Folio Security Statement

Last updated: 28 June 2019

We make it a priority to take our users’ security and privacy concerns seriously. We strive to ensure that user data is kept securely and that we collect only as much personal data as is required to provide our services to users in an efficient and effective manner.

This Security Statement is aimed at being transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected.

  • Folio is hosted in Australia on Amazon Web Services’ scalable, fault-tolerant infrastructure. Additional server resources are deployed as required to maintain the availability and responsiveness of the application.
  • Data is partitioned into per-client database schemas with strict database access policies.
  • Folio’s role-based security policy restricts the actions a user can perform according to the role assigned to their account.
  • User application passwords must meet minimum complexity requirements. Passwords are individually salted and hashed rather than stored in clear text.
  • TLS (SSL) encryption protects your sensitive data in transit.
  • Data, attachments and backups are encrypted at rest.
  • Attachments are scanned for viruses on upload; if any are detected, Kwela Solutions staff are alerted and will take appropriate action.
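The per-user salting and hashing mentioned in the password bullet above, as an added example in Python; this is not Folio’s or Kwela Solutions’ code, and the page does not state which algorithm, iteration count, stored-record format or complexity rule Folio uses. PBKDF2-HMAC-SHA256 with 600,000 iterations, the `scheme$iterations$salt$hash` record layout and the "12 characters, three of four character classes" rule are assumptions chosen for illustration. For contrast it also includes the unsalted single-hash form that per-user salting guards against.

```python
"""Per-user salted password hashing, with the unsalted form it replaces.

Added example (not Folio's code). The page does not say which algorithm,
iteration count, record format or complexity rule Folio uses; the values
below are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import re
from typing import Optional

# Assumed parameters: 16-byte random salt per user, PBKDF2-HMAC-SHA256,
# 600,000 iterations (the OWASP-recommended work factor for this PRF).
SALT_BYTES = 16
ITERATIONS = 600_000
SCHEME = "pbkdf2_sha256"


def unsalted_sha256(password: str) -> str:
    """The weak form: one fast hash, no salt. Two users with the same
    password get the same digest, and one precomputed table cracks all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_complexity(password: str, min_length: int = 12) -> bool:
    """Assumed minimum-complexity rule: at least min_length characters and
    at least three of the four classes lower/upper/digit/symbol."""
    if len(password) < min_length:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for pattern in classes if re.search(pattern, password)) >= 3


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with a fresh random salt (or the given one) and return an
    assumed self-describing record 'scheme$iterations$salt_hex$hash_hex',
    so the parameters can be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count from the stored record and
    compare in constant time, so timing does not leak how many bytes matched."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: treat as a failed login
    if scheme != SCHEME or rounds < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    pw = "Correct-Horse7Battery"  # constructed sample password
    assert check_complexity(pw)
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print("unsalted digests identical:", unsalted_sha256(pw) == unsalted_sha256(pw))
    print("salted records identical:  ", rec_a == rec_b)
    print("verify correct password:   ", verify_password(pw, rec_a))
    print("verify wrong password:     ", verify_password(pw + "!", rec_a))
```

Because `hash_password` draws a new salt on every call, two accounts that happen to share a password end up with different stored records, and an attacker who obtains the database has to attack each record separately at the full iteration cost; `verify_password` reads the salt and work factor back out of the record, so the iteration count can be raised for new passwords without invalidating existing ones.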

Amazon Web Services – Security Credentials

We use Amazon Web Services EC2 and S3 (Simple Storage Service), hosted on AWS infrastructure in Australia. AWS holds several security-related certifications, third-party attestations and reports that cover its service in Australia. These include:

SOC 1 / ISAE 3402

Amazon Web Services publishes a Service Organization Controls 1 (SOC 1), Type II report. The audit for this report is conducted in accordance with AICPA AT 801 (formerly SSAE 16) and International Standard on Assurance Engagements No. 3402 (ISAE 3402).

This audit replaces the Statement on Auditing Standards No. 70 (SAS 70) Type II report. The SOC 1 report attests that the AWS control objectives are appropriately designed and that the controls safeguarding customer data are operating effectively.

SOC 2 / SOC 3

In addition to the SOC 1 report, AWS publishes a Service Organization Controls 2 (SOC 2), Type II report. Similar to the SOC 1 in the evaluation of controls, the SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations such as AWS. The AWS SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security principle set forth in the AICPA’s Trust Services Principles criteria. This report provides additional transparency into AWS security based on a defined industry standard and further demonstrates AWS’ commitment to protecting customer data.

The SOC 3 report is a publicly available summary of the AWS SOC 2 report and carries the AICPA SysTrust Security Seal.

ISO 27001

AWS is certified under ISO/IEC 27001, a widely adopted global security standard published by the International Organization for Standardization (ISO) that sets out the requirements for an information security management system (ISMS). It provides a systematic approach to managing company and customer information based on periodic risk assessments. To achieve certification, a company must show that it has a systematic and ongoing approach to managing the information security risks affecting the confidentiality, integrity and availability of company and customer information.

IRAP (Australia Specific)

An independent assessor from the Information Security Registered Assessors Program (IRAP) assessed Amazon Web Services. The assessment examined the security controls of Amazon’s people, processes and technology to ensure that they meet the requirements of the Australian Signals Directorate (ASD) Information Security Manual (ISM).

This gives Australian government organizations increased confidence when using AWS to take advantage of the benefits of cloud computing, and builds on AWS’s existing compliance reports, such as SOC 1, SOC 2 and ISO 27001.

Backups and Disaster Recovery

All client data is replicated in real time between the primary (master) database and a replica (slave), and backups are archived daily to Amazon S3 (Simple Storage Service). Daily backups are retained for 35 days.

In the event of a disaster, automated processes rebuild our server infrastructure and redeploy client instances. Disaster recovery processes are tested regularly.

Network Security

  • Continuous uptime monitoring, with immediate escalation to Kwela Solutions staff for any downtime.
  • System functionality and design changes are verified in an isolated testing environment and subjected to functional and security testing before deployment to active production systems.
  • Server access requires public-key authentication, and servers are firewalled with IP address restrictions.
  • The latest security patches are applied to all operating system and application software to mitigate newly discovered vulnerabilities.
  • Central logging systems capture all internal system access, including failed authentication attempts.

Organizational and Administrative Security

  • We conduct background reference checks on all employees.
  • We bind service providers who deal with user data to appropriate confidentiality obligations.
  • Access to sensitive data in our databases, systems and environments is granted on a need-to-know, least-privilege basis.
  • We maintain and monitor audit logs on our services and systems.

Handling of Security Breaches

Despite our best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure, and we cannot guarantee absolute security. However, if Kwela Solutions learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our legal and regulatory obligations and include providing email notices if a breach occurs.

Your Responsibilities

Keeping your data secure also depends on you. Maintain the security of your account by using sufficiently strong passwords and storing them safely, and ensure that your own systems are adequately secured so that any data you download to them stays protected.

For More Information

Contact Kwela Solutions on (02) 8283 2190 or via email on info@kwelasolutions.com