This document summarizes Advanta's technical and organizational security measures. It is provided for prospective customers, security questionnaires, and audit reviewers. For the canonical, authoritative version, customers should refer to the executed Data Processing Agreement (DPA).
Compliance posture
| Standard | Status | Detail |
|---|---|---|
| GDPR (Reg. (EU) 2016/679) | Compliant | DPA available; data-subject request (DSR) mechanisms (export, erasure) implemented; DPO appointed, familiar with CNPD (Portuguese supervisory authority) requirements |
| SOC 2 Type I | Target Q3 2026 | Vanta engagement; Type II observation period commences Q1 2026 |
| SOC 2 Type II | Target Q1 2027 | Follows Type I, after 6+ months of operational evidence |
| ISO/IEC 27001:2022 | When required | Engaged when the first tier-1 customer contractually requires it |
| DORA (Reg. (EU) 2022/2554) | Documented | ICT third-party risk classification document available; supports financial-entity customers' register-of-information obligations |
| PCI DSS | Out of scope | Card data is processed solely by Stripe (PCI DSS Level 1 Service Provider); Advanta never handles PAN data |
Data protection
Encryption in transit
TLS 1.3 enforced on all customer-facing endpoints; TLS 1.2 or higher for internal service-to-service traffic. HSTS (Strict-Transport-Security) sent with a one-year max-age and the preload directive (preload-list inclusion also requires the includeSubDomains directive).
Encryption at rest
AES-256 using AWS KMS customer managed keys (Advanta-controlled; distinct from the customer-supplied BYOK keys below) for RDS, S3, Secrets Manager, EBS, and ElastiCache. Automatic annual key rotation enabled (KMS retains prior key material, so existing ciphertext remains decryptable after rotation).
BYOK (Bring Your Own Key)
Available on Enterprise plans. Customer's KMS key encrypts the customer's tenant-isolated data. Lifecycle managed by the customer.
Backups
RDS automated backups with 7-day snapshot retention plus point-in-time recovery (35-day window). Backups are encrypted (RDS snapshots inherit the instance's KMS key); restores are tested quarterly.
Audit log
Compliance-grade audit log with 7-year WORM retention via AWS S3 Object Lock in compliance mode (retention cannot be shortened and objects cannot be deleted by any principal, including the account root user, until the retention period expires). Each record carries a SHA-256 integrity digest.
Data residency
All Customer Data is stored in the AWS eu-central-1 region (Frankfurt). Where a transfer outside the EU/EEA is unavoidable, it is governed by the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914).
Network security
- Private subnets: all compute, databases, and caches deployed in private subnets with no direct internet ingress
- WAF: AWS WAF protects all public endpoints (OWASP Top 10 ruleset, AWS Managed Rules, IP reputation, rate limiting)
- DDoS: AWS Shield Standard always-on; Shield Advanced available for Enterprise on contract
- Egress and operator access: outbound traffic is NAT-routed only; no SSH/RDP exposed to the internet; operator shell access via SSM Session Manager (audit-logged) rather than an internet-facing bastion
- VPC Flow Logs: all network flows captured for SOC 2 evidence and security investigations
- mTLS: available for Enterprise API customers requiring mutual TLS authentication at the load-balancer layer
Identity & access management
- Customer auth: SAML 2.0 / OIDC SSO via WorkOS for bank admins; password + WebAuthn 2FA for SMB users
- API keys: SHA-256 hashed at rest (plaintext shown once at creation); per-key scope, rate limit, IP allowlist, optional mTLS
- Internal access: all production access via short-lived AWS SSO sessions with hardware-key MFA; no long-lived IAM users
- Least privilege: ECS task roles, RDS roles, and IAM roles scoped to minimum required permissions; reviewed quarterly
- Break-glass: production root-equivalent access requires two-person approval and is fully audit-logged
Multi-tenant isolation
Advanta is a multi-tenant SaaS. Customer Data isolation is enforced at three layers:
- Application layer: every database query filters explicitly by tenant_id
- Database layer: Postgres Row-Level Security (RLS) policies on tenant-scoped tables; the runtime DB role does not have BYPASSRLS
- Engine roles: the migration role (privileged, runs schema changes) is distinct from the runtime role (RLS-bound), so application credentials cannot be used to bypass the policies
Customers requiring stricter logical separation may opt into dedicated-schema (Enterprise) or dedicated-database-instance (Tier-1 Enterprise) modes.
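The three isolation layers above, as an added SQL illustration written for this document (it is not Advanta's schema; the table name `accounts`, the role names `advanta_migrate` and `advanta_runtime`, the setting name `app.tenant_id`, and the sample tenant UUIDs are assumptions). It shows the privileged migration role as table owner, the runtime role bound by a tenant policy keyed on a transaction-local setting, and the application's explicit tenant_id filter on top. Two Postgres facts matter for any "no BYPASSRLS" claim: superusers always bypass RLS, and a table's owner bypasses it unless the table has FORCE ROW LEVEL SECURITY, so the runtime role must be neither.

```sql
-- Added example for this document, not Advanta's schema. Role, table,
-- setting names and UUIDs are assumptions.

-- Engine roles: the owner/migration role is privileged; the runtime role
-- is a plain login role. NOBYPASSRLS and NOSUPERUSER are the defaults,
-- spelled out here so an access review can grep for them.
CREATE ROLE advanta_migrate NOLOGIN;
CREATE ROLE advanta_runtime LOGIN NOBYPASSRLS NOSUPERUSER;

CREATE TABLE accounts (
    id        bigserial     PRIMARY KEY,
    tenant_id uuid          NOT NULL,
    iban      text          NOT NULL,
    balance   numeric(18,2) NOT NULL DEFAULT 0
);
-- The owner bypasses RLS (no FORCE here), which is what lets migrations
-- run cross-tenant; the application must therefore never connect as it.
ALTER TABLE accounts OWNER TO advanta_migrate;
GRANT SELECT, INSERT, UPDATE, DELETE ON accounts TO advanta_runtime;
GRANT USAGE, SELECT ON SEQUENCE accounts_id_seq TO advanta_runtime;

-- Database layer: RLS keyed on a transaction-local setting. NULLIF guards
-- the case where the setting is unset, or reset to '' after an earlier
-- transaction on a pooled connection: the comparison yields NULL and no
-- rows match (fail closed) instead of a cast error or cross-tenant rows.
ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON accounts
    FOR ALL
    TO advanta_runtime
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Application layer: each request runs in a transaction that pins the
-- tenant with SET LOCAL (scoped to the transaction, so a pooled connection
-- does not carry it into the next request) and still filters explicitly.
-- From application code use SELECT set_config('app.tenant_id', $1, true)
-- with a bound parameter rather than building the SET statement as text.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed tenant
SELECT id, iban, balance
  FROM accounts
 WHERE tenant_id = '11111111-1111-1111-1111-111111111111';
-- Writing a row for another tenant is rejected by the WITH CHECK clause:
--   INSERT INTO accounts (tenant_id, iban)
--   VALUES ('22222222-2222-2222-2222-222222222222', 'PT50000201231234567890154');
--   ERROR:  new row violates row-level security policy for table "accounts"
COMMIT;

-- Verification queries for a quarterly access review: tables in the
-- application schema without RLS, and roles that could bypass it.
SELECT relname
  FROM pg_class
 WHERE relkind = 'r'
   AND relnamespace = 'public'::regnamespace
   AND NOT relrowsecurity;
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```

Run the two verification queries as part of the quarterly least-privilege review: the first should return no tenant-scoped tables, and the second should list only the expected administrative roles, never `advanta_runtime`.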
Application security
- Static analysis: Semgrep (OWASP Top 10) on every PR
- Dependency scanning: Snyk + Dependabot; high-severity vulnerabilities blocked from merge
- Secret scanning: Gitleaks on every PR; pre-commit hooks for local catches
- SBOM: generated for every container image; published with every release
- Image signing: all production container images signed via Cosign; verified at deploy time
- IaC security: tfsec on every Terraform PR; baseline policies enforced
Penetration testing
- Annual external penetration test by an independent third party (CREST-certified)
- Scope includes web applications, API endpoints, authentication flows, and infrastructure
- Summary letter available under NDA via diogo@advanta.pt
- First scoping engagement: Q2 2026
Vulnerability disclosure
We welcome responsible disclosure of security vulnerabilities. Email security@advanta.pt (PGP key on request) with details. We commit to:
- Acknowledge within 48 hours
- Provide an initial assessment within 5 business days
- Credit researchers in our hall of fame (with permission)
- No legal action against good-faith researchers following our disclosure policy
Incident response
- 24/7 on-call rotation with PagerDuty escalation
- Documented severity classification (SEV1–SEV4) with response time targets
- Customer notification without undue delay, and in any case within 72 hours, of a confirmed personal-data breach, so that customers (as controllers) can meet their own GDPR Art. 33 deadline to the supervisory authority
- Post-incident reviews published as blameless postmortems on the public status page
- Annual tabletop exercises (next: Q3 2026)
Business continuity
| Component | RTO | RPO |
|---|---|---|
| RDS Postgres | 5 min | 5 min |
| API runtime (ECS) | 1 min | n/a |
| Audit log | n/a (immutable) | 0 |
| Region failure (manual standby promote) | 4 h | 1 h |
Insurance
- Cyber liability: €2M cover (in procurement, target Q2 2026)
- Professional indemnity: €1M cover
- Carriers: Hiscox / AIG (final binding pending)
Personnel
- Background checks for all employees with production access
- Annual security awareness training
- Phishing simulations quarterly
- Confidentiality agreements signed at hire
Audit & assurance
Customers on Enterprise plans may, with reasonable advance notice and during normal business hours, conduct audits as set forth in the DPA. We provide:
- Most recent SOC 2 report (when available, under NDA)
- Most recent penetration test summary letter (under NDA)
- Sub-processor list (published publicly)
- Security questionnaire responses (CAIQ, SIG, custom)
Contact
Security: security@advanta.pt
Data Protection Officer: diogo@advanta.pt
Vulnerability reports: security@advanta.pt