Our Cybersecurity
Information Engine™: Secure and Reliable
At D2K Information, we take security very seriously. We have developed a comprehensive set of practices and technologies to help ensure the reliability, security and protection of our systems and your data and all our products within Information Engine™.
Our security protocols
Our information security policies and practices are based on ISO27001, the Australian Government Information Security Manual, the New Zealand Information Security Manual (NZISM), and ACSC cyber security principles and guidelines including the Essential Eight Model.
To meet Australian and NZ privacy legislation all data is stored in Australia and we adhere to the Australian Privacy Principles (APPs) and Privacy Act 1988 (Privacy Act) and the New Zealand Information Privacy Principles (IPPs).
1. You own your data
Your organisation owns the form response data and file upload data. D2K Information accesses data only at your request and/or with your permission. To protect your data from unauthorised access, we have implemented suspicious activity alerts.
You can download your information or request deletion of your information from our system at any time.
2. Password and authentication
All our Information Engine™ products enforce strong passwords, with user lockout after several failed log in attempts.
Enterprises are encouraged to have Information Engine™ products integrated with their corporate identity provider (e.g. AzureAD), and control password and 2FA policies at their end.
3. Physical security
All Information Engine™ products run in a containerised environment hosted on Amazon Web Services (AWS). We made a strategic choice to use the world’s leading cloud IT infrastructure provider that provides a high performing, robust and secure infrastructure set to meet the needs of our users. We also follow the advice from New Zealand’s National Cyber Security Centre on Securing Amazon’s Web Services.
AWS manages the provision and management of servers and ensures application isolation by design.
All the servers and software that run D2K infrastructure, are monitored, patched, secured and restricted by AWS itself. The service provided by AWS meets the standards for PCI DSS Level 1, ISO 9001, ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, and SOC 3.
Information Engine™ code and dependencies are scanned for vulnerabilities as part of our continuous integration and deployment pipeline.
Built containers are scanned for vulnerabilities by AWS
4. Network security
Our network security helps protect your data against the most sophisticated electronic attacks. Network security practices include Firewalls and other boundary devices, TLS encrypted communication, intrusion detection/prevention systems, control and audit and virus scanning.
Data in transit is protected by TLS 1.2+ to provide end-to-end communication security.
5. Application security
Web Application Firewalls are in place to monitor and control web traffic at the application level. We employ only best practice coding and have constructed our products so that every account is isolated. We have safeguards in place to detect common attacks such as SQL injection, cross-site scripting, cross site request forgery and more.
We engage third parties to perform regular audits and penetration testing against our applications. These are run on an annual basis with frequency increased if there are significant changes.
6. Redundancy and business continuity
We have designed our systems and infrastructure with high availability and redundancy in mind. This includes backup, mitigation and handling in case of server failure, power failure, fire or other disaster.
Information Engine™ has a business continuity and disaster recovery plan that allows customers to continue to run our products in the unlikely event of an outage.
7. Data backup and replication
Daily snapshots are taken of our application database cluster. These daily backups are stored for at least 30 days.
Data backups are also encrypted using AES-256.
8. Security monitoring and testing
Our application is configured for appropriate logging of activities to enable detection of security incidents. These incidents are reviewed and identified anomalies are investigated for a possible compromise. All logged activities are sent to a centralised logging infrastructure for audit purposes.
Internal Vulnerability Scans are run constantly.
Penetration testing for our products, network, and segmentation are run on at least an annual basis by a third-party security consultant.
D2K Information has the flexibility to run security testing more frequently if required, e.g. as a result of significant changes.
9. Employee access
Access to IT assets is granted to D2K Information employees on the ‘Need to Know’ and ‘Least Privilege’ principles.
We will only access your data at your request. To protect your data from unauthorised access, we have logs with alerts set to notify us of suspicious activity.
Background checks are conducted for all personnel engaged in delivering service to customers. These include thorough police checks as well as specialised background checks where relevant.
10. Incident response and data breach response
D2K Information has documented Incident Response and Data Breach Response Plans which outline the processes to respond to security events and incidents, including breaches of personal or protected data.
11. Risk management
Our organisation addresses cyber security risks in our risk management processes to identify critical assets, threats, and vulnerabilities.
D2K Information performs risk-based due diligence on new and existing vendors to determine if the vendor is using appropriate technical controls and organisation measures to protect data.
12. Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
As part of our High Availability setup, we use multi availability zone data replication to provide additional resilience and support low RPO and RTO requirements.
13. Testing
We use a rigorous set of testing processes and tools to mitigate potential issues that can be introduced by human error or changes in external factors that are out of our control. These include functional testing, usability testing, compatibility testing, performance testing and security testing.
14. Privacy Policy
We respect your personal information and are committed to protecting it when providing products and services to you.
Our privacy policy has been developed in line with the Australian Privacy Principles, Privacy Act, the New Zealand Information Privacy Principles, EU’s General Data Protection Regulations (GDPR), and the U.S. Privacy Shield.
15. Compliance
D2K uses a third-party company for security auditing and compliance. This ensures D2K follows all current and future protocols to stay secure. We test and evaluate our security policies and practices regularly.
Document History
| Item | Information | |
| Document | Information Engine™ Security Summary Sheet | |
| Version | RevF | |
|
Authors |
Angel Abad Cerdeira | Systems Architect |
| James Lucas | Senior Developer | |
| Date | 26 September 2023 | |
| Reviewed by | Phil Krasnostein | Director |
| Approved by | Matt McGuire | CEO |
