All capitalised terms used but not defined in this Data Security Addendum (DSA) will have the meaning given to them in the Subscription Agreement (of which this DSA forms part).
1.1 Security Program
For the duration of the Subscription Period, We will ensure there is a written information security program of policies, procedures and controls in compliance with the ISO27001 standard, governing the processing, storage, transmission and security of Your Data (the Security Program). The Security Program includes industry-standard practices designed to protect Your Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. We may update the Security Program to address new and evolving security technologies, changes to industry standard practices, and changing security threats, provided that no such update will materially reduce Our overall level of security commitments or protections described in this Policy.
1.2 Security Organisation.
We have appointed a Chief Technology Officer, who is designated as responsible for coordinating, managing, and monitoring the information security function, policies, and procedures.
1.3 Governance.
This Policy is: (i) reviewed and approved by management, including after material changes; and (ii) published and communicated to personnel and contractors, including appropriate ramifications for non-compliance.
1.4 Risk Management.
We perform information security risk assessments as part of a risk governance program that is established with the objective to regularly test, assess and evaluate the effectiveness of the Security Program. Such assessments will be designed to recognise and assess the impact of risks and implement identified risk reduction or mitigation strategies to address new and evolving security technologies, changes to industry standard practices, and changing security threats.
2.1 Certifications and Attestations.
We commit to maintaining active, current and audited certification in accordance with the ISO27001 standard.
2.2 Audit.
Our Security Program Policy, certification compliance and other policies and processes relevant to data security are audited on an annual basis.
3.1 Physical Security Measures.
(a) Data Centre Facilities.
Our data centre facilities are cloud based primarily utilising Amazon Web Services in the Sydney, Australia region.
(b) Media.
We may maintain data on physical media for the purposes of backup or break-glass emergency conditions. Access to this physical media is restricted to Our select authorised personnel and is controlled, audited and logged. Where physical media is disposed of, this is done using a method by which all data is physically destroyed, rendered unrecoverable and disposed of securely.
3.2 Technical Security Measures.
(a) Access Administration.
We maintain secure access controls via defined Role-Based Access Controls (RBAC) that uphold the principle of least privilege. Our production systems are configured to require multi-factor authentication (MFA) and individually identifiable user accounts. Access to such systems and data is logged and audited, and includes automated notifications of the use of escalated privileges.
(b) Logging and Monitoring.
We maintain centralised logging and monitoring of system activity to support Our compliance and legal obligations, operational monitoring, troubleshooting, and forensic investigation. System logs and telemetry are limited to what is required for performance, reliability, and security purposes. Audit trails are maintained to support incident investigation and compliance obligations. All logging configuration is version controlled.
(c) Firewall System.
We employ network-level security controls including web application firewalls (WAF) and intrusion detection with active inspection and filtering of network requests. Network environments are isolated by environment (development, test, staging, production) to reduce risk of unauthorised access or lateral movement. All firewall and network security configuration is version controlled.
(d) Vulnerability Management.
We are certified with ISO27001 and align with OWASP standards for secure coding and vulnerability management. Security risks We identify are addressed through secure development practices, ongoing monitoring, and remediation processes appropriate to the nature of the identified risk.
(e) Antivirus.
We employ endpoint protection software on devices used by Our employees. Our cloud-based systems utilise security controls provided by Our cloud service provider, together with versioned, audited and secure system configuration and restricted access controls, designed to protect systems from malicious code.
(f) Change control.
Changes to Our production systems are managed through controlled deployment processes aligned with secure and quality-controlled software development practices. All changes to systems are tested, logged, audited and include rollback procedures to ensure system integrity and availability.
(g) Configuration management.
System configurations are managed to ensure separation between environments and consistent application of security controls across infrastructure and services. Configuration settings support access restriction, encryption, and monitoring requirements. All configuration changes are versioned and managed under Our change control processes.
(h) Data encryption in transit and at rest.
All Your Data that is stored by Us is encrypted in transit using TLS 1.2 or higher, and encrypted at rest using AES-256 encryption within AWS storage services.
(i) Secure software development and review.
We follow secure software development practices certified to ISO27001 and aligned with OWASP standards. Sensitive fields are validated and encrypted, and privacy-by-design principles such as separation of identities and data minimisation are applied throughout the development lifecycle. All changes to configuration and code are versioned, auditable and follow Our change control processes.
3.3 Organisational Security Measures.
(a) Personnel security.
Access to Our systems, data (including Your Data that is stored by Us), and physical backup media is restricted to Our authorised personnel based on role and need-to-know principles. Exceptional “break-glass” access is limited, logged, approved by Our senior leadership, and auditable. Our personnel are required to review and confirm knowledge of Our security processes and procedures, and to take an active role in risk management and in ensuring such processes are fit for purpose.
(b) Security awareness and training.
We maintain defined incident processes, escalation protocols and regular security awareness training aimed at ensuring Our staff can identify, report, and respond to security and privacy incidents in a timely and consistent manner.
(c) Software and asset inventory.
Our software, assets, their location, primary user and use cases are tracked via a secure inventory system.
(d) Workstation security.
All Our employee workstations are centrally managed, including security compliance configuration and automated software updates. Admin access is limited to those of Our employees who require it to perform their role.
(a) Data location.
All Your Data that is stored by Us is hosted in Amazon Web Services data centres located in the Sydney, Australia region. Disaster recovery backups are maintained within Australia.
(b) Data backup.
We maintain secure, offline backups on a regular rotation. Backup data is accessible only to Our authorised personnel for recovery purposes. Access to backups is logged and audited.
(c) Disaster recovery.
Additional secure copies of production data are maintained to support disaster recovery scenarios. Recovery processes are designed to restore systems and services securely following an incident. We leverage cloud-based solutions for clustering and maintaining services across three availability zones in Australia.
(d) Business continuity.
We maintain business continuity procedures that are regularly tested and supported through environment isolation, redundancy across availability zones, backup rotation, and incident response processes designed to minimise service disruption.
(a) Incident monitoring and management.
We maintain proactive monitoring and a defined incident process comprising identification, containment, recovery, notification, and evaluation. Incidents are investigated and corrective actions implemented to prevent recurrence.
(b) Breach notification and management.
We maintain procedures and processes that outline Our response requirements to security breaches of Our systems. Relevant customers are notified as soon as possible if their data or privacy is impacted by an incident, with prompt notification to relevant government bodies (as required to meet Our legal obligations). Communications include relevant facts, scope, and guidance required to respond.
(a) AskYourTeam Software capabilities.
You are responsible for ensuring Your environment and devices are secure and up to date. The AskYourTeam Software provides the capability to customise user access methods, user management, password security, role assignments, and data access permissions. You are responsible for ensuring that Your Data submitted to the AskYourTeam Software complies with applicable laws.
(b) Security contact.
You agree to identify and maintain appropriate security contact(s) for all information security incident and information security-related communications within Our Support Portal.
(c) Limitations.
Notwithstanding anything to the contrary in this DSA or other parts of the Agreement, Our obligations herein are only applicable to the Subscription. This DSA does not apply to (i) information or data shared with Us that is not Your Data; and (ii) any data processed by You or Your Authorised Users in violation of the Agreement or this DSA.
(a) Upon termination or expiry of the Agreement, We will retain Your Data for a period of thirty (30) days (Retention Period) to allow You to export or download Your Data. During the Retention Period, We will make commercially reasonable efforts to provide You with continued access to the AskYourTeam Software, so that You can export or download Your Data for this purpose only.
(b) At the end of the Retention Period, We will permanently delete or overwrite Your Data from Our systems and backups in accordance with Our standard data destruction processes, and Your Data will no longer be available to You. We will have no obligation to retain, recover, or restore any of Your Data following deletion.