Better Health for All

AvePoint's core business involves data management software, which does not directly provide health products or services, resulting in a neutral impact for many health-related KPIs. However, the company demonstrates strong performance in healthcare data responsibility. Its Confidence Platform helps healthcare organizations identify and remediate data security risks, including oversharing and misconfigured permissions.

The platform supports compliance with regulations such as the Australian Privacy Principles, Health Records Act 2001, Privacy Act 1988, Notifiable Data Breaches (NDB) scheme, and HIPAA. AvePoint's solutions are certified with ISO 27001, SOC 2 Type II, and have achieved IRAP assessment at the PROTECTED level. The company's solutions enable comprehensive backup and quick recovery of health data, including encryption in transit and at rest, and assist in retaining data from clinical trials for required periods. Case studies show data recovery times reduced by 85% and from up to a day to mere minutes, and a 20% reduction in maintenance costs and helpdesk tickets for a major academic healthcare system.

Fair Money & Economic Opportunity

AvePoint, Inc. is a software company providing data management solutions, not a financial institution.

The company does not offer lending or deposit services, consumer credit products, or manage customer financial data. Therefore, all KPIs related to financial services, such as underserved client share, pricing fairness, exploitative fee exposure, inclusion initiatives (in the context of loan/insurance books), data accessibility (for financial data), fair lending compliance, wealth building outcomes, profit reinvestment in community finance, financial literacy initiatives (as a financial service provider), debt burden ratio, geographic inclusion (for financial access points), and product simplicity (for financial products), are not applicable to its core business model. The evidence provided does not contain specific, concrete data points for any of these KPIs in the context of financial services.

Honest & Fair Business

The company has a formal whistleblower policy, the 'Open Door Policy for Accounting Matters and Legal Allegations,' updated August 20, 2024, and effective June 10, 2025.

This policy outlines procedures for reporting accounting/auditing matters and suspected illegal activities, includes confidentiality, protection against retaliation, and offers anonymous reporting mechanisms via web, app, phone, email, and fax. It also details procedures for investigation and board reporting. The Code of Ethics and Business Conduct explicitly addresses the FCPA, prohibiting bribery of foreign and domestic officials, and includes record-keeping and internal controls requirements. However, there is no evidence regarding the frequency of training or effectiveness metrics for this anti-corruption policy.

No War, No Weapons

AvePoint generally does not produce, receive, or export defense items, indicating no defense or arms-related activities in its core business.

Consequently, there are no defense assets to divest and no defense business for the board to oversee. The company has an Export Control and Trade Sanctions Compliance Policy that prohibits transactions with High Risk Sanctioned Countries (Cuba, Iran, North Korea, Syria, and the Crimea region of Ukraine) unless authorized by a Compliance Officer, which represents robust compliance controls. The company's products and technology, including those with encryption functionality, are controlled under Export Control Laws, including the E.U. Dual-Use Regulation, and it prioritizes civilian uses by restricting end-uses related to chemical, biological, or nuclear weapons, missiles, military activities, terrorism, or cyber surveillance by repressive regimes. This policy also serves as a safeguard against controversial weapons. AvePoint has a Global Human Rights Policy and a Supplier Code of Conduct, with personnel required to be alert to red flags for prohibited end-uses, indicating adherence to enhanced humanitarian procurement standards. The company screens parties before onboarding and periodically thereafter, which translates to human-rights due diligence every 2-3 years in high-risk zones and annual partner reviews without substantive action. AvePoint also has a Responsible AI Charter, but no specific details are provided on military use safeguards, leading to an N/A score.

Planet-Friendly Business

The provided articles, including the company's corporate responsibility report, explicitly state a lack of specific quantitative data for AvePoint, Inc. regarding environmental impact metrics, regulatory actions, violations, fines, certifications, awards, or recognitions.

The articles discuss general environmental impacts of data storage but do not provide any company-specific data relevant to the requested metrics.

Respect for Cultures & Communities

AvePoint has established at least 16 formal partnerships with local community groups and charities, including 6Degree.org, International Organization for Migration (IOM), The Salvation Army, WordHelp, Mary's Place, Girls Giving Back, Gates Philanthropy Partners, Covenant House, ByteBack, Boston Children’s Hospital, The Minneapolis Foundation, Patriots and Paws, Groundswell Community Project, Save the Children UK, Jersey Cares, and Hamodova Café.

The company provides an anonymous reporting hotline, effective August 20, 2024, accessible via website, app, and toll-free telephone numbers in English, Spanish, and French. This indicates grievance mechanisms are available across multiple operational regions. The company's business model does not inherently involve activities that would lead to cultural appropriation incidents, cultural impact, FPIC processes, cultural site disruptions, or require a social license to operate. However, the provision of its anonymous reporting hotline in only three languages (English, Spanish, and French) despite operating globally with over 21,000 customers suggests limited local language incorporation, resulting in a language inclusivity score between 35-50/100.

Safe & Smart Tech

AvePoint has implemented an AI policy that aligns with the NIST AI Risk Management Framework and established an AI Governance Committee for oversight.

Its AI systems are designed to serve all users equitably, actively working to eliminate biases and promote inclusivity. The company holds multiple certifications including ISO 27701:2019, ISO 27001:2022, ISO 27017:2015, SOC 2 Type II, CSA STAR Level 2, FedRAMP Moderate, IRAP, and the Data Protection Trustmark (DPTM) Certification. AvePoint requires third-party vendors to have SOC II, type 2 or equivalent certifications. The company has a documented mandatory information security and privacy training and awareness program, including general awareness and role-specific training. Data is encrypted using TLS 1.2 in transit and AES 256 at rest, with customers having the option to use their own encryption key (BYOK) and storage (BYOS). Data processed by AI systems is encrypted during processing. AvePoint will identify and document AI risks from design through deployment and conduct risk assessments. AI systems are designed to be transparent, allowing users to understand how decisions are made. Customer data is only used to provide agreed-upon services and is never used to train or fine-tune AI models unless explicitly opted in. Customers own their data, which is preserved for 15 days after subscription termination and made available upon request. Multi-factor authentication is employed for administrative access to systems supporting customer applications and is required for all users of Internet-facing applications that permit financial instructions/transactions or display personally identifiable information. Critical and high-rated vulnerabilities are patched within 30 days of patch availability. AvePoint acknowledges receipt of vulnerability reports within seven days and responds to properly formatted reports within seven days. The company performs annual penetration tests of its products and web application assessments of public-facing systems. AvePoint configures all systems for least privileged access to limit access to customer information. The company is a corporate member of the International Association of Privacy Professionals (IAPP) and has partnered with the Center for Information Policy Leadership (CIPL).