
Security Overview

Last Updated: [INSERT DATE]


Our Commitment

At AVESYS OU, security is foundational to everything we build. Our products are deployed inside enterprise networks, connecting to mission-critical SQL Server instances. We understand that our customers trust us with access to their most important infrastructure, and we take that responsibility seriously.

1. On-Premise Security Advantage

Your Data Stays With You

Unlike cloud-only monitoring tools, Avesys products are deployed on-premise within your infrastructure. This means:

  • No database content leaves your network. Performance data, query text, schema information, and all database content collected by Avesys DPM, Database Compare, DataForge, and SQL Version Control remains within your infrastructure.
  • No cloud dependency for core functionality. Your monitoring, comparison, masking, and version control operations work entirely within your network.
  • You control access. You define who can access Avesys products, what SQL Server instances are connected, and what data is collected.

Minimal External Communication

The only outbound communications from on-premise installations are:

  • License verification with Avesys licensing servers (transmits only license key ID, product version, and instance count);
  • Update checks for new product versions (optional, can be disabled);
  • Telemetry for product improvement (optional, disabled by default on enterprise plans).

No database content, query text, performance data, or customer-specific information is ever transmitted.

2. Application Security

Secure Development Lifecycle

  • Code review required for all changes before merge;
  • Static analysis and dependency scanning in CI/CD pipeline;
  • Regular third-party security assessments;
  • Secure coding guidelines followed across all products;
  • Vulnerability tracking and remediation SLAs.

Authentication and Access Control

  • Role-based access control (RBAC) across all products and portals;
  • Password hashing using industry-standard algorithms (bcrypt);
  • Session management with secure token handling;
  • Account lockout after repeated failed login attempts;
  • Support for integration with customer's existing authentication infrastructure.

Data Encryption

  • In transit: TLS 1.2+ for all network communications;
  • At rest: Encryption of sensitive configuration data and credentials stored by Avesys products;
  • Credentials: SQL Server connection credentials stored encrypted using AES-256, never in plaintext.

SQL Server Connectivity

  • Avesys products connect to SQL Server instances using the minimum required permissions;
  • Read-only access is sufficient for monitoring (Avesys DPM) and comparison (Database Compare);
  • Connection pooling with configurable limits to minimize impact on SQL Server resources;
  • CPU overhead target: less than 1% impact on monitored instances.

3. Infrastructure Security

Cloud-Hosted Components

For the avesys.net website, portals, and licensing servers:

  • Hosted in EU-based data centers;
  • Network segmentation and firewall rules;
  • DDoS protection;
  • Regular security patching and updates;
  • Encrypted backups with tested recovery procedures.

Build and Release Security

  • Automated CI/CD pipelines with security gates;
  • Code signing for released binaries;
  • Integrity verification for software updates;
  • Secure distribution channels for software downloads.

4. Organizational Security

Personnel

  • Background checks for employees with access to customer data or production systems;
  • Security awareness training for all employees;
  • Principle of least privilege for all access;
  • Immediate access revocation upon employee departure.

Incident Response

  • Documented incident response procedures;
  • Dedicated security contact: security@avesys.net;
  • Data breach notification within 48 hours as per our Data Processing Agreement;
  • Post-incident review and remediation for all security events.

Business Continuity

  • Disaster recovery plans for cloud-hosted services;
  • Regular backup testing and recovery drills;
  • Redundant infrastructure for critical services (licensing servers);
  • Documented escalation procedures.

5. Compliance

Current

  • GDPR compliant as an EU-based company (Estonia);
  • Data Processing Agreements available for enterprise customers;
  • On-premise deployment model supports customer compliance requirements.

Planned

  • SOC 2 Type II certification (on roadmap);
  • ISO 27001 alignment (on roadmap).

6. Responsible Disclosure

We welcome security researchers who help us keep Avesys products safe. If you discover a vulnerability:

  1. Email security@avesys.net with details of the vulnerability;
  2. Include steps to reproduce, impact assessment, and any proof-of-concept;
  3. Allow reasonable time for us to investigate and remediate before public disclosure;
  4. Do not access, modify, or delete customer data during testing.

We commit to:

  • Acknowledging receipt within 2 business days;
  • Providing an initial assessment within 5 business days;
  • Keeping you informed of remediation progress;
  • Crediting you (if desired) in our security acknowledgments.

7. Security FAQ

Q: Does Avesys have access to my SQL Server data?
A: No. For on-premise deployments, all data processing happens within your network. Avesys does not have access to your database content, query text, or performance data.

Q: What happens if Avesys licensing servers go down?
A: On-premise products continue operating with a grace period of at least 7 days. Offline activation is available for air-gapped environments.

Q: Can I disable all external communications?
A: Yes. Telemetry and update checks can be disabled. For license verification, offline activation is available upon request for environments that require complete network isolation.

Q: How are my SQL Server credentials stored?
A: Credentials are encrypted using AES-256 and stored locally within your infrastructure. They are never transmitted to Avesys or stored outside your network.

Q: Does Avesys DPM impact my SQL Server performance?
A: Avesys DPM is designed for less than 1% CPU overhead. The collector agent uses optimized queries, connection pooling, and configurable collection intervals to minimize impact.

8. Contact

For security-related inquiries or to report a vulnerability:

AVESYS OU
Security: security@avesys.net
Privacy: privacy@avesys.net
Website: avesys.net


This Security Overview was last updated on [INSERT DATE].

© 2026 Avesys. All rights reserved.