
Squiz Security Annex

Squiz utilises one of the following approaches for the provision of its Services:

  1. Cloud Services and data centers provided by Squiz;
  2. Cloud Services and data centers provided by Amazon;
  3. Cloud Services and data centers provided by Google.

Security information for Amazon Web Services can be found at https://aws.amazon.com/security/ and for the Google Cloud Platform at https://cloud.google.com/security

For each of these Cloud Service approaches, Squiz employs a range of Security Measures for ensuring the ongoing confidentiality and availability of Customer Data. The Security Measures will include, but will not be limited to, the following measures:

  1. Data processing and infrastructure security
    1. Policies. Squiz maintains a comprehensive set of Information Security Policies that ensures that appropriate measures are in place to protect confidential data and systems. Policies are reviewed at least annually, with external reviews by an appropriate third-party auditor.
    2. Training. Squiz staff that have privileged access to cloud or technology infrastructure are required to undertake security and privacy training, including an acknowledgement that they will adhere to the Information Security Policies.
    3. Hardening. For Squiz provided cloud infrastructure, standard industry benchmarks are used to harden servers and network devices. All Squiz Cloud network devices are hardened to industry benchmarks where applicable. Systems that host Customer Data can be optionally hardened on customer request.
    4. Monitoring. Squiz Cloud services are monitored 24/7 by security checks and alerts. Squiz monitors network traffic for known attack signatures and uses analytical software to detect patterns and trends that might indicate security threats.
    5. Network Redundancy. The networks used to deliver Squiz Services are built to be redundant, with multiple pathing and failover options for traffic to the Services.
    6. Vulnerabilities. Squiz undertakes proactive monitoring of third-party vulnerabilities that would impact its services and/or products. Processes and tools are in place to identify and correct known vulnerabilities based on standard industry practices.
    7. Access Control. Administrative privileges for Customer Data are restricted to Squiz staff who require this access to support and manage the Squiz Services. Squiz staff undergo appropriate training, and controls are in place to effectively revoke access in the case of a security incident.
    8. Encryption. Where noted in the Documentation, Squiz encrypts data in transit using standard industry mechanisms. Encryption for data at rest is also available for some Services, depending on the deployment model and requirements of the Customer.
    9. Security Scans. Squiz commissions independent penetration tests against the Services on a bi-annual basis. Automated network scans run on a daily basis to detect anomalous network configurations, with appropriate processes to catch exceptions and undertake remediation.
    10. Physical Security. Customer Data is stored within secure data centres with robust physical security measures, including but not limited to: 24/7 security personnel, closed circuit television cameras, identification card or biometric authentication systems, redundant power and cooling, and advanced fire suppression systems.
    11. Backup and restore. Customer Data that is stored as part of the Services is backed up on a nightly basis and replicated offsite. Squiz maintains a process that ensures the ability to restore the Customer Data in a timely manner in the event of a disaster or a significant data corruption event.
  2. Standards and audits
    1. ISO 27001:2013. Squiz undertakes an annual ISO audit and maintains full ISO 27001:2013 compliance and accreditation for support processes and Squiz data centers. Certificates of ISO compliance are available upon request.
    2. Cloud Security Alliance. Squiz has completed the CSA STAR registration and our response to the CSA security questionnaire is available online at https://cloudsecurityalliance.org/star/registry/squiz/
    3. Uptime Institute Tier III. Squiz data centers conform to the Uptime Institute's Tier III classification for high availability. Details of the standard can be found here: https://uptimeinstitute.com/tiers
    4. PCI DSS. Where requested, Squiz can provide PCI DSS v3 compliant hosting for customers that process credit card information. PCI DSS compliance is enabled by request on a customer-by-customer basis. For clarity, Squiz itself is not PCI compliant and does not store payment card data, but can provide PCI compliant hosting for customers who require secure handoff of payment card processing.
    5. CIS Benchmarking. Squiz utilises the CIS Benchmarks for hardening servers and network devices.
    6. OWASP. During the development and maintenance of Squiz products, Squiz adheres to the OWASP Top 10 risk mitigation strategies, and any code found to be non-conformant is logged as a defect. Appropriate processes are in place to prioritise and remediate non-conformance.