This page describes Adber’s technical and organizational security measures (the “Security Measures”) for the Services. As of the Effective Date of the Data Processing Addendum (the “DPA”), these Security Measures form Annex II to the EU Standard Contractual Clauses by reference. Adber may update these Security Measures from time to time to reflect evolving threats, technology, and industry practices, provided such updates do not materially decrease the overall security of the Services during a Subscription Term. Capitalized terms not defined here have the meanings given in the Agreement and the Adber Customer Agreement.
1. Information Security Policy
Adber maintains a written information security program that defines roles and responsibilities, policies and standards, risk management, and review cycles appropriate to the nature of the Services and the risks to Customer Personal Data.
2. Access Control
2.1 Preventing Unauthorized Product Access
- Hosting & vendors. We host the Services on third-party cloud infrastructure and use vetted vendors to deliver and operate the product. We apply risk-based due diligence, require contractual data-protection and confidentiality obligations consistent with our data-protection commitments, and restrict vendor access on a least-privilege basis. Our current vendors are listed in the Subprocessors List.
- Authentication. Users must sign in with unique credentials before accessing the Service. The Service enforces minimum password requirements and a verified email–based password-reset flow. We may update these requirements over time without materially decreasing overall protection.
- Authorization. Access to Customer Personal Data and product features is enforced by role-based controls in the application. Customers access the Service only via the user interface or APIs; no direct access to underlying infrastructure, databases, or storage is permitted.
- API access. Public APIs require a valid OAuth 2.0 Bearer token. Tokens are obtained via the OAuth 2.0 client-credentials grant using the Customer’s client ID and secret; requests without a valid token are rejected.
- Network access control. Production networks are segmented and operate on a deny-by-default model; only required ports and protocols are allowed via security groups and firewall rules (e.g., VPC-style isolation). Implementations may differ by infrastructure provider.
- Edge threat protection. Internet-facing endpoints are protected by application-layer controls (e.g., request validation and rate limiting) designed to identify and block common attacks; signals from these controls feed centralized monitoring and alerting.
- Secure development. Source code is subject to automated and/or manual reviews for common security flaws as part of the development lifecycle.
- Endpoint hardening. Administrative workstations are configured to a baseline hardening standard and protected by endpoint protection tools. Security agents and their detection content are kept up to date.
2.2 Limitations of Privilege and Authorization Requirements
- Privileged access. Elevated access to production is restricted to authorized personnel and is granted, on a least-privilege basis, through a time-limited approval workflow. Access is logged and monitored, and higher-risk permissions are reviewed periodically. Emergency access, when invoked, is time-limited and subject to post-incident review.
- Support access. A restricted subset of authorized personnel may access Customer Personal Data through controlled interfaces for support, operations, security incident response, and product maintenance. Such access follows the same approval-based, least-privilege workflow; approvals and access events are logged. Higher-risk permissions are reviewed periodically, and any emergency access is time-limited with post-incident review.
3. Transmission Control
- In transit. All connections to the Service (web UI and APIs) use HTTPS (TLS). Non-TLS requests are either redirected to HTTPS or refused, so that encryption in transit is enforced. Our HTTPS implementation uses industry-standard protocols and certificates.
- At rest. User passwords are stored using strong, salted, one-way hashing; password reset uses a verified-email workflow. Customer Personal Data stored by the Service is encrypted at rest using industry-standard cryptography; access to encryption materials is restricted and key handling follows documented operational safeguards.
4. Incident Management, Logging, and Monitoring
- IR plan. Adber maintains a written incident response plan and playbooks covering detection, triage, containment, eradication, recovery, and post-incident review. Further operational details are described in the Documentation (see our Security Incident Management).
- Logging & monitoring. Security-relevant events (e.g., authentication, access control, system and application activity) are logged and monitored to support detection and investigation of anomalous or malicious activity.
- Detection & response. Telemetry from the Service and supporting infrastructure feeds centralized alerting. Suspected or confirmed incidents are investigated, tracked through resolution, and subject to appropriate remediation.
5. Availability Control
- Resilience & maintenance. The Service is designed to minimize single points of failure. Critical components are updated or replaced under change control while traffic continues to be served by healthy instances to minimize disruption.
- Fault tolerance. Backup and, where feasible, online replication provide redundancy and failover protections for critical components. Replication is performed within the same failure domain and does not include cross–availability-zone redundancy. The Service is engineered to tolerate instance- or node-level failures; an availability-zone-level outage may interrupt the Service until restoration procedures complete.
- Backups. All production databases are backed up using industry-standard methods. Backups are encrypted, stored separately from primaries, and restoration procedures are verified through periodic tests.
- Continuity & disaster recovery. We maintain documented business continuity and disaster recovery procedures designed to support restoration objectives appropriate to the Services. Plans are exercised at risk-based intervals and improved based on post-exercise reviews and lessons learned.
6. Vulnerability Management Program
- Scanning. We perform regular vulnerability scanning of the Service and supporting infrastructure; detection content is kept up to date and findings are triaged by severity.
- Remediation. Vulnerabilities are remediated on a risk-based, time-bound basis and tracked to closure with verification.
- Security testing. We conduct periodic security testing to evaluate the effectiveness of controls, which may include third-party assessments. Findings from vulnerability assessments and tests are reviewed, prioritized, and addressed in accordance with Adber’s risk management process.
7. Personnel Management
- Personnel & training. We staff qualified personnel to develop and operate the Service’s security program. Employees receive role-appropriate security and privacy training. Personnel with access to Customer Personal Data are subject to confidentiality and acceptable-use obligations.
- Background checks. Where permitted by applicable law and appropriate to the role, pre-employment background or reference checks are conducted under company policy.
- Access governance. We give each role only the minimum access it needs, and we use an approval process to grant, update, and promptly remove access when roles change or employment ends.