Apricot Security and Hosting

Bonterra takes comprehensive measures to ensure that data is kept safe, confidential and recoverable in the case of a disaster. Bonterra's office sits behind a firewall which extensively controls, tracks, and reports access to our internal infrastructure. Our software meets current HUD Domestic Violence, HMIS, and Social Security Administration data management and security protocols, as well as minimum required FERPA and HIPAA standards.

Data Security

Apricot® uses usernames and passwords to prevent unauthorized access and to restrict user access within the application. Each unique user account is assigned access to programs and permission sets to restrict access to data and features in the system. Customer data is housed in two locations (U.S. at https://apricot.socialsolutions.com, Canada at https://apricotsoftware.ca, and Australia at https://apricot.socialsolutionsau.com) based on the location of the client. Data is stored using redundant AWS hardware technologies, Bonterra fault-tolerant software, and journaling file systems.


Bonterra uses state-of-the-art equipment and technology to safeguard the confidential nature of your data. Your data is automatically encrypted while in transit between your computer and our servers as well as while in the database. Users access Apricot® software web application servers via secure HTTPS connection.


Our SOC 2 Type 2 (SSAE18) report is a comprehensive document that describes Bonterra security controls in the domains of Administrative, Physical, and Technical security. Apricot is certified SOC 2 Type II compliant. Bonterra security controls are reviewed by independent external auditors for Apricot to maintain SOC 2 Type II compliance.

Server Security

Each of our servers is individually governed by a system that is designed to prevent unexpected Internet data from being processed by our server software. Intrusion Detection/Prevention (IDS/IPS), Web Application Firewall (WAF), virus scanning, automated system checks, and remote logging guard against unauthorized access. AWS implements electronic surveillance and multi-factor access control systems to secure its data centers. Data centers are staffed 24x7 by trained security guards, and access must be strictly authorized. Multiple availability zones allow Apricot to remain resilient in the face of most failure modes, including natural disasters or system failures. In case of a disaster in our main AWS region, Social Solutions will have Apricot up and running in a backup AWS region within 24 to 48 hours.

Redundant Infrastructure and Backups:

  • 24/7/365 monitoring of up-time across the infrastructure

  • Redundant water, power, telecommunications, and internet connectivity to maintain continuous operations 

  • Uninterrupted power supply to reduce possible service outages

Retention Policy

  • Encrypted backups are retained for 13 months as a part of our automated data lifecycle.

Apricot Compliance Reports

  • SOC 3

  • SOC 2 Type II

  • HIPAA Assessment Type I

AWS Common Compliance Standards


Passwords:

  • Are set to have a minimum length of 12 characters. This can be increased by the application administrator.

  • Are set to expire at a minimum of 30 days. This can be increased by the application administrator.

  • Are set to contain at least:

    • 1 uppercase letter

    • 1 lowercase letter

    • 1 symbol

    • 1 number

  • The last 24 passwords cannot be reused

  • Must be reset at least every 365 days

  • Can be locked after a set number of invalid login attempts

  • Masked upon entry

  • Stored in cryptographically strong, one-way salted hashes

  • Can be changed by an application administrator
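
The password rules listed above, written as a check that could be used when auditing or reproducing a similar policy. This is an added example, not Bonterra's or Apricot's code; the function names, the choice of scrypt and its parameters, and the sample values are assumptions.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12      # minimum length stated in the list above
HISTORY_DEPTH = 24   # the last 24 passwords cannot be reused


def hash_password(password, salt=None):
    """Return (salt, digest): a salted one-way hash. scrypt is an assumed choice."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def composition_errors(password):
    """Return the names of the composition rules the candidate fails."""
    checks = {
        "min_length": len(password) >= MIN_LENGTH,
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    return [name for name, ok in checks.items() if not ok]


def is_reused(password, history):
    """history: list of (salt, digest), newest first. Stored hashes cannot be
    reversed, so the candidate is re-hashed with each stored salt instead."""
    for salt, stored in history[:HISTORY_DEPTH]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored):  # constant-time comparison
            return True
    return False


def validate_new_password(password, history):
    """Return a list of violations; an empty list means the password is accepted."""
    errors = composition_errors(password)
    if is_reused(password, history):
        errors.append("reused")
    return errors


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    history = [hash_password("Spring-Garden-2023")]
    print(validate_new_password("Spring-Garden-2023", history))
    print(validate_new_password("shortpw", history))
```

Because every stored entry has its own salt, the reuse check costs one key derivation per history entry, which is why the history is capped before hashing.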
