Security and Compliance

Our commitment is to meet and exceed the stringent technical specifications our government customers require

You take the security and protection of your information seriously, and so do we. Authorium builds our software, support, and operations based on stringent standards. We hold SOC-2 Type II certification and StateRAMP Moderate Authorization. We use NIST 800-53 based security controls, with active programs to achieve FedRAMP authorization and certification in HITRUST.

While most companies host application data in standard commercial data centers, Authorium stores your data in AWS GovCloud data centers, which meet the highest Federal, Military, and DoD standards for data protection, business continuity, disaster recovery, infrastructure control, and physical security.

How We Protect Your Data

All of the information that we transmit and store is encrypted using advanced algorithms that meet or exceed FIPS 140-2 standards – the bar that the Federal Government uses to approve cryptographic modules for their use.

Access to your data is strictly controlled by you, through our innovative organization, project, document, and even section-level role-based access control (RBAC) model.

All of your data is securely replicated to multiple data centers, which allows us to quickly enact point-in-time recovery when a disaster or security incident occurs.
Security and encryption keys are always securely kept in hardware security module (HSM)-based Key Management Services that also meet NIST and FIPS 140-2 controls.

Your Identity, Your Control

Authorium connects with your Identity Provider (IdP) in Azure Active Directory (Entra) so that you can control the password policy and multi-factor authentication requirements and provide seamless onboarding/offboarding controls to meet your own security requirements.

Our enterprise solution can also optionally provide non-Active Directory username/password accounts when you need external collaborators outside your organization. These accounts are always under your control and can be removed anytime.

Always Your Data, Defended

Your data is always immediately accessible and can be exported at any time. In the event of contract termination, we will delete all copies of your data after 60 days.

We will never use your data without your agreement. And when we have your agreement, your data is only used for support purposes. Authorium defends your data using well-established policies designed to handle incidents or vulnerabilities quickly.

Intrusion Prevention

Authorium’s production systems are surrounded by Intrusion Detection and Prevention systems, including advanced Web Application Firewalls and Secure Network Routing. We apply the principle of least privilege to all systems and infrastructure, so that access is granted tightly and only when needed.

Our continuous monitoring and Security Information and Event Management (SIEM) systems provide 24×7 protection against malicious behavior – such as data breaches, external attacks, or ransomware.

Secure Hiring

We hire US-based employees and contractors after a complete set of criminal, education, and employment background checks in line with the federal requirements to ensure you can trust our team. Everyone undergoes security awareness training and accepts our information security policies.

AWS GovCloud

Authorium partners with AWS GovCloud to give our government customers the flexibility to architect secure cloud solutions that comply with the FedRAMP High baseline; the DOJ’s Criminal Justice Information Systems (CJIS) Security Policy; U.S. International Traffic in Arms Regulations (ITAR); Export Administration Regulations (EAR); Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) for Impact Levels 2, 4 and 5; FIPS 140-2; IRS-1075; and other compliance regimes.

AWS GovCloud is operated by employees who are U.S. citizens on U.S. soil. AWS GovCloud (US) is only accessible to U.S. entities and root account holders who pass a screening process.

System Security Plan

As required by NIST SP 800-171, a System Security Plan (SSP) is available upon request.

Systems Architecture

Authorium is hosted within the AWS GovCloud regions in the United States. AWS GovCloud (US) is authorized at FedRAMP High and DoD IL2, IL4 and IL5, and only allows access to US citizens.

Authentication/SSO

The Authorium platform can integrate with your agency’s Azure Active Directory Single Sign-On, or authenticate users through our own application authentication. Application authentication uses credentials that meet NIST standards and are stored one-way hashed per the OWASP recommendations.

Technology Recovery Plan

As the California State Administration Manual (SAM) requires, Authorium maintains a Technology Recovery Plan (TRP) available upon request.

System Availability and SLAs

The Authorium platform and APIs utilize redundant data centers and servers to provide our customers with maximum uptime. Our published availability target is 99.9%, and we have exceeded this target for the last year.

Failure and Backup

Authorium has designed failover to support several scenarios:

  • Datacenter loss – in the event of a datacenter loss, a redundant datacenter will immediately take over with minimal service interruption.
  • Database loss – if a database becomes unavailable and cannot fail over to another data center, the most recent backups will be utilized to recover data to a new data center. AWS RDS offers continuous backup and point-in-time recovery (PITR). Additionally, snapshots are taken every 30 minutes and retained for 7 years.
  • Image storage loss – images are stored on a system that provides 99.999999999% durability.

For additional information and the ability to request security artifacts, please visit our Trust Center.