.
  • Backup Frequency: Backups occur daily at multiple geographically disparate sites.

Vulnerability Management & Security Operations

Working together with our partners, we strive to protect our users’ data through multiple layers of security (physical, logical and data):

Testing: System functionality and design changes are verified in a separated environment and are subject to functional and security testing prior to deployment to active production systems.

Patching: Latest security patches are applied to all operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities.

Firewalls and Intrusion Detection System (IDS): The network is secured via ICSA-certified Cisco firewalls and routers. Internal and external traffic and networks are segregated between the web, application and back-end database tiers. An Intrusion Detection System tool is used to proactively identify and prevent intrusions.

Access Control: A secure VPN and access framework ensure that only approved staff are granted access to the appropriate systems and resources.

Encryption in Transit: SHA-2-signed certificates and the Transport Layer Security (TLS) cryptographic protocol are used to encrypt both inbound and outbound traffic, ensuring a secure connection from our users' devices and browsers to ACD Online Service (ACD5). Individual transactions are verified and validated with a token.

Information Security Incident Management: Policies and processes ensure that information security strengths and weaknesses are communicated in a manner that allows timely corrective action.

Virus Protection: Anti-virus software is used to scan uploaded documents.

Penetration Testing & Third Party Scans: External organizations perform penetration tests at least semi-annually.

Organizational & Administrative Security

  • Information Security Policies: The AIA maintains internal information security policies, including incident response plans, and regularly reviews and updates them. AIA prohibits access to user data for any purpose except, with the user's permission, to resolve a problem. A limited group in our support and operations team has access to the servers and database (excluding user content) in order to run operations. Accountability is enforced through a set of system controls, including the use of unique user names, data access controls, and auditing.
  • Employee Screening: The AIA performs background screening on all employees, to the extent permitted by local laws.
  • Training: The AIA provides security and technology use training for employees.
  • Access: A secure VPN and access framework ensure that only approved staff are granted access to the appropriate systems and resources. Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know basis.
  • Audit Logging: The AIA maintains and monitors audit logs on our services and systems.

Governance, Compliance and Controls

The compliance and validation phase is an important collection of audit and review activities that provide assurance that our implemented controls are designed and operating effectively and are aligned with the policies set by the security organization. The AIA works closely with our partners to ensure we adhere to and comply with security standards in relation to PCI, ISO 27001/27002 and HIPAA.

Security Monitoring and Response

The ACD5 Operations team continuously monitors and identifies operational risks. If the Operations team learns of a security breach, the AIA will notify affected users so that they can take appropriate protective steps. Notification procedures include providing email notices or posting a notice on our website if a breach occurs.

Security Best Practices

Keeping your data secure also depends on you maintaining the security of your account by using sufficiently complex passwords and storing them safely. You should also ensure that you have sufficient security on your own systems and scan your files with anti-virus software. If our security still does not comply with your specific company security policies, you can also download the documents to your local machine, work offline, and delete all your online documents.

Customer Requests

If you require additional information, contact AIA Contract Documents Technical Support at 1-800-942-7732 or e-mail DocsTechSupport@aia.org for assistance.

Last updated: October 26, 2016.