CertCapture is a hosted service that enables secure access to documents for browsers and mobile devices. This service consists of the following components:
- Browser: On the client side, the end user accesses the system through a Web browser installed on a personal computer or mobile device. Users access the system by visiting an end user website and entering a username and password, which are transmitted to a Web Server for authentication. Traffic between browsers and Application Servers is encrypted via SSL/TLS.
- Web Servers: Traffic originating from browsers and mobile apps is handled by hosted, load-balanced web servers that communicate with application servers to process end user requests.
- Application Servers: Application servers, data processing servers, and email servers are housed in a hosted, segmented application environment consisting of Windows and Linux based servers.
- Datastores: Application data and documents are stored in secured and private databases and file stores that are accessed only by application servers.
Avalara delivers compliance document management services using an ASP model designed expressly to ensure robust and secure operation.
CertCapture web servers, application servers, and data stores servers are hosted in secure data centers, which use defined security barriers to protect against fire, flood, earthquake, explosion, or other forms of natural or man-made disaster. Physical access to servers is restricted and guarded by 24/7 security personnel, access cards and pins, multiple mantraps, biometrics, and extensive video surveillance. Avalara headquarters and offices are protected with access cards and 24/7 video surveillance.
Avalara’s access routers are configured to watch for denial of service (DoS) attacks and to log denied connections. Network segmentation and the implementation of hardened Network Access Control Lists (NACLs) through a firewall complex are in place at various trust boundaries including:
- Internet and web servers
- Web servers and application servers
- Application servers and back-end data stores
CertCapture servers run on hardened Linux and Windows servers with the latest security configurations and patches. Vulnerability scans are conducted at least weekly, if not more frequently. Systems are monitored, and suspicious or unauthorized activity alerts appropriate personnel to investigate and take mitigating actions.
Remote administration is handled through secure, encrypted connections. Access by Avalara staff is restricted to those associates who are on the CertCapture support engineering teams. User sessions time out after a specific period of inactivity, and role-based access controls are implemented using the principle of least privilege. Avalara computers accessing the environment are maintained with automatic application of the latest security patches and with virus and malware protection, and they are subject to strict password policies and access controls.
Secure data in motion
Data in motion between client systems and Avalara systems is secured and encrypted. Web traffic is encrypted using HTTPS, and file transfers are managed through Secure FTP (SFTP). Further, Avalara supports the use of PGP encryption for any data file exchanges. Symmetrically, Avalara can encrypt return download data using the client’s public PGP key prior to SFTP transmission.
Secure data at rest
In-process data is segregated from external interfaces and sensitive data stored in the database is encrypted at rest. Passwords are one-way encrypted using AES 256 encryption, and Tax IDs are two-way encrypted using Blowfish. Systems and data are backed up to ensure the availability of information in the event of a disaster. Media is securely wiped prior to disposal.
Scalable and reliable infrastructure
The CertCapture infrastructure is both robust and secure. High availability is obtained through the use of redundant routers, switches, server clusters and backup systems. Threats to business operations are identified, regularly reviewed, assessed, and planned for where necessary.
Protecting user privacy
The policy identifies the information gathered, how it is used, with whom it is shared and the client’s ability to control the dissemination of information.
Disclosure of user information
To deliver service, Avalara must maintain user information, like first and last name, email address, account level passwords, account numbers, and sometimes other sensitive data for CertCapture. Avalara doesn't disclose this confidential information to any third party or use this information in any manner other than to deliver agreed services. Even when CertCapture is accessed from a public PC, data left behind poses no privacy threat.
CertCapture uses a cookie to identify authenticated users that have logged in via a web browser. This cookie holds a unique identifier generated at the time of access, but doesn't contain any personally identifiable information or passwords. This cookie is only valid for the length of the user’s browser session.
Access to user information
Avalara operations staff are the only individuals with access to CertCapture servers – limited access is granted on a need-to-know basis for the express purpose of customer support.
There are two types of users of CertCapture:
- Internal users – These are agents of the client organization (Avalara’s customer) that perform certificate management and request services, configure system and users, and monitor system activity. Access is provided by the administration interface.
- External users – These are the end users, the company representatives to which compliance documents and tax exemption data are supplied or leveraged. External users access the system through client-branded web interfaces and/or retail apps.
The administration website is accessible from any Web browser. Clients may opt to restrict access to the administration site to IP addresses originating from their corporate network. This interface provides access to external user information, application configuration and reports. Traffic between the administration interface and browsers is protected using SSL/TLS. Internal users authenticate their access to the administration website with a username and password that needs to be changed every ninety days. CertCapture does not allow a new password to be the same as the existing password, ensuring that existing passwords are not reused continually.
Data available via the administration website is limited to what is needed for Internal Users to manage their application.
Managing internal user accounts
Once an organization establishes CertCapture service, the administrator is provided with access instructions. Administrators can limit access by users to specific roles with limited abilities. Administrators have the ability to disable access and reset passwords.
Managing external user accounts
External users interact and submit data via CertCapture front end interfaces, but aren't granted access to CertCapture screens, data or reports.
Avalara performs full nightly database backups and supports recovery to the minute. In addition, we perform weekly application server backups. Data is replicated between two data centers which are over 2,000 miles apart. We test disaster recovery and continuity plans quarterly.
Third party systems can be integrated with CertCapture so that data exchanges between multiple systems can be simplified and automated while maintaining a secure system.
To securely connect a client’s customer management system or tax engine with CertCapture without requiring additional login or user interaction, a Client can choose to either integrate with our REST APIs or utilize CertCapture file import and export capabilities. In both cases, data is encrypted during transit. API calls utilize SSL certificates to encrypt entire packets, and flat files are sent over an encrypted channel using SFTP.
Typical response times
Publishing typical response times for common user actions is a challenging task because there are so many variables that could impact speed and system efficiency. Variables include size and number of simultaneous requests on CertCapture, network speed, a Client’s ability to submit data and receive responses, and many others. However, we thought it useful to provide typical response times so that users would have a general sense of expected timing to complete the most common actions.
| Time it takes to... for background jobs | Approximate response time |
|---|---|
| Upload a document for processing and see it available in the processing queue | 2.5 seconds per page |
| Create a campaign with a cover letter and two certificate requests | 7 seconds per customer record |
| Create a campaign with only cover letters | 2 seconds per customer record |
| Create a report and see it ready for download in the Download Center | 30 seconds for 1,000 report responses; 5 minutes for 25,000 report responses |

| Time it takes to... for REST API jobs | Approximate response time |
|---|---|
| Send ID-based Get request from a third-party application and receive a response | 250 milliseconds |
| Send search-based Get request from a third-party application and receive a response | 500 milliseconds |
| Send create/update/delete request from a third-party application and receive a response | 500 milliseconds |