SafetySuite understands, and has extensive experience in, the process of risk management, and we apply that knowledge to the security of your information.
SafetySuite Pty Ltd (SafetySuite) provides WH&S business processes to its customers, which by their very nature require the processing and storage of sensitive information. SafetySuite is committed to protecting the information of its customers and preventing unauthorised disclosure, use, modification, or access to such information stored within SafetySuite.
Our Security for your Security
We recognise the importance of appropriate information security policies and procedures to protect the security of customer data. This document summarises the controls embodied in the program, including some specific information concerning encryption, access control, and authentication.
SafetySuite protects customer information from loss, misuse, and unauthorised access, disclosure, alteration, or destruction by employing industry standard safeguards to implement the control objectives of our service.
SafetySuite operates in a manner specifically designed to maintain reasonable and appropriate administrative, physical, and technical safeguards to:
Provide assurances of the integrity and confidentiality of customer information,
Protect against any reasonably anticipated threats or hazards to the security or integrity of customer information, and unauthorised uses or disclosures of customer information,
Maintain compliance within the legal framework of requirements for the privacy and security of customer information.
Identity & Authentication
SafetySuite maintains reasonable and appropriate access control and authentication safeguards to control access to customer information by adhering to a robust authentication policy. Users are authenticated by either their organisation’s IdP (Identity Provider) or the authentication service provided in SafetySuite Cloud Service.
Our services have built-in integration with SAML Single Sign On (SSO) services, support Active Directory, Federated Access Controls and MFA (Multi Factor Authentication). The policy also includes mandating a minimum password strength for all user accounts.
SafetySuite Cloud incorporates role-based access control (RBAC) to manage application and data security, thereby providing organisations with the ability to control who gets access to what. SafetySuite Cloud users are assigned roles by their organisation such that they have access to relevant information within the system.
Furthermore, SafetySuite Cloud provides a mechanism to group roles into profiles and apply those profiles to users. This means the system has an extensive array of roles. RBAC combined with the principle of least privilege is the industry standard for protecting data and facilitating the management of user access provisioning (and deprovisioning) within an organisation.
SafetySuite uses Transport Layer Security (TLS) encryption (also known as HTTPS) for all transmitted data and has processes in place to support AES-256 symmetric key encryption. Our services are hosted by trusted data centres that are independently audited.
SafetySuite Cloud Services are hosted across multiple AWS Availability Zones (geographically separate Data Centres) and provide both high availability and scalability. The SafetySuite Cloud application utilises logically separate databases (RDS) to provide customer data segregation.
AWS provides multiple physically separated and isolated Availability Zones, which relate to low-latency, high-throughput, and highly redundant networking. Availability Zones are highly available, fault tolerant, and scalable.
The Availability Zones (AZs) are designed to be separate and protected from adverse events in other AZs. They are connected to each other in the same regions to provide high availability, and function as a first line of defence against service failure.
NB: As a data processor, SafetySuite cannot access customer data without the direct authorisation (providing access via the user access management tools within SafetySuite Cloud) from the customer.
Our systems undergo application penetration tests twice a year by an independent third party, and any feedback or issues from those audits are quickly adopted into the environment. All services have quick failover points and redundant hardware, with backups performed daily to alternate locations. OWASP (Open Web Application Security Project) guidelines and security-specific testing are used in the development life cycle.
SafetySuite utilises an array of network security tools to protect the systems within the Cloud Service. SafetySuite’s most important concern is the protection and reliability of customer data. Our solution is protected at each layer of the service.
The management layer is secured via VPN access to the virtual private clouds and managed via SSO and integrated IAM (Identity and Access Management). The access layer is secured by WAF, load balancing and DDoS (Distributed Denial of Service) protection. The authentication layer supports customer Identity Provider integration and SafetySuite’s authentication service utilising standard protocols. And finally, the application layer incorporates role-based access control to give customers confidence that the right people, and only the right people, get to the information they need.
Access to our application systems is restricted to specific individuals who are required to administer the system, and customer data is not accessed by our team unless specifically required as part of a support process. Access to customer systems is monitored and audited for compliance. System access is coordinated via IAM systems between SafetySuite and the hosting environment. These systems are supported by MFA and integrated (SSO) into our company IdP (Identity Provider).
SafetySuite’s most important concern is the protection and reliability of customer data. the regularly to ensure that any vulnerabilities are quickly found and patched. The SafetySuite Cloud application is penetration tested and assessed by an external third party in accordance with the best practices recommended by OWASP (Top 10), SANS/CWE (Top 25) and custom tests. The identified vulnerabilities, along with additional recommendations for mitigation, are implemented within timeframes relative to their severity and impact.
Security Incident Management
SafetySuite has a responsibility to monitor the service for any security incidents, or indicators of them, that may breach the confidentiality, integrity or availability of the information systems containing customer data. Those incidents are reported via alerts and support communications channels into our Incident Management system. The process we follow ensures an organised approach to managing cyber incidents within SafetySuite and coordinating response and resolution efforts to prevent or limit damage that may be caused. We adhere to standards developed by the National Institute of Standards and Technology (NIST).
It specifies a framework that includes:
Anticipate security incidents and prepare for an appropriate and timely response
Contain, eradicate and recover from incidents
Include people, processes and technologies to deal adequately with any security incident
Have a tested and practised Incident Management Plan that identifies responsible people and processes
Ensure continuous improvement by regularly reviewing the Plan and any incidents to incorporate beneficial changes
Communicate security incidents to relevant parties in a timely manner
AWS (Amazon Web Services) is responsible for security of the Cloud, SafetySuite is responsible for security within the Cloud, and the customer protects their information within the SafetySuite Cloud Application. The management of access is a shared responsibility, whereas identity management is the responsibility of the customer, either using their own IdP (Identity Provider) or that provided within SafetySuite Cloud.
SafetySuite has designated a single individual to be the primary coordinator of, and accountable for, information security within the company. SafetySuite trains its employees and resellers/partners to understand and comply with the security processes in place to protect customer data. All employees undergo security background checks and undertake regular security awareness training.
Members of our workforce with access to customer information have trusted roles within the company. SafetySuite implements annual screening procedures to provide assurances that workers hired to conduct trusted roles are trustworthy and competent for the roles they perform.
SafetySuite regularly assesses threats to confidentiality, integrity, and availability of customer information; managing such risks by implementing safeguards that are reasonable and appropriate. All employees and contractors have a duty to report security incidents or weaknesses. We utilise SafetySuite Cloud to manage Information Security for our services and company.
SafetySuite maintains policies concerning the acceptable uses of computing devices and media used to collect, use, store, archive, and dispose of customer information. Upon termination of an employee, SafetySuite promptly removes all rights to access internal and customer systems.
Whilst we have endeavoured to give an overview of our approach to security, we would like to give you the chance to clarify any elements, provide us with feedback, or raise any concerns you may have. Please contact us by email at firstname.lastname@example.org