Our Commitment to Data Security

At AdviserAide, we understand that immigration professionals work with highly sensitive and confidential client information. The nature of immigration advisory services means you handle data that requires the highest levels of protection and privacy. Security isn’t just a feature for us - it’s the foundation of everything we build. We’ve invested significantly in building a security-first platform with independent third-party oversight, rigorous compliance standards, and enterprise-grade security controls. This page explains exactly how we protect your data.

SOC 2 Compliance

AdviserAide maintains SOC 2 compliance with independent third-party oversight. SOC 2 is an internationally recognized auditing standard developed by the American Institute of CPAs (AICPA) specifically for service providers that store customer data in the cloud.

What is SOC 2?

SOC 2 compliance means that an independent third-party auditor has verified our security controls, policies, and procedures meet rigorous industry standards for:
  • Security - Protection against unauthorized access
  • Availability - System uptime and reliability
  • Processing Integrity - Complete, valid, accurate data processing
  • Confidentiality - Protection of sensitive information
  • Privacy - Collection, use, retention, and disclosure of personal information

Independent Third-Party Oversight

Unlike self-certification or internal audits, SOC 2 requires continuous monitoring and verification by an independent compliance auditing firm. This means:
  • An external auditor reviews our security controls and practices
  • Access logs are independently reviewed to verify that all data access follows our documented authorization procedures
  • Monitoring checks run automatically every hour to ensure compliance
  • Any deviations from our documented procedures are immediately flagged
You can view our current compliance status and detailed security controls here:
AdviserAide Trust Center

Security Controls Implemented

Data Security Controls - 14 Controls

These controls protect your data throughout its lifecycle:
  • Encryption of data in transit and at rest
  • Access control and authentication mechanisms
  • Data backup and recovery procedures
  • Secure data deletion and retention policies
  • Data loss prevention measures
  • Network security and firewall configurations
  • Intrusion detection and prevention systems

Product Security Controls - 4 Controls

These ensure the AdviserAide platform itself is secure:
  • Secure software development lifecycle (SDLC)
  • Regular security testing and vulnerability assessments
  • Penetration testing by external security firms
  • Security patch management and updates

Corporate Security Controls - 34 Controls

These govern how we operate as a company:
  • Employee background checks and security training
  • Physical security of offices and equipment
  • Incident response and disaster recovery plans
  • Vendor risk management
  • Security policies and procedures
  • Regular security awareness training for all staff

Policies and Documentation - 43+ Policies

Our compliance program is backed by comprehensive documentation:
  • Data protection and privacy policies
  • Access control policies
  • Incident response procedures
  • Business continuity plans
  • Change management procedures
  • And many more governing every aspect of data security

Database Access Controls and Audit

Documented Access Justification

Every single access to production systems must have documented justification. This means:
  • No one can access your data “just to look”
  • Access is only granted with your explicit permission, such as when you submit a support ticket requesting assistance and explicitly give permission to the support engineer in writing
  • All access attempts are logged with timestamp, user, and justification
  • These logs are reviewed by our independent auditor

Database Auditing

Our database systems maintain comprehensive audit logs that track:
  • Who accessed data (which support engineer or system)
  • When the access occurred (timestamp with timezone)
  • What data was accessed (which records or tables)
  • Why access was needed (linked support ticket with your written permission)
  • What changes were made (if any)

Automated Monitoring

An independent third-party compliance monitoring system runs automated checks every hour to verify:
  • All data access is properly authorized
  • Security controls are functioning as documented
  • Code changes follow proper approval processes
  • Infrastructure changes are documented and authorized
Additionally, advanced network monitoring tools continuously scan for suspicious activities every 5 minutes, including:
  • Unusual login patterns or failed authentication attempts
  • Unexpected data access patterns
  • Abnormal network traffic or potential intrusion attempts
  • Unauthorized infrastructure or configuration changes
If any irregularities or suspicious activities are detected, alerts are immediately sent to our security team and the independent compliance auditor.

Development and Code Security

Secure Development Lifecycle

Every code change that goes into production goes through rigorous security controls.
Code Change Authorization:
  • All code changes require documented approval before deployment
  • GitHub pull request reviews by at least one other developer
  • Automated security scanning of code changes before merge
  • Complete audit trail tracking who made changes and who approved them
  • No developer can deploy code to production without proper authorization
Change Tracking: Our systems maintain a complete audit trail of all code deployments:
  • Who made the code change (developer name and authorization)
  • When the change was deployed (timestamp)
  • What was changed (code diff and description)
  • Who authorized the deployment (approval chain)
  • Why the change was needed (linked feature request or bug fix)
Infrastructure Change Controls: Any changes to production infrastructure (servers, databases, network configuration) require:
  • Written justification and documented approval
  • Review by security team for compliance impact
  • Automated backup before changes are applied
  • Rollback plan in case of issues
  • Post-deployment verification and monitoring

Multi-Tenant Data Isolation

Data Partitioning Architecture

AdviserAide was architected from day one with data isolation as a core principle. We use a technique called data partitioning and sharding to ensure complete separation between organizations.
How it works:
  1. Every single row of data in our databases is partitioned into separate logical buckets
  2. Each organization’s data exists only in their specific bucket
  3. Database queries automatically filter to only your organization’s partition
  4. Multiple layers of security controls enforce strict separation and prevent cross-tenant data access
  5. All queries are validated and filtered to ensure they only return data from your organization’s partition
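The steps above describe a pattern where the partition key travels with every row and every query is forced to carry it. The following is an added illustration of that pattern, not AdviserAide's own code or schema: it uses an in-memory SQLite table with a constructed `clients` table and `org_id` column (both assumed names), and routes every read and write through a `TenantScope` object so that no caller can issue a query without the organization filter. A record id that belongs to another organization resolves to "not found" rather than to that organization's data.

```python
import sqlite3

# Constructed sample rows (not real client data): two organizations share one table,
# and the org_id column is the partition key that every query must carry.
SAMPLE_CLIENTS = [
    (1, "org-alpha", "Ana Ruiz", "visa-482"),
    (2, "org-alpha", "Bo Chen", "visa-189"),
    (3, "org-beta", "Cy Dube", "visa-500"),
]


def build_db() -> sqlite3.Connection:
    """In-memory database where every row carries its organization partition key."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients ("
        " id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, name TEXT, matter TEXT)"
    )
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?, ?)", SAMPLE_CLIENTS)
    # Index the partition key so tenant-filtered queries stay cheap as data grows.
    conn.execute("CREATE INDEX idx_clients_org ON clients(org_id)")
    return conn


class TenantScope:
    """All data access goes through here and is bound to one organization.

    Callers never write the `WHERE org_id = ?` clause themselves, so it cannot be
    forgotten, and a request for another tenant's row simply finds nothing.
    """

    def __init__(self, conn: sqlite3.Connection, org_id: str):
        if not org_id:
            raise ValueError("tenant context is required for every query")
        self.conn = conn
        self.org_id = org_id

    def list_clients(self) -> list:
        """Rows visible to this organization only."""
        return self.conn.execute(
            "SELECT id, name, matter FROM clients WHERE org_id = ? ORDER BY id",
            (self.org_id,),
        ).fetchall()

    def get_client(self, client_id: int):
        """Lookup by id combined with the partition predicate: a guessed or leaked
        id from another organization returns None instead of their record."""
        return self.conn.execute(
            "SELECT id, name, matter FROM clients WHERE org_id = ? AND id = ?",
            (self.org_id, client_id),
        ).fetchone()

    def update_matter(self, client_id: int, matter: str) -> int:
        """Writes are scoped the same way; returns the number of rows changed,
        which is 0 when the id lies outside this organization's partition."""
        cur = self.conn.execute(
            "UPDATE clients SET matter = ? WHERE org_id = ? AND id = ?",
            (matter, self.org_id, client_id),
        )
        self.conn.commit()
        return cur.rowcount


def cross_tenant_demo() -> dict:
    """Show that org-alpha cannot read or modify org-beta's row 3."""
    db = build_db()
    alpha = TenantScope(db, "org-alpha")
    beta = TenantScope(db, "org-beta")
    return {
        "alpha_ids": [row[0] for row in alpha.list_clients()],
        "alpha_reads_beta_row": alpha.get_client(3),
        "alpha_updates_beta_row": alpha.update_matter(3, "visa-999"),
        "beta_row_after": beta.get_client(3),
    }


if __name__ == "__main__":
    print(cross_tenant_demo())
```

The design choice worth noting is that the tenant filter lives in one place rather than in every query; the remaining risk is a code path that bypasses `TenantScope`, which is exactly the kind of change a pull-request review and automated scanning should catch.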

Encryption

Data in Transit

All data transmitted between your browser and AdviserAide servers is encrypted using:
  • TLS 1.2 or higher (Transport Layer Security)
  • Industry-standard cipher suites
  • Perfect Forward Secrecy (PFS) to protect past sessions
  • HSTS (HTTP Strict Transport Security) to prevent downgrade attacks
This makes it extremely difficult for anyone intercepting network traffic to read the contents of your communications with AdviserAide.
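Two of the items above, the TLS 1.2 floor and the HSTS header, are things a customer can verify from the client side. The following is an added example, not AdviserAide's code and not a capture of its servers: it builds a client TLS context that refuses anything below TLS 1.2, and checks a `Strict-Transport-Security` header against an assumed policy (a one-year `max-age` and `includeSubDomains`). The sample header values are constructed; `fetch_hsts` is included for running the check against a real host but is not exercised offline.

```python
import http.client
import ssl

# Assumed policy threshold for this example (one year); not a value taken from the page.
MIN_HSTS_AGE = 31536000


def make_tls_context() -> ssl.SSLContext:
    """Client-side context that will not negotiate anything below TLS 1.2.
    Certificate verification and hostname checking stay on (the defaults)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def min_tls_version_name() -> str:
    """Name of the lowest protocol version the context will accept."""
    return make_tls_context().minimum_version.name


def parse_hsts(header_value: str) -> dict:
    """Split a Strict-Transport-Security value into directives.
    Directive names are lower-cased; max-age becomes an int (or None if malformed)."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                directives[name] = int(value.strip().strip('"'))
            except ValueError:
                directives[name] = None
        else:
            directives[name] = True
    return directives


def hsts_problems(header_value, min_age: int = MIN_HSTS_AGE) -> list:
    """Return findings for a header value; an empty list means it meets the policy."""
    if header_value is None:
        return ["Strict-Transport-Security header missing"]
    directives = parse_hsts(header_value)
    problems = []
    age = directives.get("max-age")
    if age is None:
        problems.append("max-age directive missing or not an integer")
    elif age < min_age:
        problems.append(f"max-age {age} below {min_age}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains not set")
    return problems


def fetch_hsts(host: str) -> list:
    """Connect over the hardened context and evaluate the live header (network call)."""
    conn = http.client.HTTPSConnection(host, context=make_tls_context(), timeout=10)
    conn.request("HEAD", "/")
    header = conn.getresponse().getheader("Strict-Transport-Security")
    conn.close()
    return hsts_problems(header)


# Constructed sample header values, not captured from any real server.
SAMPLE_HEADERS = {
    "good": "max-age=63072000; includeSubDomains; preload",
    "short": "max-age=300",
    "missing": None,
}


def check_samples() -> dict:
    return {name: hsts_problems(value) for name, value in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    print(min_tls_version_name())
    for name, findings in check_samples().items():
        print(name, findings or "ok")
```

A browser only honours HSTS after it has seen the header once over a valid HTTPS connection, so the check is worth repeating after any change to the edge configuration; a short `max-age` quietly weakens the downgrade protection the list above promises.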

Data at Rest

All data stored in our databases and file storage is encrypted using:
  • AES-256 encryption (Advanced Encryption Standard)
  • The same encryption standard used by banks and government agencies
  • Separate encryption keys for different data types
  • Regular key rotation procedures
  • Hardware security modules (HSMs) for key management
This ensures that even if physical storage media were stolen, your data would remain unreadable without the encryption keys.

Infrastructure Security

Hosting and Data Centers

AdviserAide is hosted on enterprise-grade cloud infrastructure trusted by Fortune 500 companies worldwide:
  • Primary hosting: Microsoft Azure data centers in Australia
  • Secondary hosting: Amazon AWS data centers in Australia
  • Physical security includes biometric access controls, 24/7 security monitoring, and environmental controls
  • Geographic redundancy with automatic failover capabilities

Network Security

Our infrastructure includes multiple layers of network protection:
  • Web Application Firewall (WAF) to block malicious traffic
  • DDoS (Distributed Denial of Service) protection
  • Rate limiting to prevent brute force attacks
  • Intrusion detection and prevention systems
  • Network segmentation to isolate production systems

Vulnerability Management

We proactively identify and address security vulnerabilities through:
  • Regular penetration testing by independent external cybersecurity firms
  • Automated vulnerability scanning of our codebase and infrastructure
  • Security code reviews for all changes
  • Rapid patching process for identified vulnerabilities (typically within 24-48 hours for critical issues)

Backup and Disaster Recovery

Data Redundancy

Your data is protected against loss through multiple redundancy measures:
  • Daily encrypted backups to secure offsite locations
  • Geographic distribution across multiple secure locations
  • 30-day backup retention for point-in-time recovery

Business Continuity

In the unlikely event of a major incident, we maintain documented disaster recovery procedures to restore your data from secure backups. Our backup strategy ensures that your data is protected and can be recovered with minimal disruption to your practice.

Compliance and Industry Standards

Why We Chose SOC 2

We specifically pursued SOC 2 compliance (rather than other standards) because:
  1. Independent Oversight: SOC 2 requires continuous third-party auditing, not just periodic self-assessment
  2. Service Provider Focus: SOC 2 is specifically designed for SaaS companies that store customer data
  3. International Recognition: SOC 2 is recognized and trusted globally, particularly in highly regulated industries

Continuous Improvement

Security is not a one-time achievement. We continuously improve our security posture through:
  • Annual recertification with our independent auditor
  • Quarterly security reviews of all systems and procedures
  • Real-time compliance monitoring to catch any deviations immediately
  • Regular security training for all employees
  • Participation in information security communities to stay current on emerging threats

Transparency and Trust

Trust Center

We believe in transparency. Our Trust Center provides real-time visibility into:
  • Current SOC 2 compliance status
  • Detailed breakdown of our security controls
  • Recent security audits and their results
  • System uptime and availability metrics
Visit: AdviserAide Trust Center

Questions About Security?

We’re committed to transparency about our security practices. If you have questions about:
  • Our SOC 2 compliance program
  • Specific security controls
  • How we handle particular types of data
  • Compliance with regulations in your jurisdiction
  • Enterprise security requirements
Please contact us at support@adviseraide.com
For Enterprise Clients: If your organization has specific security requirements or compliance needs, please reach out to our enterprise team. We’re happy to provide additional documentation, participate in security questionnaires, or arrange for a detailed security review.