International Security Standards

Adviser CRM is built on a global platform which is second to none. Our platform meets the highest security standards and it is audited and tested on a regular basis. At no time can we access data without your permission.

Client Data Security Statement

Your data is stored in a Client Relationship Management software (CRM) called Adviser CRM. Below is an explanation of how and where your data is stored. If you have questions about this statement, please contact your financial adviser directly. Adviser CRM is a technology partner of Zoho Corporation and Adviser CRM is hosted on their Developer Platform. One of the driving factors to partner with Zoho was the infrastructure and security they provide. Adviser CRM is not Zoho CRM.

How secure is your information?

We take data security very seriously, and being certified for industry standards was a critical consideration when we looked for a partner. They hold certifications such as ISO 27001:2013 and SOC 2 Type II. They have also taken steps to implement appropriate administrative, technical and physical safeguards to prevent unauthorised access, use, modification, disclosure or destruction of information.


If you have any concerns regarding the security of your data, we encourage you to email us at support@advisercrm.co.nz

INTERNATIONAL CERTIFICATIONS

Adviser CRM is built on a secure and reliable platform that meets the highest industry security standards.

SOC2 Certification

For SOC 2, AICPA has defined five Trust Services Criteria (TSC) that service organizations can choose to meet: Security, Availability, Processing Integrity, Confidentiality, and Privacy. All SOC 2 reports must cover Security.


Once the TSCs have been chosen, the service provider must define controls to ensure that those criteria are met. For instance, to meet the Security criterion, a service provider might define a control that requires access to all sensitive internal systems to be protected by multi-factor authentication.


There are also two types of SOC report: Type I and Type II.

  • A SOC 2 Type I report is a point-in-time report, detailing the systems, tools, and strategies you have in place for keeping customer data secure at a single point in time.
  • A SOC 2 Type II report, on the other hand, measures and reports on the effectiveness of a vendor's security controls over time (generally at least six months). To issue a Type II report, a CPA firm not only assesses the design and implementation of a vendor's controls but also evaluates whether the controls were operating effectively over the entire audited period.

What Is SOC2?

SOC stands for "System and Organization Controls", and is a framework governed by the American Institute of Certified Public Accountants (AICPA). It is the leading industry standard when it comes to security compliance and the most commonly required and accepted way to demonstrate security when conducting business. A SOC 2 report assures customers, partners and investors that a business has a solid baseline of security and data protection guidelines in place.

ISO/IEC 27001:2013

ISO/IEC 27001:2013 is an international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).

It was published jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC).


What it Does

ISO 27001:2013 provides a structured framework to help organizations:

  • Identify information security risks
  • Implement appropriate security controls
  • Protect sensitive information (e.g., customer data, intellectual property, financial data)
  • Continuously monitor and improve security practices


Key Features

  • Risk-based approach – Organisations must assess risks and apply controls based on those risks.
  • Annex A controls – Contains a list of 114 security controls (in the 2013 version) across areas such as access control, cryptography, physical security, and incident management.
  • Continuous improvement – Follows the Plan–Do–Check–Act (PDCA) cycle.


Certification

Organisations can be formally certified by an accredited certification body after undergoing an audit to verify compliance with the standard.


Important Note

ISO/IEC 27001:2013 has been superseded by ISO/IEC 27001:2022, which includes updated controls and structural changes. Organisations certified to the 2013 version were required to transition to the 2022 version within the official migration period.

Data Centres

At our Data Centres, a co-location provider takes responsibility for the building, cooling, power, and physical security, while we provide the servers and storage. Access to the Data Centres is restricted to a small group of authorized personnel.

Any other access is raised as a ticket and allowed only after the approval of respective managers. Additional two-factor authentication and biometric authentication are required to enter the premises. Access logs, activity records, and camera footage are available in case an incident occurs.

Zoho have best-in-class data centres across the globe. When you sign up for Adviser CRM, your data is stored in the United States in a Primary Data Centre in Washington and there is also a Secondary Data Centre in Dallas.

Network Security

Our network security and monitoring techniques are designed to provide multiple layers of protection and defence. We use firewalls to protect our network from unauthorized access and undesirable traffic. Our systems are segmented into separate networks to protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Zoho's production infrastructure.

We monitor firewall access with a strict, regular schedule. A network engineer reviews all changes made to the firewall every day. Additionally, these changes are reviewed every three months to update and revise the rules.

Our dedicated Network Operations Centre team monitors the infrastructure and applications for any discrepancies or suspicious activities. All crucial parameters are continuously monitored using our proprietary tool and notifications are triggered in any instance of abnormal or suspicious activities in our production environment.

Network Redundancy

All the components of our platform are redundant. We use a distributed grid architecture to shield our system and services from the effects of possible server failures. If there's a server failure, users can carry on as usual because their data and Zoho services will still be available to them.

We additionally use multiple switches, routers, and security gateways to ensure device-level redundancy. This prevents single-point failures in the internal network.

DDoS

We use technologies from well-established and trustworthy service providers to prevent DDoS attacks on our servers. These technologies offer multiple DDoS mitigation capabilities to prevent disruptions caused by bad traffic, while allowing good traffic through. This keeps our websites, applications, and APIs highly available and performing.

Server Hardening

All servers provisioned for development and testing activities are hardened (by disabling unused ports and accounts, removing default passwords, etc.). The base Operating System (OS) image has server hardening built into it, and this OS image is provisioned in the servers, to ensure consistency across servers.

Intrusion Detection and Prevention

Our intrusion detection mechanism takes note of host-based signals on individual devices and network-based signals from monitoring points within our servers. Administrative access, use of privileged commands, and system calls on all servers in our production network are logged.

Rules and machine intelligence built on top of this data give security engineers warnings of possible incidents. At the application layer, we have our proprietary WAF which operates on both whitelist and blacklist rules.

At the Internet Service Provider (ISP) level, a multi-layered security approach is implemented with scrubbing, network routing, rate limiting, and filtering to handle attacks from the network layer to the application layer. This system provides clean traffic, a reliable proxy service, and prompt reporting of attacks, if any.

Secure by design

Every change and new feature is governed by a change management policy to ensure all application changes are authorised before implementation into production.

Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as well as screening of code changes for potential security issues with our code analyser tools, vulnerability scanners, and manual review processes.

Our robust security framework based on OWASP standards, implemented in the application layer, provides functionality to mitigate threats such as SQL injection, cross-site scripting and application-layer DoS attacks.

Data Isolation

Our framework distributes and maintains the cloud space for our customers. Each customer's service data is logically separated from other customers' data using a set of secure protocols in the framework. This ensures that no customer's service data becomes accessible to another customer.

The service data is stored on our servers when you use our services. Your data is owned by you, and not by Zoho or Adviser CRM. We do not share this data with any third-party without your consent.

Encryption

In transit: All customer data transmitted to our servers over public networks is protected using strong encryption protocols. We mandate all connections to our servers use Transport Layer Security (TLS 1.2/1.3) encryption with strong ciphers, for all connections including web access, API access, our mobile apps, and IMAP/POP/SMTP email client access.

This ensures a secure connection by allowing the authentication of both parties involved in the connection, and by encrypting the data to be transferred. Additionally, for email, our services leverage opportunistic TLS by default. TLS encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.

We have full support for Perfect Forward Secrecy (PFS) with our encrypted connections, which ensures that even if we were somehow compromised in the future, no previous communication could be decrypted. We have enabled the HTTP Strict Transport Security (HSTS) header on all our web connections. This tells all modern browsers to only connect to us over an encrypted connection, even if you type a URL to an insecure page at our site.

Additionally, on the web we flag all our authentication cookies as secure.
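The transport controls described above (HSTS on every web connection, authentication cookies flagged Secure) are the kind of thing a customer or auditor can verify from the response headers alone. The following is an added example, not code from Adviser CRM or Zoho, of a small header audit: it parses a Strict-Transport-Security value, checks the max-age and subdomain coverage, and checks each Set-Cookie value for the Secure, HttpOnly and SameSite attributes. The two sample responses and the one-year max-age threshold are constructed for the example; the header dictionary is assumed to use lower-case header names.

```python
"""Audit HSTS and cookie flags from captured HTTP response headers.

Added example (not Adviser CRM or Zoho code). Input is assumed to be a
dict of lower-cased header names plus a list of Set-Cookie values, as a
client library or proxy would hand them to you.
"""

# One year is the usual minimum before a domain is considered for
# browser HSTS preload lists (threshold chosen for this example).
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers):
    """Return a list of findings for the HSTS header (empty list means OK)."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing: browsers may still follow http:// links"]
    directives = parse_hsts(value)
    findings = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("HSTS max-age missing or not numeric")
    elif int(max_age) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {max_age} is shorter than one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not cover subdomains")
    return findings


def check_cookie(set_cookie):
    """Return findings for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0].strip()
    # Attributes after the first "name=value" pair, lower-cased names.
    attrs = {}
    for part in parts[1:]:
        attr, _, val = part.partition("=")
        attrs[attr.strip().lower()] = val.strip()
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name!r} lacks Secure: would be sent over plain http://")
    if "httponly" not in attrs:
        findings.append(f"cookie {name!r} lacks HttpOnly: readable by page scripts")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"cookie {name!r} SameSite is {samesite or 'unset'}")
    return findings


def audit_response(headers, set_cookies):
    """Combine HSTS and cookie findings for one response."""
    findings = check_hsts(headers)
    for cookie in set_cookies:
        findings.extend(check_cookie(cookie))
    return findings


# Constructed sample responses: one that meets the stated controls, one that does not.
GOOD_RESPONSE = (
    {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"},
    ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
)
WEAK_RESPONSE = (
    {"strict-transport-security": "max-age=300"},
    ["session=abc123; Path=/"],
)

if __name__ == "__main__":
    for label, (hdrs, cookies) in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_response(hdrs, cookies) or ["OK"])
```

Run it against a real response by feeding it the headers your HTTP client returns; anything in the findings list is a control the statement above promises that the observed response does not show.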

At rest: Sensitive customer data at rest is encrypted using 256-bit Advanced Encryption Standard (AES). The data that is encrypted at rest varies with the services you opt for. We own and maintain the keys using our in-house Key Management Service (KMS). We provide additional layers of security by encrypting the data encryption keys using master keys. The master keys and data encryption keys are physically separated and stored in different servers with limited access.

Data Retention and Disposal

We hold the data in your account as long as you choose to use Adviser CRM. Once you terminate your user account, your data will get deleted from the active database during the next clean-up that occurs once every 6 months.

The data deleted from the active database will be deleted from backups after 3 months. In case of your unpaid account being inactive for a continuous period of 120 days, we will terminate it after giving you prior notice and option to back-up your data.

A verified and authorized vendor carries out the disposal of unusable devices. Until such time, we categorize and store them in a secure location. Devices are formatted to remove any information they contain before disposal. We degauss failed hard drives and then physically destroy them using a shredder. We crypto-erase and shred failed Solid State Devices (SSDs).

Malware and Spam Protection

We scan all user files using our automated scanning system, which is designed to stop malware from being spread through Zoho's ecosystem. Our custom anti-malware engine receives regular updates from external threat intelligence sources and scans files against blacklisted signatures and malicious patterns. Furthermore, our proprietary detection engine, combined with machine learning techniques, ensures customer data is protected from malware.

Zoho supports Domain-based Message Authentication, Reporting, and Conformance (DMARC) as a way to prevent spam. DMARC uses SPF and DKIM to verify that messages are authentic. We also use our proprietary detection engine for identifying abuse of Zoho services like phishing and spam activities. Additionally, we have a dedicated anti-spam team to monitor the signals from the software and handle abuse complaints.
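The paragraph above names the mechanism but not how the three pieces fit together: a receiving server looks up the sender domain's DMARC record, checks whether SPF or DKIM passed, and then checks whether the domain that passed is aligned with the domain in the visible From: header. The following is an added example, not Zoho code, of that receiver-side evaluation in Python. The DMARC record and the authentication results are constructed; the organisational-domain check is a two-label approximation rather than a public-suffix-list lookup, and the pct and sp tags are deliberately ignored.

```python
"""Receiver-side DMARC evaluation from SPF/DKIM results and the From: domain.

Added example (not Zoho code). Assumptions: SPF and DKIM have already been
evaluated and their results passed in as strings; the organisational domain
is approximated as the last two labels (no public suffix list); pct/sp are
not handled.
"""


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, applying the RFC defaults
    for alignment mode (relaxed) and policy (none)."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Approximate organisational domain: last two labels (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same
    organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition).

    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain
    is the d= tag of the verified signature (empty string if none).
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags["p"]


# Constructed record: strict DKIM alignment, relaxed SPF alignment, reject policy.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # Legitimate message: SPF passes for a subdomain (relaxed alignment is enough).
    print(evaluate(RECORD, "example.com", "pass", "mail.example.com", "none", ""))
    # Spoofed From: with SPF passing only for an unrelated sending domain.
    print(evaluate(RECORD, "example.com", "pass", "other.example", "none", ""))
```

The second case is the one DMARC exists for: SPF alone passes, because the sending host is genuinely authorised for its own domain, but that domain is not aligned with the From: header, so the message fails DMARC and the published policy applies.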

Backups

We run incremental backups every day and weekly full backups of our databases using Zoho Admin Console (ZAC) for Zoho's DCs. Backup data in the DC is stored in the same location and encrypted using the AES-256 algorithm. We store them in tar.gz format. All backed-up data is retained for a period of three months.

If a customer requests data recovery within the retention period, we will restore their data and provide secure access to it. The timeline for data restoration depends on the size of the data and the complexity involved.

To ensure the safety of the backed-up data, we use a redundant array of independent disks (RAID) in the backup servers. All backups are scheduled and tracked regularly. If a backup fails, it is re-run and the failure is fixed immediately. The integrity and validation checks of the full backups are done automatically by the ZAC tool.

From your end, we strongly recommend scheduling regular backups of your data by exporting it from Adviser CRM and storing it locally in your infrastructure.  You can download all of your data and file attachments free of charge twice every month.

Disaster Recovery and Business Continuity

Application data is stored on resilient storage that is replicated across data centres. Data in the primary DC is replicated in the secondary in near real time. In case of failure of the primary DC, secondary DC takes over and the operations are carried on smoothly with minimal or no loss of time. Both the centres are equipped with multiple ISPs.

We have power back-up, temperature control systems and fire-prevention systems as physical measures to ensure business continuity. These measures help us achieve resilience. In addition to the redundancy of data, we have a business continuity plan for our major operations such as support and infrastructure management.

Reporting

We have a dedicated incident management team. We notify you of the incidents in our environment that apply to you, along with suitable actions that you may need to take. We track and close the incidents with appropriate corrective actions.

Whenever applicable, we will identify, collect, acquire and provide you with necessary evidence in the form of application and audit logs regarding incidents that apply to you. Furthermore, we implement controls to prevent recurrence of similar situations.

We respond to the security or privacy incidents you report to us through support@advisercrm.co.nz with high priority. For general incidents, we will notify users through our blogs, forums, and social media.

For incidents specific to an individual user or an organization, we will notify the concerned party through email (using the primary email address of the organisation administrator registered with us).

Breach Notification

As data controllers, we notify the concerned Data Protection Authority of a breach within 72 hours after we become aware of it, according to the General Data Protection Regulation (GDPR). Depending on specific requirements, we notify the customers too, when necessary. As data processors, we inform the concerned data controllers without undue delay.