APPLICATION SECURITY & TECH OPS OVERVIEW
We believe the security of your information is a serious issue and we are committed to protecting the information we receive from you. We use a range of security measures to protect against the loss, misuse, and alteration of your information under our control based on the type of Personal Data and applicable processing activity. These security measures include data encryption in transit, data encryption at rest and enforcement of least privilege and need-to-know principles.
We follow and adopt, where applicable, industry-best practice and market-leading security tools to protect customer and business data. Our experienced IT Operations and Security team manage all areas of data, network, system and application security, including 24×7 monitoring and alerting. Some of the industry best practice security measures we employ in all of our environments:
Cloud hosted environment
We deliver products and services to our clients via a global third-party cloud platform accredited with industry-recognised certifications, including FedRAMP, ISO, SOC, PCI, and more. The cloud platform is also compliant with numerous regulations, privacy standards, and frameworks, including HIPAA, HITECH, GLBA, the EU Data Protection Directive, EU-US Privacy Shield, FISMA.
Our cloud services providers have been selected to ensure that we can host and deliver services in whichever region our clients require and comply with any data transmission restrictions and storage restrictions.
As part of our on-going commitment to our clients we monitor changes in legislation and adapt our delivery mechanisms appropriately in collaboration with our clients.
Encrypted transmission
All browser connections and communications are transmitted over SSL (TLS), ensuring the privacy and integrity of data in transit. Our servers only permit and support 128- or 256-bit cipher suites over TLS 1.2 or higher, protecting against unauthorised disclosure, modification, and replay attacks.
Encryption of authentication and session data
All authentication and session data are encrypted with AES-256, ensuring your account credentials and sessions remain protected and unreadable in a stored state.
Penetration testing and red-team assessment
Our client environments undergo rigorous, annual third-party penetration testing and red-team assessment to replicate the most malicious modern hacking attacks to ensure our infrastructure can proactively identify and repel penetration attacks.
Web application firewall
Every client environment is protected with an enhanced web application firewall capable of detecting and blocking advanced payloads and attacks.
Distributed denial of service (DDoS) protection
Our cloud-based DDoS protection automatically detects and mitigates all types of layer 3, 4, and 7 attacks on our network and can repel 99.9% of all DDoS attack types.
Intrusion detection and prevention
Our client environments are equipped with the latest in network security monitoring and prevention tools. All tools are specifically designed to detect and prevent malicious attacks against our clients and our services.
Dedicated web, app, and database tier
Dedicated single-tenant presentation, application, and database tiers provide complete isolation of customer data flow from browser to database.
ORGANIZATIONAL SECURITY
We have established an industry-leading security program dedicated to ensuring customers have the highest confidence in our handling of their data and information. Our security program is aligned to the SOC 2 and NIST cybersecurity standards and is regularly audited and assessed by third parties and customers. We are SOC 2 Type 2 certified.
Personnel security
Our personnel practices apply to all members of our team (“staff”)—regular employees and independent contractors—who have direct access to our internal information systems (“systems”) and/or unescorted access to our office space. All staff are required to understand and follow internal policies and standards.
Before gaining access to systems, all staff must agree to confidentiality terms, pass a background screening, and attend security training. This training covers privacy and security topics, including device security, acceptable use, preventing malware, physical security, data privacy, account management, and incident reporting. Security training for staff is refreshed annually, and more frequently where applicable.
Upon termination, staff are deprovisioned, access to our systems is immediately revoked, and confidentiality obligations are reiterated.
Security and privacy training
During their tenure, all staff are required to complete a refresh of privacy and security training at least annually. Our staff are also required to acknowledge that they’ve read and will follow our information security and cybersecurity policies and code of conduct. Some staff, such as engineers, operators and support personnel who may have privileged access to systems or data, receive additional job-specific training on privacy and security. Staff are required to report security and privacy issues to the appropriate internal personnel.
Dedicated security professionals
We have defined roles and responsibilities to outline which roles in the organisation are responsible for operating our Information Security Management System (ISMS). This team comprises members of our Engineering and Security Operations Team, focusing on Product Security, Security Operations, Incident Response Teams, and Risk, Compliance & Legal.
Together, this team divides responsibilities for key aspects of our security program, as follows:
Product Security
- Establish secure development practices and standards
- Ensure project-level security risk assessments
- Provide design review and code review security services for detection and removal of common security flaws
- Train developers on secure coding practices
- Coordinate application penetration testing
- Manage vulnerability scanning and remediation
Security Operations
- Build and operate security-critical infrastructure, including our public key infrastructure, event monitoring, and authentication services
- Maintain a secure archive of security-relevant logs
- Consult with operations personnel to ensure the secure configuration and maintenance of our production environments
IRT (Incident Response Team)
- Respond to alerts related to security events on our systems
- Manage security incidents
- Acquire and analyse threat intelligence
Risk, Compliance & Legal
- Coordinate regular risk assessments, and define and track risk treatment
- Manage the security awareness program
- Coordinate audit and maintain security certifications
- Respond to customer inquiries
- Review and qualify vendor security posture
POLICIES & STANDARDS
We maintain a set of policies, standards, procedures and guidelines (“policies & procedures”) that provide our staff with the guidance and rules for operating our ISMS. Our security policies & procedures help ensure that our customers can rely on our staff to behave ethically and for our service to operate securely. These policies & procedures documents include, but are not limited to:
- Cybersecurity policy
- Access Control Policy
- Asset Management Policy
- Business Continuity & Disaster Recovery
- Code of Conduct
- Cryptography Policy
- Data Management Policy
- Human Resource Security Policy
- Incident Response Plan
- Information Security Policy
- Information Security Roles & Responsibilities
- Operations Security Policy
- Physical Security Policy
- Risk Management Policy
- Secure Development Policy
- Third-Party Management Policy
These policies are living documents: they are regularly reviewed and updated as needed and made available to all staff as applicable.
AUDITS, COMPLIANCE & THIRD-PARTY ASSESSMENTS
We operate a comprehensive information security program designed to address recognised security standards. Please contact your Account Executive for more information about the security standards that we comply with and to request copies of available reports and certifications.
Audits
We evaluate the design and operation of our overall ISMS for compliance with internal and external standards. We also use software for live monitoring of our internal compliance, information risk and control environment, so that any issues are flagged in real time and resolved by the appropriate responsible party.
Penetration testing
We engage independent, industry-leading cybersecurity firms to conduct regular application-level and infrastructure-level penetration tests. Results of these tests are shared with our senior management team and staff as required. Our infosec team reviews and prioritises the reported findings and tracks any identified issues through to resolution. Customers wishing to conduct their own penetration test of our platform and associated solutions may request to do so by contacting their Account Representative to obtain our permission.
Legal compliance
We have access to legal and compliance professionals with extensive expertise in data privacy and security. These professionals’ contributions are embedded in the development lifecycle and review of products and features for compliance with applicable legal and regulatory requirements. We also have a code of conduct that makes legal, ethical and socially responsible choices and actions fundamental to our values and defines standards for meeting those goals.
Data requests
We receive requests from clients to disclose or delete data other than in the ordinary operation and provision of the Services. Our Privacy Policy addresses and details how we handle requests of this nature and clearly outlines our policies and procedures for responding to such requests for customer data.
SECURITY BY DESIGN
Secure development lifecycle
We assess the security risk of each software development cycle according to our Secure Development Policy & internal guidelines. Before completion of the design phase, we undertake an assessment to qualify the security risk of the software changes introduced. This risk analysis leverages both the OWASP Top 10 and our product security experience leading to categorising every project as High, Medium, or Low risk. Based on this analysis, we create a set of requirements that must be met before the resulting change may be released to production. All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing. For our web application, we operate continuous automated static analysis using advanced tools and techniques. Significant defects identified by this process are reviewed and followed to resolution by the Engineering and Security Team.
PROTECTING CUSTOMER DATA
The focus of our security program is to prevent unauthorised access to customer data. To this end, our team of dedicated security practitioners, working in partnership with peers across all our teams, take exhaustive steps to identify and mitigate risks, implement best practices, and constantly evaluate ways to improve how we protect customers’ data.
Data encryption in transit and at rest
We transmit data over public networks using strong encryption. This includes data transmitted between our clients and our applications, services and systems. We support the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS 1.2 protocols, AES256 encryption, and SHA2 signatures, as supported by the clients. We monitor the changing cryptographic landscape and, as required, upgrade our cipher suite choices as the landscape changes while also balancing the need for backward compatibility.
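The transport policy described above ("128- or 256-bit cipher suites over TLS 1.2 or higher" under Encrypted transmission, and the AES-256/SHA-2 suites in this section) can be expressed as a server-side TLS context and audited before deployment. The following is an added example, not code from the page or from the company it describes: it builds a context that meets the stated policy, a deliberately permissive one for contrast, and an audit that reports any enabled suite that is not an AEAD suite with a 128- or 256-bit key or any protocol floor below TLS 1.2. The exact cipher string is an assumption chosen for the example; the page only states the key sizes and protocol floor.

```python
import ssl

# Assumed cipher string: forward-secret AEAD suites only. The page states the
# key-size and protocol requirements, not the specific suite list.
POLICY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES"


def hardened_context() -> ssl.SSLContext:
    """Server context that meets the stated policy: TLS 1.2+ and 128/256-bit AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(POLICY_CIPHERS)
    return ctx


def weak_context() -> ssl.SSLContext:
    """Contrast case: legacy CBC suites with RSA key exchange (no forward secrecy, not AEAD).

    @SECLEVEL=0 asks OpenSSL not to filter these suites out so the audit has
    something to report; this is the 'before' configuration, not a recommendation.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("AES128-SHA:ECDHE-RSA-AES128-SHA:@SECLEVEL=0")
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Return a list of policy violations for a context; an empty list means compliant.

    ssl.SSLContext.get_ciphers() reports each enabled suite with its protocol,
    key strength in bits and whether it is an AEAD construction.
    """
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol {ctx.minimum_version.name} is below TLS 1.2")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if cipher["protocol"] not in ("TLSv1.2", "TLSv1.3"):
            findings.append(f"{name} is a {cipher['protocol']} suite")
        if cipher["strength_bits"] not in (128, 256):
            findings.append(
                f"{name} uses a {cipher['strength_bits']}-bit key")
        elif not cipher["aead"]:
            findings.append(f"{name} is not an AEAD suite")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_context()), ("weak", weak_context())):
        problems = audit(ctx)
        print(f"{label}: {'compliant' if not problems else 'violations'}")
        for problem in problems:
            print("  -", problem)
```

The audit relies on OpenSSL's own description of each suite rather than on pattern-matching names, so it stays correct when the suite list changes; run it against the context your service actually loads, since a context built from defaults can differ between OpenSSL builds.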
Network security
We divide our systems into separate networks to better protect client-sensitive data and content. Systems supporting testing and development activities are hosted in a separate network from systems supporting our staging and production environments. Customer data submitted into our environments is only permitted to exist in our staging and production environments, which are the most tightly controlled components of our infrastructure. Administrative access to systems within the staging and production network is limited to staff and engineers with a specific business need; where access is granted for a specific business need, it is deprovisioned once that need is complete.
Classifying data and inventory management
We classify data and content into different levels to better protect the data in our platform and specify the labelling and handling requirements for each of those classes. Our ISMS considers data classifications in its encryption standards, its access control and authorisation procedures, and its incident response standards, among other security documents. Customer data is classified at the highest level.
Data classifications are maintained as part of the asset management process. We maintain an inventory of hardware, software and data assets at least annually to enforce correct data classification levels. We restrict the flow of data to ensure that only appropriately classified systems may contain Customer data.
Authorizing access
To minimize the risk of data exposure, we follow the principle of least privilege—staff are only authorized to access the data they reasonably must handle to fulfil their current job responsibilities. To ensure the principle of least privilege is applied, we use the following measures:
- All systems used by us require staff to authenticate before providing access. Staff authenticate via SSO as the preferred method, or via username and password with MFA enabled where SSO is not possible.
- Access levels are reviewed at least quarterly to ensure the access granted is still appropriate for the user’s current job responsibilities.
- Staff may be granted access to a small number of internal systems by default upon hire. Further access and provisioning requests follow a documented process in which they are requested and approved by the responsible owner or manager.
Authentication
To further reduce the risk of unauthorised access to data, we use multi-factor authentication for administrative access to systems holding more highly classified data. Where possible and appropriate, we use SSO for authentication. Where passwords are used, multi-factor authentication is enabled for access to higher data classifications. Our password policy requires passwords to be complex (auto-generated to ensure uniqueness, longer than 12 characters, and not consisting of a single dictionary word, among other requirements).
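The password requirements stated above can be enforced mechanically at the point where a credential is generated or set. The following is an added example and not the company's own tooling: it generates a password with the `secrets` module and checks a candidate against the three stated rules (length greater than 12, not a single dictionary word, auto-generated). The character-class rule and the small word list are assumptions standing in for the unstated "other requirements" and for the dictionary a real check would load.

```python
import secrets
import string

MIN_LENGTH = 13  # the policy says "longer than 12 characters"

# Constructed stand-in for a real dictionary (e.g. a word-list file); not from the page.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}

# Assumed character-class requirement; the page lists "other requirements" without naming them.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def is_single_dictionary_word(password: str, dictionary: set) -> bool:
    """True when the password is one dictionary word, optionally padded with digits or punctuation.

    'Dragon2024!' should fail the rule just as 'dragon' does, so the padding is stripped first.
    """
    core = password.lower().strip(string.digits + string.punctuation)
    return core in dictionary


def check_password(password: str, dictionary: set = SAMPLE_DICTIONARY) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"length {len(password)} is not longer than 12 characters")
    if is_single_dictionary_word(password, dictionary):
        findings.append("password is a single dictionary word")
    present = {name for name, chars in CLASSES.items() if any(ch in chars for ch in password)}
    missing = sorted(set(CLASSES) - present)
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))
    return findings


def generate_password(length: int = 20) -> str:
    """Auto-generate a password that satisfies check_password, using the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    # One character from each class guarantees the class rule is met ...
    chars = [secrets.choice(sorted(members)) for members in CLASSES.values()]
    # ... and the remainder is drawn uniformly from the full alphabet.
    alphabet = string.ascii_letters + string.digits + string.punctuation
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the guaranteed characters are not always first
    return "".join(chars)


if __name__ == "__main__":
    for candidate in ("Password1!", "dragon", "Tr0ub4dor&3xyz-Q", generate_password()):
        problems = check_password(candidate)
        print(f"{candidate!r}: {'ok' if not problems else '; '.join(problems)}")
```

A dictionary check of this kind is only as good as its word list; in practice it would be backed by a large list and, for human-chosen passwords, a breached-password check, neither of which the page describes.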
System monitoring, logging and alerting
We monitor servers, workstations and mobile devices to retain and analyse a comprehensive view of the security state of our corporate and production infrastructure. Administrative access, use of privileged commands and system calls on all servers in our production network are logged.
Our IT Operations and Security team collects and stores production logs for analysis. Logs are stored in a separate network. Access to this network is restricted to members of the IT Operations and Security Team. Logs are protected from modification and retained for at least two years. Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel. Alerts are examined and resolved based on documented priorities.
Endpoint monitoring
Our workstations and devices run various monitoring tools that may detect suspicious code or unsafe configuration or user behaviour. Our IT Operations and Security Team continually monitors workstation alerts and ensures significant issues are resolved in a timely fashion.
Mobile device management
Mobile devices that are used to transact company business are centrally managed and required to be enrolled in the appropriate mobile device management systems, to ensure they meet our security standards.
Responding to security incidents
We have established policies and procedures for responding to potential security incidents. Our Incident Response Team (IRT) manages all incidents. We define the types of events that must be managed via the incident response process based on severity. Incident response procedures are tested and updated at least annually.
Data and media disposal
We delete information from current production systems at a client’s request. We follow industry standards and advanced techniques for data destruction. We define policies and standards requiring media to be properly sanitised once it is no longer in use. Our cloud services providers are responsible for ensuring the removal of data from disks allocated to our use before they are repurposed.
Workstation security
All workstations issued to workers are configured by us to comply with our standards for security. These standards require all workstations to be properly configured, kept updated, run monitoring software and be tracked by our IT Operations and Security Team. Our default configuration sets up workstations to encrypt data, have strong passwords, and lock when idle.
Workstations run up-to-date monitoring software to report potential malware, unauthorised software and removable storage devices, and to track in real time whether hard drive encryption, screen locks and antivirus software are active and up to date.
Controlling system operations and continuous deployment
We take a variety of steps to combat the introduction of malicious or erroneous code into our operating environment and protect against unauthorised access.
Controlling change
To minimise the risk of data exposure, we control changes, especially changes to production systems, very carefully. We apply change management procedures to systems that store data at higher levels of sensitivity. These requirements are designed to ensure that changes potentially impacting Customer Data are documented, tested, and approved before deployment.
Server hardening
New servers deployed to production are hardened in accordance with security best practice (CIS benchmark framework). All unneeded services are disabled, default passwords are removed, and our custom configuration settings are applied to each server before use.
DISASTER RECOVERY AND BUSINESS CONTINUITY
We utilize services provided by our cloud services and infrastructure providers to distribute our production operation across multiple separate locations (as required, subject to data residency requirements). These locations provide our service with redundancy against loss of connectivity, power, infrastructure, and other common location-specific failures. Client environments are replicated among these discrete operating environments to ensure the availability of our service in the event of a location-specific catastrophic event. Full backups are saved to remote locations continuously. We test backups to ensure they can be correctly restored.
THIRD-PARTY SUPPLIERS & SERVICE PROVIDERS
To run our business efficiently, we rely on sub-contractors and service providers. Where these organisations may impact the security of our production environments, we take appropriate steps to ensure their security posture is maintained. We establish agreements that require service organisations to adhere to the confidentiality commitments we have made to our clients. We monitor the effective operation of each organisation’s safeguards by reviewing its controls before use and at least annually thereafter.