Security and your data

Your trust is important: our security is constantly maintained, enhanced, and verified

Data encryption

Data “in transit” between your web browser and the TIQK cloud platform

The connection between your browser and TIQK is always encrypted with Transport Layer Security (TLS), the industry-standard successor to Secure Sockets Layer (SSL). All information that passes between you and TIQK can be read only by your browser and our servers.

We use TLS version 1.2, which is designed to protect against eavesdropping, tampering, and message forgery.

When using our website you can verify this by clicking the padlock icon next to the website address in your web browser.

You can view an up-to-date and independent report of TIQK's TLS configuration by testing our website address at the third-party service SSL Labs (https://www.ssllabs.com/ssltest/).

Data transmission between component parts of our cloud platform

All transmission of data within our cloud platform - e.g. between databases and other parts of our system - is fully encrypted.

Data "at rest"

All files (and all system-generated representations of those files) uploaded by clients are fully encrypted when physically stored on our platform.


Passwords & Two Factor Authentication

We enforce strong passwords: a minimum length and a mix of upper- and lower-case letters, digits, and symbols.

Your password is never stored as clear text in our systems. We store only a one-way cryptographic hash of the password, which cannot be converted back into your actual password; at login, the hash of the password you enter is compared with the stored hash.

We support Two Factor Authentication (2FA) on a per-user basis. Users can opt in to one-time codes generated by a standard authenticator app (or received via SMS) as a second factor at TIQK login. Where possible, prefer an authenticator app: codes delivered by SMS can be intercepted through SIM-swap and carrier-level attacks, and NIST SP 800-63B classes SMS as a restricted authenticator.
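As an added illustration of the two mechanisms just described (example code, not TIQK's implementation), the following Python shows salted one-way password hashing with constant-time verification, and RFC 6238 TOTP code generation and checking with clock-drift tolerance and replay rejection. The algorithm parameters (PBKDF2-HMAC-SHA256, 600,000 iterations, 6-digit codes, 30-second step) and the RFC 6238 test secret are assumptions and constructed inputs, not TIQK's configuration.

```python
# Added example, not TIQK's code: how a login service can store passwords as a
# salted one-way hash and verify an authenticator-app (TOTP, RFC 6238) code.
# Algorithm choices (PBKDF2-HMAC-SHA256, 600,000 iterations, 6-digit TOTP with
# a 30-second step) are illustrative assumptions, not TIQK's configuration.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumption: a current OWASP-recommended cost for PBKDF2-SHA256


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (salt and hash in hex).

    A fresh random salt per user means two users with the same password get
    different records, and precomputed (rainbow) tables are useless.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    algorithm, iterations, salt_hex, dk_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (default: now)."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret_b32, now // step, digits)


def verify_totp(secret_b32: str, code: str, at: int, last_counter: Optional[int] = None,
                window: int = 1, step: int = 30) -> Optional[int]:
    """Return the accepted time-step counter, or None if the code is rejected.

    Accepts codes from the current step plus `window` steps either side to
    tolerate clock drift, and refuses any step at or before `last_counter` so a
    code that has already been used cannot be replayed. The caller persists the
    returned counter as the user's new `last_counter`.
    """
    if not code.isdigit():
        return None
    current = int(at) // step
    for candidate in range(current - window, current + window + 1):
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, candidate), code):
            return candidate
    return None


# Constructed demo input: the RFC 6238 test secret "12345678901234567890" in base32.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                 # False
    print(totp(RFC6238_SECRET_B32, at=59))                           # 287082 (RFC 6238 vector, 6 digits)
```

The stored record carries its own algorithm name and iteration count, so the work factor can be raised later and old records re-hashed at next login without a flag day; `verify_totp` returns the accepted counter precisely so the service can store it and reject a second use of the same code.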


Our cloud infrastructure providers

TIQK's platform and services operate on the industry-leading cloud platform providers Amazon Web Services (AWS) and Microsoft Azure.

AWS certification and compliance information can be found at aws.amazon.com/compliance; Azure compliance information can be found at https://www.microsoft.com/en-us/TrustCenter/Compliance/


Your data

Data residency for your files

All client documents and account information related to the primary function of the TIQK platform ("platform data") that are uploaded to and processed on the TIQK platform remain resident in the AWS Asia Pacific (Sydney) Region (ap-southeast-2) and the Azure Australia Southeast or Australia East Regions at all times.

This includes all platform data backups (see Data backups, below).

Other “non-platform” data residency

Other non-platform data related to client accounts may be stored and processed by our third-party service providers inside and outside of Australia. These include:

  • Credit card payment processing: Stripe (Americas, Australia)

  • Direct Debit payment processing: GoCardless (Australia, UK)

  • Anonymised website visitor analytics: Google Analytics (Americas)

  • Email mailing list management, if you opt-in: SendGrid (Americas)

  • General email communication and any non-platform data document sharing with TIQK; client implementation project management: Microsoft Office365 (Australia data residency for email and client related file storage)

Intellectual property ownership

You retain ownership of any information that you upload to our servers when using the TIQK service. See our Terms & Conditions for more information.

Data sharing and privacy

Uploaded client documents and review results are not shared by TIQK with any third party without your express permission.

Account data such as information related to subscription, billing, email addresses for opt-in mailing list membership, and project / implementation related data, may be shared with and stored on third-party platforms in order to provide the service - see "Non-platform data residency" above.

Our Privacy Policy tells you what kinds of personal information we may gather or hold about you, how we may use that information, whether we disclose it to anyone, the choices you have regarding our use of that information, your ability to access or correct that information and how you may complain should you believe we have breached our privacy obligations.

Backups

TIQK platform data is backed up multiple times daily, as well as weekly and monthly.

All files uploaded by clients are regularly backed up on redundant, isolated infrastructure in the AWS Asia Pacific - Sydney Region (ap-southeast-2). TIQK's backup infrastructure operates under the same security controls as TIQK's primary cloud infrastructure.

TIQK backups are primarily designed to support disaster recovery / business continuity operations. This means that clients should not rely on TIQK backups to (for example) restore files that they have accidentally deleted from their TIQK account.

This is because files deleted by clients are automatically deleted from TIQK's backup infrastructure after a period of time.

However, TIQK may be able to assist with file restores for a limited period of time after an accidental deletion - contact the TIQK Customer Success team for more information.

Retention on termination

If a client ends their agreement with TIQK and terminates their TIQK service, the client's platform data is immediately removed from TIQK's live systems. TIQK may retain backups of that platform data for a maximum of seven (7) days. After that backup period has passed, the client's platform data is automatically deleted and is no longer accessible to the client, to TIQK systems, or on backup media.

In some circumstances, TIQK may offer clients with specific data retention policies an alternative data retention on termination period. Contact the TIQK Customer Success team for more information.

Access for regulatory authorities and law enforcement

To the extent that we are bound by law to provide such information, TIQK will comply with these requests.


Data breach / security incident policy

TIQK has a duty of care. If a data breach occurs, we must notify affected clients immediately.

TIQK has implemented an ITIL-defined Data Breach Response policy that clearly defines a breach; staff roles and responsibilities; standards and metrics (including prioritisation); and reporting, remediation, and feedback mechanisms.


Activity auditing

The TIQK platform performs comprehensive activity auditing/logging for:

  • Account creation, verification, updates, and deletions

  • Logins

  • Team and User management

  • Document uploads and deletions

  • Document audits, audit results, and audit result deletions

  • Subscription management


Subscription, billing, and credit card security

Credit card processing for TIQK subscriptions is managed by Stripe (stripe.com), a globally-recognised leader in online and mobile payment services.

Direct Debit processing for TIQK subscriptions is managed by GoCardless (https://gocardless.com/en-au/).


Secure engineering

TIQK has implemented multiple secure engineering practices including:

  • Adoption of OWASP Application Security policies and of relevant ITIL v3 policies and procedures, including Access Management, Information Security Management, Physical Access Control, Acceptable Encryption, Clean Desk, Password Construction and Usage, Remote Access, and Web Application Security

  • Developer access to source code limited and protected by multiple security layers

  • Automated checks for known security vulnerabilities in third-party components

  • Controls to prevent common malicious-input techniques

  • Physically segregated lifecycle environments (Development, Test, Production, etc.) protected by VPN access controls

  • All default passwords on vendor-supplied services changed and rotated

  • A formal architecture review process before any application or system is built or modified


Security Controls

TIQK employs multiple layers of security controls and processes based on the globally recognised Information Technology Infrastructure Library (ITIL) policies to protect our client data and infrastructure.

These include, but are not limited to:

  • Local and Network Firewalls

  • Web Application Firewalls

  • Intrusion Detection & Prevention Systems

  • Multi-layer Anti-Virus, Anti-Spyware, Anti-Phishing, and Anti-Malware protection on all company devices, cloud infrastructure, and messaging services

  • DDoS Risk Reduction Services

  • Network Access Control Lists

  • Security Patch Management

  • Identity and Access Management

  • Secure Key Management

  • Centralised Log Management, Reporting, and Analysis

  • Symmetric and Asymmetric Encryption systems

  • Strong password creation and management policies, including mandatory periodic password renewals

  • Two Factor Authentication for all employees

  • The use of globally-recognised password "vault" services that provide controlled and highly-secure access to critical security information such as passwords, keys, tokens and more to only those employees that require them

  • Data Loss Prevention

  • Regular Vulnerability Assessments

  • Anomaly Detection

  • Remote Monitoring & Alerting

  • VPN-only access to operational systems

  • Clean Desk Policy for all employees

  • Physical Access Control to offices and equipment

Security audits

TIQK has commissioned an independent system and web security specialist company to perform the following services:

  • Security architecture review

  • Web services penetration testing

  • Web application and external infrastructure penetration testing

At its sole discretion, TIQK may share the results of these audits and any subsequent actions taken in response to recommendations arising from them.

TIQK's operational strategy includes ongoing periodic internal and external security audits.

Employee Training and Vetting

Information security and data privacy requirements are documented and communicated to all employees who have the responsibility for platform and data design, implementation, and management.

All employees and contractors who have access to TIQK infrastructure and data must go through an extensive vetting process operated by a qualified third-party organisation, which may include police background checks.

All employees and contractors are required to take relevant privacy training during onboarding, on demand, and when joining a team that has direct access to client data.

All employees and contractors sign non-disclosure terms that include client information.

Risk Assessments

TIQK has implemented a formal, company-wide, Board-sponsored Risk Management Framework. TIQK's Risk Management Committee maintains the Risk Register (including technical and data risks) and reports on risk avoidance and mitigation actions periodically to the Board.


System Monitoring

The TIQK platform is monitored 24 hours a day, 7 days a week, 365 days a year. Clients can view availability reports, maintenance information, and performance statistics at any time on the System Status site.