Last updated: 20 March 2024
This Security Statement is aimed at being transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected.
As part of our information security strategy Kwela Solutions is certified under ISO/IEC 27001:2022.
ISO/IEC 27001:2022 is a security management standard that specifies security management best practices and comprehensive security controls. The basis of this certification is the development and implementation of a rigorous security program, which includes the implementation of an Information Security Management System (ISMS) which defines how Kwela manages information security.
We use Amazon Web Services EC2 and S3 Simple Storage Service hosted on AWS infrastructure in Australia. AWS has several security related certifications, third party attestations and reports that relate to their service in Australia. These include:
Amazon Web Services publishes a Service Organization Controls 1 (SOC 1), Type II report. The audit for this report is conducted in accordance with AICPA: AT 801 (formerly SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).
This audit is the replacement of the Statement on Auditing Standards No. 70 (SAS 70) Type II report. The SOC 1 report audit attests that the AWS control objectives are appropriately designed and that the controls safeguarding customer data are operating effectively.
In addition to the SOC 1 report, AWS publishes a Service Organization Controls 2 (SOC 2), Type II report. Similar to the SOC 1 in the evaluation of controls, the SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations such as AWS. The AWS SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security principle set forth in the AICPA’s Trust Services Principles criteria. This report provides additional transparency into AWS security based on a defined industry standard and further demonstrates AWS’ commitment to protecting customer data.
SOC 3 report is a publically available summary of the AWS SOC 2 report and provides the AICPA SysTrust Security Seal.
AWS is ISO 27001 certified under the International Organization for Standardization (ISO) 27001 standard. ISO 27001 is a widely adopted global security standard that outlines the requirements for information security management systems. It provides a systematic approach to managing company and customer information that’s based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information.
An independent assessor from the Information Security Registered Assessors Program (IRAP) audited Amazon Web Services. The assessment examined the security controls of Amazon’s people, process and technology to ensure that they met the needs of the Australian Signals Directorate (ASD)Information Security Manual (ISM).
This gives Australian government organizations increased confidence when utilizing AWS to take advantage of the benefits of cloud computing, and builds on AWS’s existing Compliance reports, such as SOC1, SOC2, and ISO27001.
All client data is mirrored in real time between a Primary-standby database and backups are archived on a daily basis to Amazon S3 Simple Storage, daily backups are retained for 35 days.
In the event of a disaster, processes are in place that automatically rebuild our server infrastructure and redeploy client instances. Disaster Recovery processes are regularly tested.
Despite our best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if Kwela Solutions learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our legal and regulatory obligations. Notification procedures include providing email notices if a breach occurs.
Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems, to keep any data you download to your own computer systems secure.
For More Information
Contact Kwela Solutions on (02) 8283 2190 or via email on info@kwelasolutions.com