Assure Data Security FAQ

This article will cover some commonly asked questions around data security for the Assure software.

Saasyan is committed to protecting the privacy of customers and their students' data collected via Assure.

This privacy statement applies to the data collected by Saasyan through your use of our Assure cloud-based offering (the “Service,” as further defined below); it does not apply to other online or offline Saasyan products or services.

To view the full Saasyan Privacy Policy click here.

Notice to Users:

This article is written for the organization or company (our “customers”) that contracts with Saasyan for the Assure offering.

All references to “you” or “your” in this privacy statement are to our customers. We only use Customer Data to provide the Services. 

Data Encryption

All data is encrypted in transit using TLS. This includes the communication between the Assure Collector VM/Assure Agent and the Assure SaaS cloud.

To keep your data secure at rest, Assure encrypts each block using hardware-accelerated AES-256 as it is written to disk. This takes place at a low level in the I/O subsystem, which encrypts everything written to disk, including intermediate query results. The blocks are backed up as is, which means that backups are encrypted as well. Encryption keys are managed using AWS KMS.

User and Service Credentials 

User credentials are not provisioned/stored in Saasyan Assure.

Assure solely relies on the school’s/department’s/district's IDP for authentication and authorization purposes. The protocols supported are LDAPS and SAML v2. 

Application/service credentials are stored in AWS KMS and are accessible only to the microservices that require them. 

FAQs

1.0  Communications and Operations Security

1.1  How is data backed up?

Data is backed up through very frequent snapshots and daily backups. 

Backup data is encrypted and stored in an alternate availability zone within the AWS Sydney region. 

1.2  How often are backups performed?

Data is backed up through very frequent snapshots and daily backups. 

The backup RTO is under 4 hours and the RPO is under 10 minutes.

1.3  How are data backups protected from unauthorized access? 

All backup data is encrypted at rest using 256-bit encryption and the keys are managed by AWS KMS. Backup data is protected from AWS access through our least privilege access policy and two-factor authentication enforcement. 

1.4  How is data transferred securely? 

TLS encryption is used for data in transit and data at rest is encrypted using the AES-256 algorithm.

1.5 How is system access logged, monitored and alerted?

System access is logged at the following levels:
- Application: privileged user activity is logged.
- Authentication and authorization: both non-privileged and privileged access is logged.
The above-mentioned logs are tamper-proof and are analyzed continuously to identify suspicious activity.
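The kind of continuous analysis described above can be illustrated with a small detection pass over access logs. The following is an added example, not Saasyan's own code or Assure's real log format: the line format (`<UTC timestamp> <level> key=value ...`), the sample log lines, the failed-login threshold and window, and the business-hours range are all constructed assumptions. It flags three patterns a defender would typically want surfaced from authentication and application logs: a burst of failed logins from one user and source, a privileged action by an account with no preceding successful authentication in the log, and a privileged action outside expected hours.

```python
"""Constructed example: flag suspicious activity in access logs of the
kind described in the FAQ (authentication events plus privileged
application actions). Log format, thresholds and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Assure output).
# Assumed format: <ISO-8601 UTC timestamp> <level> key=value ...
SAMPLE_LOG = """\
2024-05-01T08:00:05Z auth user=alice result=ok src=10.1.2.3
2024-05-01T08:00:20Z auth user=bob result=fail src=203.0.113.9
2024-05-01T08:00:25Z auth user=bob result=fail src=203.0.113.9
2024-05-01T08:00:31Z auth user=bob result=fail src=203.0.113.9
2024-05-01T08:00:38Z auth user=bob result=fail src=203.0.113.9
2024-05-01T08:00:44Z auth user=bob result=fail src=203.0.113.9
garbled line here
2024-05-01T08:05:00Z app user=alice action=view_report privileged=false
2024-05-01T09:10:00Z app user=alice action=change_retention privileged=true
2024-05-01T10:00:00Z app user=carol action=export_traffic_logs privileged=true
2024-05-01T22:00:00Z auth user=dave result=ok src=10.1.2.9
2024-05-01T22:05:00Z app user=dave action=delete_user privileged=true
"""

FAILED_AUTH_THRESHOLD = 5                    # assumption: failures per user+source ...
FAILED_AUTH_WINDOW = timedelta(minutes=5)    # ... within this sliding window
BUSINESS_HOURS_UTC = range(7, 19)            # assumption: privileged work expected 07:00-18:59 UTC


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    record = {"ts": ts, "level": parts[1]}
    for field in parts[2:]:
        if "=" in field:
            key, value = field.split("=", 1)
            record[key] = value
    return record


def find_suspicious(log_text):
    """Return a list of (timestamp, rule, detail) findings, in log order."""
    findings = []
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failed auth
    authenticated = set()          # users with a successful auth seen so far

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                # malformed lines are skipped, not fatal

        if rec["level"] == "auth":
            if rec.get("result") == "ok":
                authenticated.add(rec.get("user"))
            elif rec.get("result") == "fail":
                key = (rec.get("user"), rec.get("src"))
                window = failures[key]
                window.append(rec["ts"])
                # drop failures that fell out of the sliding window
                while window and rec["ts"] - window[0] > FAILED_AUTH_WINDOW:
                    window.pop(0)
                # fire exactly once, when the threshold is first reached
                if len(window) == FAILED_AUTH_THRESHOLD:
                    findings.append((rec["ts"], "auth_failure_burst",
                                     f"user={key[0]} src={key[1]}"))

        elif rec["level"] == "app" and rec.get("privileged") == "true":
            user, action = rec.get("user"), rec.get("action")
            if user not in authenticated:
                findings.append((rec["ts"], "privileged_action_without_auth",
                                 f"user={user} action={action}"))
            if rec["ts"].hour not in BUSINESS_HOURS_UTC:
                findings.append((rec["ts"], "privileged_action_after_hours",
                                 f"user={user} action={action}"))
    return findings


if __name__ == "__main__":
    for ts, rule, detail in find_suspicious(SAMPLE_LOG):
        print(f"{ts.isoformat()}Z  {rule:32s} {detail}")
```

Each rule keeps only the state it needs (a per-key sliding window of failure timestamps and the set of users seen authenticating), so the same pass works over a live stream as well as a file; in a real deployment the "without auth" rule would consult the session store rather than the log itself, and the thresholds would be tuned to the environment.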

1.6 Are there regular network penetration and vulnerability scans performed?

Penetration tests and vulnerability scans are conducted by a third party once a year.


2.0  Information Systems Acquisition, Development & Maintenance 

2.1  What cryptographic mechanisms are used, in storage and transmission? 

All data is encrypted in transit using TLS and all data is encrypted at rest using 256-bit encryption. The keys are managed using AWS KMS.

3.0 Physical Security 

3.1  Are Saasyan's data centres outsourced to third parties? Where are they physically located?

Yes, Saasyan uses the AWS Sydney region to provide our SaaS services to Australian schools. The Sydney region comprises three availability zones.

3.2  How is data centre access monitored, logged and alerted? 

Saasyan's services are hosted on AWS.

Please refer to https://aws.amazon.com/compliance/data-center/controls/ for a description of the monitoring and logging controls in place.

3.3  What certifications do the data centres have? 

Saasyan's services are hosted on AWS.

Please refer to https://aws.amazon.com/compliance/programs/ for the list of certifications held by AWS.

4.0 Data Assets 

4.1  What data types are captured by the service/product?
      a) PII
      b) Financial
      c) Corporate

The Assure software collects Username, Group Membership, Web Access and Traffic Logs.

(a) PII: The data we capture is of the PII type, albeit of the indirect kind.
(b) Financial: No financial data is retained.
(c) Corporate: No corporate data is retained.

5.0 Governance

5.1  What formal security policies and standards does your organization have in place?

Our formal security policies are ISO 27001 aligned and we are working on our formal certification.

6.0 Human Resource Security

6.1  Are employees and contractors required to acknowledge and accept policies? 

Yes, all Saasyan employees are required to acknowledge and accept policies. This includes but is not limited to our information classification and handling policy, human resource security policy, acceptable use policy, clear desk and clear screen policy, and the change management policy.

6.2  Are employees and contractors required to sign confidentiality agreements? 

Yes, all Saasyan employees are required to sign a confidentiality and intellectual property deed.

6.3  Are criminal record and/or background checks undertaken during recruitment and/or employment process?

Yes, successful candidates are required to produce the following before they are hired:
1) Police Check
2) Visa Check
3) Working with children check

If you have any further questions for our team, please don't hesitate to reach out to us at support@saasyan.com.