Security, Trust, and Compliance

Security of data and reliability of access is essential to the operations of firms in the Private Capital Markets. The Altvia product suite is fully cloud-based and built on trusted providers including Salesforce and Amazon AWS. We integrate as needed with vetted third party systems including HelloSign, PostMark, and Twilio Sendgrid and keep access to our infrastructure to the required (minimal) personnel. We deploy third party penetration testing to verify our overall application security. Our operational policies and procedures that manage the product suite within those environments provide a highly resilient, secure, and trusted experience for our clients.


Data Security

Rigorous standards for access, transmission, storage and retention including best practice encryption standards.

  • Secure password handing and reset procedures as well as up-to-date best practices for password hashing
  • AES256 encrypted files within AWS and as well as 2048-bit RSA for Postmark files
  • Data retention policies based on industry best practices and described in depth in the FAQs below 

Data Reliability

AWS hosted applications use redundant application and database servers to ensure availability. Traffic is routed by load balancers to multiple application servers. Application databases are continuously replicated to warm spares in geographically separate locations for minimal maintenance downtime and quick recovery in the event of server failure. Our AWS hosted application and database servers are maintained in secure data centers with:

    • SSAE 16 Type II and/or ISO 27001 certifications
    • 24/7/365 onsite security and keycard and biometric access controls
    • Redundant and optimized transit and peering connections


Operational Security

Best practice standards for access, authentication, and mitigation including restricted access to our infrastructure and third party penetration testing to verify overall security.

  • Security is a responsibility of all employees and we have continuous checks on password strength, confidentiality agreements, and training on best practices
  • Multiple security checks are invoked throughout the development and QA phases to affirm security before deployment
  • Highly restricted access to our AWS servers


Secure access with SSL / TLS

User access and all data in transit is encrypted using SSL/TLS


2-factor and other Authentication

Employees and users have 2 factor authentication and other verification tools to minimize vulnerabilities


Enforced Mitigations

Mitigations for web security vulnerabilities such as XSS, CSRF, SQL injection and others such as those described by OWASP are enforced


Platform Security

Salesforce: ISO 27001/27017/27018. SOC1, SOC2, and SOC3 Audits. AWS: ISO 9001/27001/27017/27018. SOC1, SOC2 and SOC3 Audits


Compliance Standards

We operate under ISO 27001 standards as well as GDPR standards for our use of information



Redundant measures to maintain uptime and security controls as well as access

Frequently Asked Questions

What tools are a part of the primary infrastructure for Altvia?

Altvia is built with a mixture of Salesforce and Amazon AWS ecosystems and integrated as needed with HelloSign, Postmark, and Twilio Sendgrid

What audit and security standards exist?

● Salesforce: ISO 27001/27017/27018. SOC1, SOC2, and SOC3 Audits
● AWS: ISO 9001/27001/27017/27018. SOC1, SOC2 and SOC3 Audits
● Sendgrid: SOC2 Type II Attestation
● Postmark: SOC2 Type I Attestation

How long do you keep data?

Our Products: Retain customer data in Salesforce and AWS infrastructure indefinitely unless deleted
by customer

  • Sendgrid (Correspond Market Edition): Retains email message activity/metadata (such as opens and clicks) for 30 days. Stores customer’s aggregated sending stats and suppression lists (bounces, unsubscribes) and spam reports (which may contain content) indefinitely, and stores minimal random content samples for 61 days
  • Postmark (ShareSecure and Correspond Investor Edition): Retains email message
    activity/content for 45 days. Bounced message content is retained up to a year, and bounced message activity/metadata is retained indefinitely