In this post we answer many of the common questions regarding security and trust. If you require more details please contact our support desk.

Privacy

  1. Do you have a published privacy policy?
    Yes. The privacy policy can be found here.
  2. Where is the data stored?
    All data and applications are hosted within Amazon Web Services data centres in Australia.
  3. Who owns the data?
    Published data remains the property of the organisation who publishes the data. Some derived data that is created as a result of combining two or more organisations’ data has shared ownership between those organisations.
  4. Will the data we load be retained after our subscription has ended?
    At the end of your subscription any published data will be deleted from SmarterWX. By default, data will be retained through our backup and archival processes. Upon request we will endeavour to remove your data from all archives.

Data Security

  1. Is data encrypted at rest?
    Yes.
  2. Is data encrypted in transit?
    Yes. Access to data through the web interface is via SSL. For administration purposes, all access to the hosted application is through a secure VPN connection.
  3. Do you perform vulnerability assessments of your service?
    Yes. Regular vulnerability assessments are performed on our environments.
  4. Does the SmarterWX application use a firewall?
    Yes. SmarterWX sits behind the Amazon Web Services Web Application Firewall with a number of rules configured to prevent malicious access to the servers.

Physical Security

  1. How is your data centre physically secured?
    Our applications are hosted on the Amazon Web Services cloud platform within Australia. Details of the physical security can be found in this white paper.
  2. How are your administrative staff screened?
    Esri Australia performs a professional background check on all its employees prior to en employment offer being made. This checking process includes sighting visa documents, copies of qualification documents, and interviewing multiple referees for each candidate. Copies of the interview responses, and copies of the above documents are all kept on file by Esri Australia.

User Authentication

  1. What options exist for user authentication?
    An organisation can choose to use either SmarterWX Internal Authentication (username and password) or through connection to your own third-party SAML-compliant authentication services (such as Active Directory Federation Services).
  2. Can user roles for SmarterWX be controlled through our authentication service?
    Yes. Group memberships defined in a SAML compliant authentication service can be mapped to user roles in SmarterWX.

System Availability

  1. Is the data backed up on a regular basis?
    Yes. SmarterWX data is backed up on a regular basis with operational data backed up multiple times per day.
  2. As a organisation using SmarterWX can we backup our own data?
    Yes. Features exist throughout SmarterWX to allow you to export your data to geospatial data files.
  3. What approaches have been taken to ensure maximum system availability?
    SmarterWX is architected to be highly-available and with maximum redundancy. The SmarterWX application operates across multiple Amazon Web Services (AWS) data centres in Australia. SmarterWX is self-repairing where a problem is found with a single node, the system will automatically launch a completely new instance. The SmarterWX database runs in multiple data centres with live replication between sites.
    Inbound emails are received through the AWS Simple Email Service (SES) and the system is architected to separate the receipt of emails from the actual processing. This architecture ensures that emails received during any temporary planned or unplanned outage of SmarterWX are queued and will be processed in order of receipt following recovery.
    SmarterWX data is backed up on a regular basis with operational data backed up multiple times per day to allow recovery in the event of a major failure.
  4. Is SmarterWX capable of scaling up to cater for increased demand?
    Yes. SmarterWX is configured to automatically scale horizontally to meet peaks in server workload. SmarterWX is also architected to allow vertical scaling as appropriate to meet continued growth in service.
  5. Is the system actively monitored for outages and other issues?
    Yes. A number of different monitoring techniques are used to notify our system administrators of issues such as lost connectivity, increased response times and resource exhaustion.
  6. Do you notify users of planned maintenance and updates?
    SmarterWX is architected to allow on-the-fly patching and updates without the need for downtime. Our team will apply updates when they become available. If downtime is required for system maintenance, users will be notified seven days in advance.
  7. Do you notify customers of unplanned outages and other service interruptions?
    Yes. A number of monitoring techniques are used across the SmarterWX products to notify our System Administrators of interruptions to service. Following our internal triage process, customers will be notified via our Customer Support team within four business hours of any outage occurring.
    Data or configuration issues relating specifically to the customer’s data will trigger automatic emails to your organisation’s notification email address. Each customer is able to pause processing of email referrals allowing them to resolve any issues before restarting processing

Auditing

  1. Are audit logs kept of system administration tasks?
    Yes. All maintenance activities are recorded.
  2. Are audit logs kept for user activities?
    Yes. User activities such as creating, updating and deleting data are logged. An access log is kept showing all web requests.
Tagged: