Security Policy

1. Compliance and Assurance

AFFIXCON has developed and managed its Customer Intelligence such that it conforms to the specific requirements of Privacy and country specific Laws in the supply of our services to our customers. We ensure the security and confidentiality of the Source Data that is supplied under our agreements from our customers for the verification of their individuals.

2. Process

We have designed, developed, and implemented comprehensive information security controls in our Information Security Management System (ISMS) to establish, monitor and continually improve our safeguards for the confidentiality, integrity and availability of all physical and electronic information assets.

3. Personally Identifiable Information (PII) Protection

AFFIXCON is highly concerned about any personally identifiable information passing through its systems. AFFIXCON ensures there is no unwarranted disclosure or outright breach of PII. Enshrined PII protection is achieved via hashing all PII provided by clients ensuring that the information cannot be reidentified in any way/shape/form. The PII is hashed in accordance with our data classification policy and levels, wherein different hashing compositions have been developed for individual PII fields based on their classification level. AFFIXCON complies with the Australian Privacy Act (1988) in the management of personal information. We ensure that all companies sign the suitable contracts for access to the data. These contracts will highlight the penalties of any misuse by the company and that it’s the responsibility of the company to ensure that their internal process implements the terms and use of the data.

4. Data Centres

AFFIXCON utilises firewalls and encryption, which are used to protect all data and our applications. Databases have built-in security that prevents unauthorised access from malicious actors. All transactions are user and IP Address logged. Our data is securely stored in unconnected and independent Tier 3 physical data centres within Australia, with no single point of failure and with a fully scalable world-class infrastructure. We back up our databases multiple times a day. There is failover capability between multiple servers within each data centre, as well as automated failover processes between data centres should an entire data centre go offline.

We have processes in place to monitor and test the failover sites frequently to ensure the capacity for redundancy remains in place. There are frequent synchronisation activities in place to ensure configuration and account management is identical between all servers, thereby eliminating downtime in instances where traffic is re-routed between the servers and data centres. For more information on how AFFIXCON is managing data centre security or for data centre technical specifications, please contact your account representative or contact us via info@affixcon.com.

5. Employee Due Diligence & Code of Conduct

AFFIXCON conducts background verification checks on all candidates for employment in accordance with relevant laws, regulations, ethics, business requirements, the classification of the information to be accessed and the perceived risks. At AFFIXCON, the contractual agreements with employees and contractors include the employee’s and the organisation’s responsibilities for information security and are updated as required. All employees of the organisation and, where relevant, contractors receive appropriate security awareness education and training and regular updates in organisational policies and procedures, as relevant for their job function.

At AFFIXCON, all our staff value consumers’ privacy and regularly receive industry updates as well as refreshers on our information security, physical security, and privacy policies. All staff adhere to our Anti-Bribery and Corruption Policy and Primary Data Source Identity Verification. Access to all IT resources is limited as per the role and rights assigned to the employees. Access to sensitive data is limited to the role that requires access to perform its duty. Access rights are assigned or revoked at any time upon approval from AFFIXCON’s ISMS Manager.

6. System Access Control

Access to AFFIXCON’s services is granted through the individual allocation of user rights, and requires authentication by username and password. AFFIXCON password management practices include assurance of password construct minimum criteria (i.e. > 12 alpha-numeric characters), storage of passwords only as hashed data, account blocking (by IP address) triggered after ten consecutive failed log in attempts, and logging of failed log in attempts. Blocked IP addresses can only be unblocked and have user access reinstated by AFFIXCON Support staff. Access to configuration management is only by AFFIXCON Support staff and is reinforced with multi-factor authentication processes. All changes (data source access, configurations etc.) to accounts are logged and monitored regularly.

7. Test Data Management

Test data and the testing environments are completely independent of the production environments. AFFIXCON’s testing environment is not a sandbox environment and has been developed and designed specifically for testing of AFFIXCON’s services; the test data is selected carefully, protected and controlled to mimic responses and results from the production environment.

8. Data destruction

All customers’ client data is disposed of when it is no longer necessary for business use.

All physical devices and media that are retired from the organisation’s use are securely removed, destroyed, and overwritten.

9. Risk Assessment

AFFIXCON undertakes an information security risk review throughout the organisation, taking account of the established criteria, at periods not exceeding 12 months, or when significant changes are proposed or occur. The review is undertaken under the direction of the ISMS Manager, and draws on both internal and, where required, external expertise. The ISMS Manager maintains records of the information security risk assessment process and its outcomes. Based on the outcomes, a corrective and preventive action plan is devised.

AFFIXCON’s risk assessment practices are continually reviewed internally to ensure best practice is maintained, and continuous improvement is achieved.

10. Vulnerability Assessment/Penetration Testing

Where penetration tests or vulnerability assessments are used at AFFIXCON, they are carefully planned, exercised with due caution, are designed to be repeatable and the approach and results are documented. Penetration and vulnerability testing is completed on a quarterly basis by industry recognised professionals, with any outcomes/recommendations actioned immediately.

11. Data & Service Integrity

AFFIXCON assures the integrity of all services and the data sources we access through a suite of automated weekly and monthly testing processes. This testing regime reports on expected and actual results with exceptions promptly investigated by AFFIXCON support staff. The aim of this testing is to ensure response structures and data formats remain consistent.

12. Data Life Cycle Management

At AFFIXCON, all stages of the information lifecycle are privacy aware. We ensure that data acquisition processes are adequate to capture all the data needed to perform the operation. Data is then stored and secured in an optimal manner to minimize storage requirements and allow it to be accessed in the fastest possible manner. Once the data is securely stored and is available to be accessed, it is then discovered and classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. The classification scheme has five levels: public, internal, client confidential, company confidential, and personal confidential. After data has been used and is no longer needed, it is destroyed in accordance with the GDPR data destruction principle. Please refer to Table – Data Life Cycle Management for a summary of Data Life Cycle Management.

| Stage | Protection Procedure |
|---|---|
| Collection/Transmission | Data is transferred via SOAP and/or RESTful web service calls via HTTPS. |
| Use | All sensitive data is hashed immediately so that it can never be reidentified. |
| Retention | We do not retain any kind of PII as per our information classification policy. |
| Destruction | Data is destroyed when no longer needed. |

Table – Data Life Cycle Management

1. Asset Management

AFFIXCON ensures that all assets associated with information, and information processing facilities, are identified and that appropriate protection plans are defined. Information receives an appropriate level of protection according to its importance and the acceptable use policy implemented by the asset owner. AFFIXCON prevents unauthorised disclosure, modification, removal or destruction of information stored on physical media.

2. Device Security

AFFIXCON’s server farms are protected by Next-Gen Firewall appliances with intrusion prevention systems (IPS) to identify and block threats in real time. In addition to this, AFFIXCON uses Cloudflare’s globally managed DNS service as a gateway to provide an additional layer of security as well as service continuity through load balancing and fail over services. All AFFIXCON devices are protected with Webroot AV software which continuously monitors and defends all devices against any threats. In addition, all sensitive information on AFFIXCON devices is fully encrypted.

3. System Security

The architecture of the application is n-tier. Client data is stored inside of a trust-zone, which is behind a DMZ (i.e. the product is supported by best practice application architecture). Access to the application is via username and password that has industry standard strength requirements. Our products have passed third-party PCI DSS compliance tests.

4. Network Security

Network security is managed and controlled to protect information in systems and applications. Security mechanisms, service levels and management requirements of all network services are identified and included in network services agreements, whether these services are provided in-house or outsourced. Groups of information services, users and information systems are clearly segregated on networks.

5. Physical Security And Environment Security

AFFIXCON stores data on site in a data centre for the duration of processing the transaction. The hardware is locked in the company’s racks. Security is applied to off-site assets such as laptop computers and GPS systems, considering the numerous additional risks arising from working outside of our sites. Employee security guards and 24-hour surveillance are arranged at office premises. Shared office space goes into lock down after 5:00 pm. During “out of office” hours, access is only through a registered fingerprint system. Appropriate physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster has been put in place.

6. Backup and Recovery

Backup copies of information, software and system images are taken and tested regularly in accordance with an agreed backup policy. All backup and restore procedures are documented, regularly reviewed, made available and operated by competent staff. IT users ensure that data is securely maintained and is available for backup. Data (file) restores are only undertaken by competent, authorised staff.

7. Information Security Incident Management

AFFIXCON ensures a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. When an information security event is reported, the ISMS Manager assesses the event to see if it should be classified as an incident and, where necessary, takes immediate remedial actions to alleviate the threat.

8. Logging & Monitoring

Event logs recording user activities, exceptions, faults and information security events are produced, stored and regularly reviewed. Logging facilities and log information are protected against tampering and unauthorized access. System administrator and system operator activities are logged, and the logs are protected and regularly reviewed. The clocks of all relevant information processing systems within an organization or security domain are synchronised to a single reference time source. All logs are hashed. For API and web users, AFFIXCON logs and monitors IP addresses for each server access. AFFIXCON captures IP ranges for clients at time of signup, and validates the IPs accessing AFFIXCON servers to ensure no unexpected traffic. These IP addresses/ranges are never accessed for a reason other than for support processes or traceability of incidents (if any).

9. Cross Border Transfer Of Information

AFFIXCON’s policies are designed to ensure that all information is secure both in internal databases and when our customers are accessing it. Access to systems is monitored electronically, providing an auditable record of who, what and when data was accessed. Where applicable and required by the business process, data does not leave the country of data source processing – and only the actual verification results are returned to AFFIXCON’s systems.

10. Business Continuity Management

AFFIXCON has in place a Business Continuity Management policy and associated processes. There is a Business Continuity Plan defined and documented which explicitly states the recovery procedures required to continue and restore core services and operations in the event of a disaster.

AFFIXCON undertakes regular, documented Disaster Recovery Testing and uses desktop assessments as well as real tasks (i.e. traffic switching between primary and backup servers) to test resilience to disruptions and effectiveness to restore operations.

Glossary

GDPR : Refers to the European Union’s “General Data Protection Regulation”.

ISMS : Refers to Information Security Management System.

PII : Refers to Personally Identifiable Information. That is, any information that can potentially identify an individual (including instances of inference, etc.).

Source Data : Refers to the personal information provided by clients to AFFIXCON.