Security Policy

Overview

Our platform is your platform and we take security very seriously. In addition to our Privacy Policy, which governs the way we use data on our platform, we have a robust security program to ensure that nobody else can gain access to our systems, data, or software.

Our security program evaluates, monitors and improves the security posture of our underlying systems on a regular basis. The program comprises technology (software) as well as policies (legal agreements) and procedures.

Data Protection

Encryption standards for data in transit and at rest:

Data in transit: We use Transport Layer Security (TLS) to encrypt all data transmitted over networks. This includes client-server communications and inter-server data transfers.

Data at rest: We implement AES-256 encryption for all stored data, including databases, file systems, and backups. This ensures that data remains secure even if physical storage devices are compromised.

Key management: We use a robust key management system to generate, store, and rotate encryption keys securely. Keys are rotated regularly to maintain the highest level of security.

Hosting & Network Security

Our platform is hosted on Amazon Web Services (AWS) in Sydney, Australia. We leverage AWS’s robust infrastructure to ensure high availability, scalability, and security for our services. Key aspects of our AWS hosting solution include:

Availability Zones: We utilize multiple Availability Zones within the Sydney region to provide redundancy and fault tolerance. This approach minimizes the risk of service disruptions due to localized issues.

AWS Global Infrastructure: While our primary hosting is in Sydney, we benefit from AWS’s global network of data centers and edge locations, enabling content delivery and disaster recovery capabilities if needed.

Elastic Compute Cloud (EC2): We use EC2 instances to host our application servers, allowing us to scale our computing resources based on demand.

We utilize Amazon Web Services (AWS) Virtual Private Cloud (VPC) to enhance our network security. Here’s an overview of our VPC implementation:

Isolated network: Our VPC provides a logically isolated section of the AWS Cloud where we launch our resources in a virtual network that we define.

Subnets: We configure public and private subnets within our VPC to segregate resources based on their internet accessibility requirements.

By leveraging AWS’s robust infrastructure, we ensure our platform benefits from industry-leading security measures, including physical security at data centers, network security, and compliance with various international standards and certifications. More information on AWS security can be found here.

Access Control

We implement rigorous security protocols to safeguard sensitive information. We utilize a centralized password management system to enforce robust password practices across the entire team. This system ensures that all passwords meet stringent complexity requirements and are regularly updated.

We strictly adhere to the principle of least privilege, which means that team members are granted access only to the specific data and systems necessary for their roles. This minimizes the risk of unauthorized access and potential data breaches.

Multi-factor authentication (MFA) is mandatory for all staff members and contractors without exception. This additional layer of security significantly reduces the risk of unauthorized access, even if passwords are compromised.

Redundancy & Resilience

Our server-side architecture is designed for scale and redundancy with daily backups, load balancing, and cross-region replication. Through auto-scaling functionality, we’re able to add servers on demand to ensure the highest levels of uptime, response time and performance.

Logging & Monitoring

We conduct system and application logging of all interactions, including access to APIs, giving us the ability to quickly investigate issues and identify concerns. We have a comprehensive network monitoring program in place with alarms to notify key personnel in the event of an outage, attack or breach.

Client onboarding portal and data room for professional services and fast-growing startups.

© Portalstack 2024. All rights reserved.