Optimal security, privacy and performance
TechnologyOne’s customers benefit from the superior security we build at every level of our leading-edge enterprise Software as a Service (SaaS) solution.
We invest approximately 20% of our revenue each year into R&D, ensuring our procedures are world-class, effective and measurable. Our philosophy is to achieve security, privacy and performance from the earliest point in the development process.
Highest level certifications and accreditations
To maintain the highest level certifications and accreditations as outlined below, we integrate and maintain the latest in innovative security and privacy technologies. Regardless of the TechnologyOne solution or product/service you are using, as a TechnologyOne SaaS customer, you are protected by our multi-tiered security measures and accredited procedures.
ISO/IEC 27001
ISO/IEC 27017
ISO/IEC 27018
ISAE 3402 SOC 1
AT 101 SOC 2
IRAP
IRAP*
GDPR
GDPR
A specification for an information security management system (ISMS).
An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.
TechnologyOne acquired this in 2011 to create a global policy framework that enabled us to include security as part of the design process.
It demonstrates that we are following international best practice to mitigate threats.
A cloud computing code of practice for information security.
This code of practice provides recommendations to assist with the implementation of cloud-specific information security controls.
TechnologyOne acquired this in 2016 to align our processes and controls with cloud specific providers.
It confirms for customers that we have adopted international best practice surrounding cloud specific threats and risks.
A code of practice for protection of personal information in the cloud.
TechnologyOne acquired this in 2016 to demonstrate to customers that we protect their personal identifiable information.
Our alignment with this internationally recognised code of practice demonstrates our commitment to the privacy and protection of customer information.
It demonstrates to our customers that we have a system of controls in place that specifically address the privacy protection of their content.
An assurance standard, designed to demonstrate that adequate internal controls are in place from a financial perspective. It supersedes SAS70.
TechnologyOne acquired this standard in 2012 as one that auditors of customers could rely upon, and that allowed us to streamline our operations.
This report assists the financial auditors of our customers to determine the robustness of their financial data stored in the TechnologyOne SaaS solution.
Existing SaaS customers of TechnologyOne are entitled to request the ISAE 3402 SOC 1 audit report*.
This report can be requested by sending a formal email request to the SaaS Compliance email: saas_compliance@technologyonecorp.com
*Restrictions apply, email SaaS Compliance for further information
An assurance standard, designed to prove that adequate internal IT controls exist. It relates to: security, availability, privacy, confidentiality and processing integrity.
TechnologyOne acquired this standard in 2017 to satisfy customer need for information and evidence on auto-scaling, security practices and the operational process for the TechnologyOne SaaS solution.
This standard demonstrates to customers that security practices are in place to: promote security and prevent unauthorised access, ensure system availability, enable processing integrity, protect confidentiality and protect privacy.
Existing SaaS customers of TechnologyOne are entitled to request the AT 101 SOC 2 audit reports*.
This report can be requested by sending a formal email request to the SaaS Compliance email: saas_compliance@technologyonecorp.com
*Restrictions apply, email SaaS Compliance for further information
IRAP provides the framework to endorse individuals from the private and public sectors to provide cyber security assessment services to Australian governments.
TechnologyOne sought this as a response to feedback from our Australian federal government customers, who indicated that this is an important part of their risk assessment process when considering cloud services.
TechnologyOne has completed SOA, Stage 1 audit, Stage 2 audit and has been recommended for certification in 2017 following an independent audit, performed by an accredited IRAP auditor. The level of certification we have been recommended for is: Unclassified DLM up to and including Sensitive.
Certification is achieved after ASD has performed a review of compliance, compensating controls, threats at the time of assessment and may recommend the introduction of additional security controls.
ASD is the certification authority for inclusion on the Certified Cloud Services List. There is no established timeframe or process that defines the steps that are followed after being recommended for certification and receiving certification.
This demonstrates to customers that the TechnologyOne SaaS solution has been assessed for the implementation, appropriateness and effectiveness of our security controls.
* Full certification is pending. Please refer to full details above.
The EU’s General Data Protection Regulation (GDPR) became effective on the 25th May 2018.
The GDPR is an EU regulation targeted at harmonising the hugely varied data protection laws across Europe.
The UK Government is currently reviewing the latest generation of Data Protection Laws that build on top of and extends the GDPR. The UK's third generation of data protection law has now received the Royal Assent and its main provisions commenced on 25 May 2018.
Shared Responsibilities for GDPR
The two main parties identified within the GDPR regulations are:
- Data Controllers - “A controller is the entity that determines the purposes, conditions, and means of the processing of personal data”
- Data Processor - “the processor is an entity which processes personal data on behalf of the controller.”
Both parties have responsibilities in maintaining the security and privacy of Personally Identifiable Information (PII).
TechnologyOne as Data Processor
In delivering our SaaS service to our customers, TechnologyOne has a built a class leading security and compliance program that is designed to provide customers with a high level of surety that their Security and Privacy needs are in good hands.
TechnologyOne audit reports and other materials are available for customers to request and use to meet their own compliance obligations. This compliance program is continually updated as additional guidelines or amendments to existing standards are released. Some of the key areas as they relate to GDPR are described below.
Security: TechnologyOne has developed a security framework that passes the highest levels of external verification, testing and scrutiny. There is a continual program of testing and audit by external third parties to verify the security of the system along with the integrity of the people and processes that manage that system.
Privacy: TechnologyOne has a robust Privacy and Security incident handling plan for the handling of issues related to Security or Privacy breaches and concerns. This handles all required notifications and communication with required regulatory bodies and has the customer (Data Controller) at the centre of process to ensure the fastest, most rigorous and least disruptive handling of reported incidents.
Continuous Improvement: The legislative landscape is shifting substantially with regard to privacy and is being updated regularly with country specific requirements. The TechnologyOne Compliance Program ensures that all changes and new requirements are incorporated in a timely manner. This is underpinned by a continual program or Privacy Impact Assessments (PIA) across all aspects of the Data Processor offering to our customers.
Customer as Data Controller
As well as leveraging the compliance capabilities TechnologyOne has as a Data Processor, Customers, (as Data Controllers) are able to utilise a range of capabilities and functions to meet their Data Controller obligations’:
Authentication and Access rights: TechnologyOne offers a suite of capabilities to help customers comply with the management of access rights under the GDPR. Data Controllers are able to manage and control their users’ access to the application and the data they are able to access once logged in. A key component of this is the implementation of role-based access along with the Data Controller determining and configuring their preferred authentication platform.
Data Subject rights: TechnologyOne offers a number of mechanisms by which the Data Controller can meet their GDPR obligations as it relates to data subject, such as ‘access, ‘rectification’, ‘erasure’, ‘portability’ etc.
TechnologyOne is committed to complying with the GDPR and all applicable privacy and data protection laws and regulations in its operations and delivery of services to its customers. We are also committed to supporting and assisting our customers to meet their GDPR and privacy obligations.
TechnologyOne has implemented a compliance program with assistance from external advisers to meet the "processor" obligations as described under the GDPR.
TechnologyOne has provided a GDPR Product Assistance paper that aims to assist our customers to comply with their obligations. This paper is available to customers on request by emailing privacy@technologyonecorp.com.
We note that there are currently no approved certification bodies that would provide external assurance that we comply with GDPR, as per the ICO's website. However, TechnologyOne will continue to monitor this.
Exceptional user experience
The user experience for our customers is our priority, that’s why we adopt world-leading standards across our software. To protect our customers against security threats, data breaches and to prevent unauthorised access to customer data, TechnologyOne maintains a formal and comprehensive security program.
Unique approach to isolated data storage
The TechnologyOne SaaS solution is unique in its approach to data management. We deliver multi-tenanted SaaS and isolate each customer’s data in a separate, dedicated database per customer. This isolation provides far superior security to a shared database that combines data from many customers into a single database. Multi-tenanted software provides economies of scale, enabling customers to share one version of software globally, gain immediate access to the latest enhancements as they become available, without having to compromise on data security. These controls are in addition to the rich, logical security model in the application itself, which is personalised for each customer during implementation, and updated by our customers as their business changes over time.
Encryption of data in transit
Users access TechnologyOne SaaS via the internet, protected by Transport Layer Security (TLS) 1.0 and above. This secures network traffic from passive eavesdropping, active tampering and the forgery of network messages.
Defence mechanisms
TechnologyOne has implemented proactive security measures such as perimeter defence and network intrusion detection and prevention systems, together with anomaly detections algorithms that alert team members. We also utilise a number of confidential countermeasures designed to protect our customers, and protect our service in general.
Robust testing
Vulnerability assessments and penetration testing of the TechnologyOne SaaS solution are evaluated and conducted on a regular basis by both TechnologyOne team members and trusted external third-party vendors. These vulnerability assessments are in addition to the secure coding practices, static code analysis and security reviews undertaken with our enterprise software.
Backup and replication of data
In a Cloud first, Mobile first world, we have rethought the traditional approach to backups. TechnologyOne SaaS architecture is active/active by design, which means that all data is synchronously stored in multiple locations, across multiple data centres, automatically. This approach challenges most existing procedures that revolve around backups, tape archives and expensive customer-adopted processes.
A full backup is taken weekly and stored in multiple locations across four physically isolated data centres. Database backups and transaction logs are implemented so that a database may be recovered with the loss of as few committed transactions as is commercially practicable. To ensure that we can offer the lowest recovery point objective (RPO) in the industry, we perform snapshots every 15 minutes to minimise the potential for data loss in the event of failure. Backups of the database and transaction logs are encrypted for any database which contains customer data.
Single sign-on support
Security Assertion Markup Language (SAML) is supported by the TechnologyOne SaaS solution and enables an enterprise single sign-on (SSO) environment. SAML provides a seamless, single sign-on experience between the customer’s internet connection and TechnologyOne SaaS, which incorporates the existing identity framework already in use.
Authorisation controls
TechnologyOne software enforces role-based security for authorisation. Role-based security allows customers to grant or restrict user access to functionality, business processes, reports and data.
System-to-system integration
System-to-system integration is via public web service invocations or Reports as a Service (RaaS). All of these system invocations are controlled by TechnologyOne software-based authorisations and security.
Privacy
TechnologyOne recognises the importance of the performance of online technology and how personal information is collected, stored, used and disclosed. TechnologyOne is bound by the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) set out in the Privacy Act, and understands the importance people place on their personal information. At TechnologyOne, we are committed to ensuring that all information collected by us is treated with the appropriate degree of privacy and confidentiality. For full details, refer to our privacy policy.