Data “in transit” between your web browser and the TIQK cloud platform
The connection between you and TIQK is always encrypted with industry-standard Secure Sockets Layer (SSL) technology. All information that goes between you and TIQK can only be read by your computer and our servers.
We also employ Transport Layer Security (TLS) version 1.2. This is designed to protect against eavesdropping, tampering, and message forgery.
When using our website you can verify this by clicking the padlock icon next to the website address in your web browser.
You can view an up-to-date and independent report of TIQK's SSL implementation by testing our website address at the third-party service: SSLLabs.com
Data transmission between component parts of our cloud platform
All transmission of data within our cloud platform - e.g. between databases and other parts of our system - is fully encrypted.
Data "at rest"
All files (and all system-generated representations of those files) uploaded by clients are fully encrypted when physically stored on our platform.
Passwords & Two Factor Authentication
We enforce strong passwords (mix of alphanumeric and cases, symbols, minimum password length).
Your password is not stored as clear-text in our systems. We store a hash of the password which cannot be converted back into your actual password.
We support Two Factor Authentication (2FA) on a per-user basis. Users can opt in to use one-time-use codes generated by a standard Code Generator App (or received via SMS) as a second level of protection on TIQK login.
Non-platform data residency
Email mailing list management, if you opt-in: SendGrid (Americas)
General email communication and any non-platform data document sharing with TIQK; client implementation project management: Microsoft Office365 (Australia data residency for email and client related file storage)
Intellectual property ownership
You retain ownership of any information that you upload to our servers when using the TIQK service. See our Terms & Conditions for more information.
Data sharing and privacy
Uploaded client documents and review results are not shared by TIQK with any third party without your express permission.
Account data such as information related to subscription, billing, email addresses for opt-in mailing list membership, and project / implementation related data, may be shared with and stored on third-party platforms in order to provide the service - see "Non-platform data residency" above.
TIQK platform data is backed up multiple times daily, weekly and monthly.
All files uploaded by clients are regularly backed up on redundant, isolated infrastructure in the AWS Asia Pacific - Sydney Region (ap-southeast-2). TIQK's backup infrastructure operates under the same security controls as TIQK's primary cloud infrastructure.
TIQK backups are primarily designed to support disaster recovery / business continuity operations. This means that clients should not rely on TIQK backups to (for example) restore files that they have accidentally deleted from their TIQK account.
This is because files deleted by clients are automatically deleted from TIQK's backup infrastructure after a period of time.
If a client ends their agreement with TIQK and terminates their TIQK service, the client's platform data is immediately removed from TIQK's live systems. TIQK may retain up to a maximum of seven (7) days of backups of platform data. After the backup period of time has passed, the client's platform data is automatically deleted and is no longer accessible to the client, TIQK systems, or on backup media.
In some circumstances, TIQK may offer clients with specific data retention policies an alternative data retention on termination period. Contact the TIQK Customer Success team for more information.
Access for regulatory authorities and law enforcement
To the extent that we are bound by law to provide such information TIQK will comply with these requests.
Data breach / security incident policy
TIQK has a duty of care. If a data breach occurs, we must notify affected clients immediately.
TIQK has implemented an ITIL-defined Data Breach Response policy that clearly defines a breach; staff roles and responsibilities; standards and metrics (including prioritisation); and reporting, remediation, and feedback mechanisms.
The TIQK platform performs comprehensive activity auditing/logging for:
Account creation, verification, updates, and deletions
Team and User management
Document uploads and deletions
Document audits, audit results, and audit result deletions
Subscription, billing, and credit card security
Credit card processing for TIQK subscriptions is managed by Stripe (stripe.com), a globally-recognised leader in online and mobile payment services.
Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1, the most stringent level of certification available in the payments industry.
TIQK has implemented multiple secure engineering practices including:
Adopted OWASP Application Security policies and instituted relevant ITIL v3 policies and procedures including Access Management, Information Security Management, Physical Access Control, Acceptable Encryption, Clean Desk, Password construction and usage, Remote Access, and Web Application Security
Developer access to source code is limited and protected with multiple security layers
Conducts automated checks for known security vulnerabilities in third-party components
Controls in place to prevent common malicious input techniques
Multi-layer Anti-Virus, Anti-Spyware, Anti-Phishing, and Anti-Malware protection on all company devices, cloud infrastructure, and messaging services
DDoS Risk Reduction Services
Network Access Control Lists
Security Patch Management
Identity and Access Management
Secure Key Management
Centralised Log Management, Reporting, and Analysis
Symmetric and Asymmetric Encryption systems
Strong password creation and management policies, including mandatory periodic password renewals
Two Factor Authentication for all employees
The use of globally-recognised password "vault" services that provide controlled and highly-secure access to critical security information such as passwords, keys, tokens and more to only those employees that require them
Data Loss Prevention
Regular Vulnerability Assessments
Remote Monitoring & Alerting
VPN-only access to operational systems
Clean Desk Policy for all employees
Physical Access Control to offices and equipment
TIQK has commissioned an independent system and web security specialist company to perform the following services:
Security architecture review
Web services penetration testing
Web application and external infrastructure penetration testing
At our sole discretion TIQK is able to share the results of these audits, and any subsequent actions taken as a result of any recommendations arising from these audits.
TIQK operational strategy includes ongoing periodic internal and external security audits.
Employee Training and Vetting
Information security and data privacy requirements are documented and communicated to all employees who have the responsibility for platform and data design, implementation, and management.
All employees and contractors who have access to TIQK infrastructure and data must go through an extensive vetting process operated by a qualified third-party organisation, which may include police background checks.
All employees and contractors are required to take relevant privacy training during onboarding; on-demand; and when joining a team that has direct access to client data.
All employees and contractors sign non-disclosure terms that include client information.
TIQK has implemented a formal, company-wide, Board-sponsored Risk Management Framework. TIQK's Risk Management Committee manages the Risk Register (including technical and data risks) and reports avoidance and mitigation actions periodically to the Board.
The TIQK platform is monitored 24 hours a day, 7 days a week, 365 days a year. Clients can view availability reports, maintenance information, and performance statistics at any time on the System Status site.