a) Data transmission between your web browser and TIQK's cloud platform
- The connection between you and TIQK is always encrypted with industry-standard Secure Sockets Layer (SSL) technology. All information that goes between you and TIQK can only be read by your computer and our servers.
- We also employ Transport Layer Security (TLS) version 1.2. This is designed to protect against eavesdropping, tampering, and message forgery.
- When using our website you can verify this by clicking the padlock icon next to the website address in your web browser.
You can view an up-to-date and independent report of TIQK's SSL implementation by testing our website address at the third-party service: SSLLabs.com
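The padlock and the SSLLabs report are the browser-side checks described above. The following script is an added example (not TIQK's code) that performs the equivalent check programmatically from a client: it builds a TLS client context that refuses anything older than TLS 1.2 and always validates the server certificate, then reports the negotiated protocol version, cipher and remaining certificate validity for whatever hostname the caller supplies. The hostname, port and timeout are caller-supplied assumptions; nothing in the code is tied to a particular site.

```python
import socket
import ssl
import sys
import time
from typing import Optional

# Protocol versions that satisfy a "TLS 1.2 or newer" expectation.
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def make_client_context() -> ssl.SSLContext:
    """Client context that enforces TLS >= 1.2 and certificate + hostname validation."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and TLS 1.1
    return ctx


def describe_policy(ctx: ssl.SSLContext) -> dict:
    """Plain-value summary of the context's security settings, for review or testing."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def is_acceptable_version(version: Optional[str]) -> bool:
    """True if the negotiated protocol string (as returned by SSLSocket.version()) is TLS 1.2+."""
    return version in ACCEPTABLE_VERSIONS


def inspect_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to host:port, complete the handshake and report what was negotiated.

    Needs network access. If the server only offers TLS < 1.2 or presents an
    untrusted certificate, the handshake raises ssl.SSLError instead of returning.
    """
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()  # already validated against the system trust store
            not_after = ssl.cert_time_to_seconds(cert["notAfter"])
            return {
                "version": tls.version(),
                "version_ok": is_acceptable_version(tls.version()),
                "cipher": tls.cipher()[0],
                "cert_days_remaining": int((not_after - time.time()) // 86400),
            }


if __name__ == "__main__":
    # Usage: python tls_check.py <hostname> [port]
    target_host = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(inspect_tls(target_host, target_port))
```

Because the context sets `minimum_version` rather than disabling individual protocols, the same code keeps working as newer TLS versions are added to the underlying OpenSSL build.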
b) Data transmission between component parts of our cloud platform
All transmission of data within our cloud platform - e.g. between databases and other parts of our system - is fully encrypted.
c) Data "at rest"
All files (and all system-generated representations of those files) uploaded by clients are fully encrypted when physically stored on our platform.
- We enforce strong passwords (a mix of upper- and lower-case letters, digits and symbols, and a minimum password length).
- Your password is not stored as clear-text in our systems. We store a hash of the password which cannot be converted back into your actual password.
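To make the two points above concrete, here is an added example (not TIQK's code, and the policy values are assumptions, not TIQK's actual settings) of a password-policy check and of salted, one-way password storage. Each password gets its own random salt and is run through PBKDF2-HMAC-SHA256 with a high iteration count; the stored record contains the salt, the iteration count and the derived key, so a login can be verified by recomputing the derivation, but the record cannot be turned back into the password.

```python
import hashlib
import hmac
import os
import re

# Assumed policy parameters (illustrative only): minimum length and the
# character classes a password must contain.
MIN_LENGTH = 12
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Work factor in line with current OWASP guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def password_policy_failures(password: str) -> list:
    """Return the policy rules the password violates; an empty list means it is acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    for name, pattern in CLASSES.items():
        if not pattern.search(password):
            failures.append(name)
    return failures


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>.

    A fresh random salt per user means two users with the same password get
    different records, and precomputed tables are useless against the store.
    The salt parameter exists only so tests can be deterministic.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    # Constructed sample password, used only to demonstrate the round trip.
    sample = "Correct-Horse-Battery-9"
    print("policy failures:", password_policy_failures(sample))
    stored = hash_password(sample)
    print("stored record:", stored)
    print("correct password verifies:", verify_password(sample, stored))
    print("wrong password verifies:", verify_password(sample + "x", stored))
```

Storing the iteration count inside the record lets the work factor be raised later without invalidating existing accounts: old records keep verifying with their recorded count, and can be re-hashed at the user's next successful login.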
AWS certification and compliance information can be found at aws.amazon.com/compliance; Azure compliance information can be found at https://www.microsoft.com/en-us/TrustCenter/Compliance/
- All client documents and account information related to the primary function of the TIQK platform ("platform data") that are uploaded and processed on the TIQK platform remain resident in the AWS Asia Pacific - Sydney Region (ap-southeast-2) and Azure Australia South-East or Australia East Regions at all times.
- This includes all platform data backups (see Data backups, below).
Non-platform data residency
Other non-platform data related to client accounts may be stored and processed by our third-party service providers inside and outside of Australia. These include:
- Technical support and service enquiry management: Intercom (Americas)
- Subscription account information and management: Zuora (Americas)
- Credit card payment processing: Stripe (Americas, Australia)
- Anonymised website visitor analytics: Google Analytics (Americas)
- Email mailing list management, if you opt-in: SendGrid (Americas)
- General email communication and any non-platform data document sharing with TIQK; client implementation project management: Microsoft Office365 (Australia data region)
- Account management / customer relationship management data: Salesforce.com (Americas)
Intellectual property ownership
You retain ownership of any information that you upload to our servers when using the TIQK service. See our Terms & Conditions for more information.
Data sharing and privacy
- Uploaded client documents and audit results are not shared by TIQK with any third party without your express permission.
- Account data such as information related to subscription, billing, email addresses for opt-in mailing list membership, and project / implementation related data, may be shared with and stored on third-party platforms in order to provide the service - see "Non-platform data residency" above.
- All files uploaded by clients are regularly backed up on redundant, isolated infrastructure in the AWS Asia Pacific - Sydney Region (ap-southeast-2). TIQK's backup infrastructure operates under the same security controls as TIQK's primary cloud infrastructure.
- TIQK backups are primarily designed to support disaster recovery / business continuity operations. This means that clients should not rely on TIQK backups to, for example, restore files that they have accidentally deleted from their TIQK account. This is because files deleted by clients are automatically deleted from TIQK's backup infrastructure after a period of time. However, TIQK may be able to assist with file restores for a limited period of time after an accidental deletion - contact the TIQK Customer Success team for more information.
Data retention on termination
- If a client ends their agreement with TIQK and terminates their TIQK service, the client's platform data is immediately removed from TIQK's live systems. TIQK may retain up to a maximum of seven (7) days of backups of platform data. After that backup period has passed, the client's platform data is automatically deleted and is no longer accessible to the client, to TIQK systems, or on backup media.
- In some circumstances, TIQK may offer clients with specific data retention policies an alternative data retention on termination period. Contact the TIQK Customer Success team for more information.
Data access for regulatory authorities and law enforcement
To the extent that we are bound by law to provide such information, TIQK will comply with these requests.
Data breach / security incident policy
- TIQK has a duty of care. If a data breach occurs, we must notify affected clients immediately.
- TIQK has implemented an ITIL-defined Data Breach Response policy that clearly defines a breach; staff roles and responsibilities; standards and metrics (including prioritisation); and reporting, remediation, and feedback mechanisms.
The TIQK platform performs comprehensive activity auditing/logging for:
- Account creation, verification, updates, and deletions
- Team and User management
- Document uploads and deletions
- Document audits, audit results, and audit result deletions
- Subscription management
Subscription, billing, and credit card security
TIQK customer subscription accounts are managed by Zuora (zuora.com), a globally-recognised leader in online subscription management services.
- See: Zuora Policies
Credit card processing for TIQK subscriptions is managed by Stripe (stripe.com), a globally-recognised leader in online and mobile payment services.
- Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1, the most stringent level of certification available in the payments industry.
- See: Security at Stripe
- Adopted OWASP Application Security policies and instituted relevant ITIL v3 policies and procedures including Access Management, Information Security Management, Physical Access Control, Acceptable Encryption, Clean Desk, Password construction and usage, Remote Access, and Web Application Security
- Developer access to source code is limited and protected with multiple security layers
- Conducts automated checks for known security vulnerabilities in third-party components
- Controls in place to prevent common malicious input techniques
- Physically segregated lifecycle environments (Development, Test, Production, etc.) with VPN access protections
- Modifies and rotates all default passwords on any vendor-supplied service
- Formal architecture review process prior to application and systems build or modification.
TIQK employs multiple layers of security controls and processes based on the globally recognised Information Technology Infrastructure Library (ITIL) policies to protect our client data and infrastructure. These include but are not limited to:
- Local and Network Firewalls
- Web Application Firewalls
- Intrusion Detection & Prevention Systems
- Multi-layer Anti-Virus, Anti-Spyware, Anti-Phishing, and Anti-Malware protection on all company devices, cloud infrastructure, and messaging services
- DDoS Risk Reduction Services
- Network Access Control Lists
- Security Patch Management
- Identity and Access Management
- Secure Key Management
- Centralised Log Management, Reporting, and Analysis
- Symmetric and Asymmetric Encryption systems
- Strong password creation and management policies, including mandatory periodic password renewals
- Two Factor Authentication for all employees
- The use of globally-recognised password "vault" services that provide controlled and highly-secure access to critical security information such as passwords, keys, tokens and more to only those employees that require them
- Data Loss Prevention
- Regular Vulnerability Assessments
- Anomaly Detection
- Remote Monitoring & Alerting
- VPN-only access to operational systems
- Clean Desk Policy for all employees
- Physical Access Control to offices and equipment
Independent security audits
In August 2017 TIQK commissioned an independent system and web security specialist company to perform the following services:
- Security architecture review
- Web services penetration testing
- Web application and external infrastructure penetration testing
At our sole discretion TIQK is able to share the results of these audits, and any subsequent actions taken as a result of recommendations arising from these audits.
TIQK's operational strategy includes ongoing periodic internal and external security audits.
Employee Training and Vetting
- Information security and data privacy requirements are documented and communicated to all employees who have the responsibility for platform and data design, implementation, and management.
- All employees and contractors who have access to TIQK infrastructure and data must go through an extensive vetting process operated by a qualified third-party organisation, which may include police background checks.
- All employees and contractors are required to take relevant privacy training during onboarding; on-demand; and when joining a team that has direct access to client data.
- All employees and contractors sign non-disclosure terms that include client information.
TIQK platform data is backed up multiple times daily, as well as weekly and monthly.
TIQK has implemented a formal, company-wide, Board-sponsored Risk Management Framework. TIQK's Risk Management Committee manages the Risk Register (including technical and data risks) and reports avoidance and mitigation actions periodically to the Board.
The TIQK platform is monitored 24 hours a day, 7 days a week, 365 days a year. Clients can view availability reports, maintenance information, and performance statistics at any time on the System Status site.
Reporting a security issue
If you believe you’ve found a security issue, or if you believe client information has become publicly available outside our platform, please let us know: