Security and Risk datasheet

Risk management

  • We perform regular risk assessments to identify potential threats and vulnerabilities that could negatively impact our services or client data

  • The results of our risk assessments are:

    • Prioritised based on possible impact

    • Assigned corrective actions, and monitored

    • Reported to Senior Management, who report to the CEO

    • Used to update our Risk Register

Security, legal, privacy and compliance

  • We document information security and data privacy requirements

  • To the extent that we are bound by law to provide such information, TIQK will comply with requests for customer data from regulatory authorities, courts, law enforcement authorities, and other third parties

  • TIQK is not subject to the EU General Data Protection Regulation (GDPR)

  • We periodically communicate these requirements to employees and contractors who have responsibility for the design, implementation, and maintenance of security and privacy controls

  • We have a documented procedure for a client to exit a service agreement with TIQK that includes deletion of client data from operational and backup/disaster recovery systems

  • We have a documented Privacy Policy:

    • Our employees and contractors must read and agree to it during onboarding, have access to it during the term of their employment / contract with TIQK, and are required to adhere to it.

    • It includes a documented process for managing individual requests to access, edit, or delete information

  • We have documented policies and practices for our employees and contractors covering:

    • Information security practices and standards

    • Meeting reasonable customer expectations regarding collection of personal information

    • Obtaining consent and providing opt-outs

    • Updating information promptly

    • Deleting information that is no longer required

    • Validating identities before disclosing personal information online or in calls.

  • TIQK employees and contractors sign Agreements that include confidentiality / non-disclosure terms that also cover client information and data

  • All new employees likely to have access to client data submit to a background investigation by an independent third-party

Incident response / data breaches

  • We have a documented Data Breach Response Policy and procedures, based on a globally-accepted IT operations governance model

  • We operate systems to detect and prevent unauthorised or anomalous network traffic behaviour

Business Continuity / Disaster Recovery

  • We have implemented a Business Continuity Plan (plus Incident Management & Service Desk policy and procedures) based on a globally-accepted IT operations governance model

  • TIQK operational platform recovery targets are:

    • Recovery Point Objective (RPO) of 1 hour or less, and

    • Recovery Time Objective (RTO) of 2 hours or less

  • We operate an isolated AWS second site in the Australia region for Disaster Recovery purposes

  • All files uploaded by clients are regularly backed up to a redundant, isolated account in the AWS Asia Pacific - Sydney Region (ap-southeast-2)

  • TIQK's backup infrastructure operates under the same security controls as TIQK's primary cloud infrastructure.

  • TIQK backups are primarily designed to support disaster recovery / business continuity operations

    • This means that clients should not rely on TIQK backups to, for example, restore files that they have accidentally deleted from their TIQK account

    • This is because files deleted by clients are automatically deleted from TIQK's backup infrastructure after a period of time

    • However, TIQK may be able to assist with file restores for a limited period of time after an accidental deletion.

  • If a client ends their agreement with TIQK and terminates their TIQK service, the client's platform data is immediately removed from TIQK's live systems:

    • TIQK may retain up to a maximum of seven (7) days of backups of platform data

    • After the backup period of time has passed, the client's platform data is automatically deleted and is no longer accessible to the client, TIQK systems, or on backup media

  • TIQK may offer clients with specific data retention policies an alternative period for data retention on termination

  • We do not use or handle physical media (e.g. backup tapes, drives)

Client data

Residency

Encryption

  • In transit: The connection between you and TIQK is fully encrypted with industry-standard Secure Sockets Layer (SSL) technology. We also employ Transport Layer Security (TLS) version 1.2.

  • In Platform: All transmission of data within our cloud platform - e.g. between databases and other parts of our system - is fully encrypted.

  • At Rest: All files (and all system-generated representations of those files) uploaded by clients are fully encrypted when physically stored on our platform.

  • In Platform and At Rest Encryption is controlled by the respective cloud infrastructure vendor (AWS, Microsoft Azure):

    • On AWS we use server-side encryption with Amazon S3-managed encryption keys (SSE-S3) which uses strong multi-factor encryption

    • Amazon S3 encrypts each object with a unique key; as an additional safeguard, it encrypts the key itself with a master key that it rotates regularly

    • Amazon S3 server-side encryption uses 256-bit Advanced Encryption Standard (AES-256)

Segregation

  • All clients are located on and authenticate to the same infrastructure (multi-tenant platform)

  • Sensitive client data (e.g. contained in uploaded files) are isolated in client-unique folders in AWS S3 in an isolated “Production” environment

  • Non-sensitive data (e.g. organisation profiles, audit results and analytics that do not contain client identifiable information, trained Machine Learning models) are contained in shared database and file system structures but are otherwise isolated from a client perspective

  • The TIQK platform includes a variety of trained machine learning models:

    • Models trained with generic, non-client specific datasets may be used in the file review process for multiple clients

    • Models trained with datasets supplied by a client are isolated and used in the file review process for that client only

    • Models trained with datasets supplied by a client can be deleted from the platform (and all backups) upon request, and are deleted if the client closes their TIQK account

    • Trained model files and related metadata are stored in secure locations; protected with multiple security controls; and cannot be accessed directly by end users

  • TIQK employs a variety of architecture and security features designed to minimise the risk of data leakage across and out of accounts

  • TIQK does not implement or offer bulk data transfer options between lifecycle environments (“Development”, “Stage”, and “Production”)

  • TIQK’s security model prevents cross-client data access, validated by independent, third-party security architecture review and testing

Retention

  • We store client-uploaded files (e.g. DOC, DOCX, PDF) on our cloud platform infrastructure

  • Those files remain on-platform (and in Disaster Recovery / Business Continuity backups) until deleted by the client; once deleted, they are removed from backups within 24 hours

  • Metadata derived from the platform’s review of client-uploaded files does not contain sensitive client data (e.g. client incomes, addresses, …)

    • Metadata may include the file name and client name(s), and remains on the platform and in backups until deletion by the client

  • We generate machine learning models during training activities using client-supplied and in-house generated sample documents, and in the processing of client-uploaded files

Access control

Physical

  • TIQK employees and contractors are based in Sydney, Australia

  • We operate in an office environment with physical access control (swipe cards), security cameras, and security management

  • Employees and contractors have access to centrally-managed and secure Remote Access services where required

  • Employees and contractors are issued with Company-controlled computers running Mobile Device Management services from Apple and Microsoft that enforce:

    • Maximum screen timeouts

    • Device encryption

    • Minimum password strength

    • Anti-virus/malware/phishing/spyware software

  • Only a limited number of authorised employees and contractors operate Company-controlled computers with Administrator level device access

  • Employees and contractors are required to read, agree to, and adhere to a Clean Desk Policy

TIQK employee and contractor access to internal business and operational platforms

  • Individual VPN account access is mandatory for all sensitive internal operational and data platforms, including those that host client data

  • Multi-factor authentication is mandatory for all internal operational and data platforms, and source code repositories

  • Multi-factor authentication is enforced for all supported business platforms

  • Certain highly-sensitive services require multi-layer authentication (e.g. individual VPN account + SSO + MFA)

    • In addition, we use managed IAM profiles and roles (not root privileges) for access to our cloud infrastructure

  • Employees and contractors use centrally-managed and monitored Single Sign-On authentication and access control to online services used for business and operational platforms

For end-users of the TIQK service

  • The TIQK.IO platform requires end-user authentication in order to access the service

  • Authorised “Administrator” role users in a client organisation control end user account provisioning / de-provisioning in their organisation account

  • By design, TIQK employees and contractors cannot access any client data in the platform, except:

    • A very limited number of authorised personnel are provided with secure VPN+MFA access to certain “Production” environment services and client data, in order to perform required system management tasks

    • Where authorised in writing by the client, in order to perform required tasks

    • Using client-supplied sample data and documents in non-Production environments (“Development”, “Stage”) during development, testing, and client onboarding projects

  • TIQK employees and contractors cannot reset client passwords on behalf of clients, and do not process any client access requests

  • All user management is performed by the client’s own Administrator(s)

  • End user authentication controls include:

    • Strong passwords: minimum of eight (8) characters, mix of upper- and lower-case letters, at least one number, and at least one symbol

    • Optional Multi/Two Factor Authentication: SMS or Code Generator App codes

Development lifecycle

  • We operate isolated “Development”, “Staging”, and “Production” environments

  • We operate automated unit testing and code merging (based on merge requests passing manual peer reviews)

  • We perform functional User Story, Bug, and HotFix testing in the “Development” environment using a combination of automated and human testing

  • Following the completion of each fortnightly sprint, a Release is prepared:

    • Typically all merged code is included in the Release; however, we may hold back some new code if all elements of a feature are not yet ready for release

    • Automated regression is performed when the Release is promoted to the “Staging” environment

    • The regression test suite includes existing plus all new functionality added in the current Release, and includes functional tests, as well as thousands of file review accuracy tests

  • Once regression testing has successfully passed, the Release is prepared for deployment to the “Production” environment

  • “Production” deployments:

    • Are coordinated with the TIQK Customer Success team for minimum impact on clients

    • Are controlled: a very limited number of authorised employees have access to authorise a deployment

    • Follow a Blue/Green deployment process:

      • A completely new instance of the platform’s infrastructure is built from code

      • Once built, the latest tested and approved source code is deployed, and the application is tested

      • Once testing has passed, clients are switched over to the new instance

      • The switchover is typically instantaneous and in most cases clients will not be logged out if using the web app

      • The older version of the platform is retained for a period of time in case it is needed e.g. for emergency rollback

Application security

  • The TIQK application platform is a modern, multi-tier, micro-services based architecture that isolates client data from direct Internet access

  • We maintain documented application development security standards

  • We utilise industry standards (NIST, OWASP Top 10, …) to build security into our systems and Software Development Lifecycle (SDLC)

  • We have documented policies and procedures based on a globally-accepted IT operations governance model, including:

    • Access Management

    • Information Security Management

    • Physical Access Control

    • Acceptable Encryption

    • Clean Desk

    • Password Construction and Usage

    • Remote Access

    • Web Application Security

  • We use a distributed version control model (Git) and we limit developer access to source code on a per-repository basis

  • We perform static code analysis and automated vulnerability testing prior to each release

  • We conduct automated penetration testing regularly

  • We have engaged third-party penetration testing services covering infrastructure and web services

  • The TIQK platform has controls in place to prevent common malicious input techniques such as SQL injection, XSS, command injection, URL redirection, and file upload abuse

  • All successful / unsuccessful login attempts are logged, and the platform monitors unsuccessful logins to react to and prevent brute force attacks

  • The TIQK application captures granular and comprehensive activity logging data including:

    • Successful / unsuccessful login attempts

    • Create / update / delete activity

    • Invite / modify / block end user account activity

  • We capture infrastructure and application performance and security logs in vendor services (AWS CloudWatch, Azure Application Insights, Azure Diagnostics) and in a dedicated third-party infrastructure monitoring service

  • The TIQK platform does not make use of any hardcoded passwords

  • We do not store sensitive keys or other credentials in source code

Application cloud infrastructure

  • We have adopted a SaaS platform model approach to security vulnerability patching:

    • Identified security issues are addressed on a priority and severity basis

    • Cloud Linux server instances are rebuilt from code as “clean” instances on each release deployment (typically fortnightly)

    • Any patches are fully tested prior to rollout

  • We use centrally-managed AWS NACLs

  • The TIQK application is customised to mitigate DDoS attacks, and OWASP rules are enabled

  • We modify default passwords on vendor services

  • We rotate passwords on all services

Internal business and operational platform protections

  • All TIQK employees and contractors use company-supplied and company-managed computers featuring:

    • Cloud-based anti-virus/malware/spyware/phishing protection, reporting, and web application filtering by an industry-leading vendor

    • Mobile Device Management services supplied by Microsoft and Cisco

  • Where a TIQK employee or contractor uses a personal device (e.g. smartphone), apps that access TIQK business information on that device are protected with Mobile Device Management services supplied by Microsoft and Cisco

  • We have implemented cloud-based Security & Compliance services for our business platforms:

    • Document Classification, and Records Management

    • Information Governance

    • Data Loss Prevention

    • Threat Detection and Management

    • Mail Flow, and Message Tracing

    • eDiscovery

Scalability

  • We operate an elastic micro-services based architecture with auto-scaling tuned for relevant services

  • Platform and UI speed rank highly in TIQK’s value proposition to our clients: our engineering practices are designed to ensure both are maintained

  • We conduct load testing in an isolated “Staging” environment that operates identical infrastructure to our client-facing “Production” environment to identify any performance bottlenecks and areas for autoscaling improvement

  • We monitor all services, databases, instances, certificates, application performance, and more with multiple third-party platforms that include alarms and notifications for actual and potential issues