# Security and Compliance

Advo360 is cloud-hosted in U.S.-based data centers with enforced multi-factor authentication, role-based access controls, encryption, session management, and account protection.

Your funders will ask about this. Your board will ask about this. Your IT evaluator will ask about this. Here are the answers.

---

## What this means in plain language

Your staff are not guessing who can see what. Your funders are not hearing vague reassurances about data security. Your organization is not relying on informal workarounds to protect records that could endanger someone if they were exposed. Every user proves their identity with a second factor before they access anything. Every session locks after inactivity. Every record is encrypted.

---

## Infrastructure

U.S.-based cloud infrastructure. Our hosting provider holds SOC 1 and SOC 2 attestation reports, ISO 27001 certification, and FedRAMP authorization.

## Authentication

TOTP multi-factor authentication required for every user. No exceptions. Enforced at the platform level.

## Access Control

Configurable permission levels structured to match your organization's hierarchy. Each user sees only what their role requires.

## Session Security

Automatic session timeout after inactivity. Re-authentication required. Timeout duration is configurable per organization. Designed for shared office environments common in advocacy settings.

## Account Protection

Lockout after repeated failed login attempts.

## Password Requirements

Minimum length and complexity requirements enforced.

## Data Encryption

AES-256 encryption at rest. HTTPS/TLS encryption in transit. All data is encrypted using the same standard required by U.S. federal agencies for the protection of sensitive information.

## Database

Modern database architecture with parameterized queries to prevent injection attacks and non-sequential identifiers to prevent enumeration.
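The two database controls named above, parameterized queries and non-sequential identifiers, are easiest to understand side by side. The block below is an added illustration written for this page, not Advo360's own code; it uses an in-memory SQLite table and made-up record data, and the function and column names are assumptions. It shows why splicing user input into SQL text lets a search filter be broken out of, what the same query looks like with placeholders, and how random UUIDs plus a format check on incoming identifiers stop a caller from walking record IDs one by one.

```python
import sqlite3
import uuid


def setup_db():
    # Constructed sample schema: one table of case records scoped to an organization.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (id TEXT PRIMARY KEY, org TEXT NOT NULL, note TEXT NOT NULL)"
    )
    return conn


def new_record_id():
    # Non-sequential identifier: 122 random bits, so there is no ordering to enumerate.
    return str(uuid.uuid4())


def insert_record(conn, org, note):
    rid = new_record_id()
    conn.execute("INSERT INTO records (id, org, note) VALUES (?, ?, ?)", (rid, org, note))
    return rid


def find_by_note_unsafe(conn, org, term):
    # The pattern parameterization replaces: caller input becomes part of the SQL text,
    # so a search term containing quote characters changes the query's structure and the
    # organization filter no longer holds.
    sql = f"SELECT id FROM records WHERE org = '{org}' AND note LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def find_by_note(conn, org, term):
    # Parameterized form: the SQL text is fixed and the driver binds the values, so the
    # term is only ever compared as data and the org scope cannot be escaped.
    sql = "SELECT id FROM records WHERE org = ? AND note LIKE ?"
    return [row[0] for row in conn.execute(sql, (org, f"%{term}%"))]


def get_record(conn, org, rid):
    # Reject anything that is not a well-formed UUID before touching the database, and
    # always scope the lookup to the caller's organization.
    try:
        uuid.UUID(rid)
    except ValueError:
        return None
    row = conn.execute(
        "SELECT note FROM records WHERE id = ? AND org = ?", (rid, org)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    a = insert_record(db, "org-a", "intake completed")
    b = insert_record(db, "org-b", "safety plan updated")
    odd_term = "' OR 1=1 --"
    print("unsafe search leaks across orgs:", set(find_by_note_unsafe(db, "org-a", odd_term)) == {a, b})
    print("parameterized search stays scoped:", find_by_note(db, "org-a", odd_term))
    print("sequential-style id rejected:", get_record(db, "org-a", "1"))
```

The unsafe search is kept only to show the failure mode; in the parameterized version the same search term simply matches no notes, and a guessed identifier such as `"1"` never reaches the query at all.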

## Development Practices

Version-controlled codebase with full change tracking. Built on a modern, security-hardened application framework with input validation, CSRF protection, and secure session handling.

## Data Deletion

Built-in deletion request system. Soft deletion preserves audit integrity. Full deletion available upon request.

## FAQ

**Where is our data stored?**
U.S.-based cloud data centers.

**Can users be required to use MFA?**
MFA is required. It is not optional.

**How do you handle data deletion requests?**
Through the platform. Soft deletion is immediate. Full deletion on request.

**Is Advo360 HIPAA compliant?**
Advo360 meets HIPAA technical safeguard requirements including access controls, audit logging, encryption in transit and at rest, and authentication. A Business Associate Agreement is available for organizations that require one.

**Can you provide documentation for grant applications?**
Yes. This page and additional technical documentation are available in grant-ready formats.

---

The organizations you serve trust you with their most sensitive information. Your technology should justify that trust.

[Request a Demo](/contact)
