This statement outlines the information management and security services for the Astute Payroll software application. The Astute Payroll General Manager is the responsible officer for Security Management.
Astute Payroll’s information security management system is certified under ISO/IEC 27001:2013. Last audit date: 29-Aug-2019.
1.1 Astute Payroll application is hosted on Amazon Web Services (Cloud).
1.2 Data is stored in S3 buckets in Australia.
2. Security Management
2.1 The connection between a user and the Application is encrypted over HTTPS using TLS 1.2 or higher, with cipher suites of no less than 128-bit strength.
2.2 Each customer’s data is stored in a logically separated environment.
2.3 All data in transit between hosting facilities is passed over a secure tunnel.
2.4 All long-term storage data is encrypted with GPG using keys of no less than 2048 bits.
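As an added example (not part of Astute Payroll’s statement, and not the application’s own code), the following Python shows what the policy in 2.1 means on the client side: a TLS context that refuses anything below TLS 1.2 or below 128-bit cipher strength, a check that the context offers no weaker suite, and a helper a customer can use to confirm what a server actually negotiates. The host name passed to the probe is an assumption; the probe itself needs network access, the rest runs offline.

```python
import socket
import ssl

# Policy stated in section 2.1: TLS 1.2 or higher, no less than 128-bit encryption.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2
MIN_STRENGTH_BITS = 128


def build_client_context() -> ssl.SSLContext:
    """Client context that refuses any session below the stated policy."""
    ctx = ssl.create_default_context()  # verifies server certificate and hostname
    ctx.minimum_version = MIN_TLS_VERSION
    # Forward-secret AEAD suites only; this drops RC4, 3DES, CBC and NULL ciphers.
    # TLS 1.3 suites are managed separately by OpenSSL and remain enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def weak_suites(ctx: ssl.SSLContext) -> list:
    """Names of suites the context would still offer that break the policy."""
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if c["strength_bits"] < MIN_STRENGTH_BITS
        or c["protocol"] in ("SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1")
    ]


def handshake_meets_policy(version: str, strength_bits: int) -> bool:
    """Judge a negotiated session (values from ssock.version() and ssock.cipher()[2])."""
    return version in ("TLSv1.2", "TLSv1.3") and strength_bits >= MIN_STRENGTH_BITS


def probe_server(host: str, port: int = 443) -> dict:
    """Connect (network required) and report what the server actually negotiated."""
    ctx = build_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as ssock:
            name, _proto, bits = ssock.cipher()
            version = ssock.version()
    return {
        "version": version,
        "cipher": name,
        "strength_bits": bits,
        "meets_policy": handshake_meets_policy(version, bits),
    }


if __name__ == "__main__":
    ctx = build_client_context()
    print("minimum version:", ctx.minimum_version.name)
    print("suites offered below policy:", weak_suites(ctx))
    # Assumed host name; uncomment to probe a real endpoint:
    # print(probe_server("app.example.com"))
```

Because the context hard-codes the minimum version, a server that only speaks TLS 1.0 or 1.1 fails the handshake outright rather than silently negotiating down; `probe_server` therefore reports the negotiated suite only for servers that already meet the floor, and `handshake_meets_policy` remains useful for judging session details logged elsewhere.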
3. Information Security
3.1 Production data is replicated between no less than two data centres.
3.2 Replication latency is monitored and protocols are in place to alert Astute to any delays. We aim to keep this under one hour at all times, but place no guarantees on this.
3.3 Backups are taken every 10 minutes and retained for 24 hours.
3.4 Backups are also taken every night and are currently retained indefinitely. Astute reserves the right to delete any of these that become excessively old and/or obsolete.
3.5 Nightly backups are sent to a separate provider in a separate geographical location (within Australia).
4.1 Astute Payroll assumes responsibility for the production, acceptance testing, and disaster recovery computing environments supporting the hosted Application. This includes the application software, related databases, supporting computing hardware and necessary operating systems.
5.1 Astute Payroll provides a service that is carefully tested against the Chrome web browser. While the service may run on other browsers, no warranty is made to that effect.
5.2 It is recognised that the customer has little or no control over the environment of their end users. To accommodate this, Astute Payroll provides employee access to the service from Internet Explorer version 8 and above, Firefox version 4 and above, and Chrome version 5 and above.
6. Security Testing
6.1 Astute Payroll follows best-practice protocols for server configuration and access, including keeping all software up to date and restricting server access to key-pair (public-key) authentication.
6.2 Astute Payroll conducts automated penetration and security testing on all releases and on a quarterly basis with software that allows us to scan for the following types of vulnerabilities:
6.2.1 Vulnerabilities that allow a remote attacker to control a system or access sensitive data on it.
6.2.2 Misconfiguration (eg open mail relay, missing patches, etc).
6.2.3 Default passwords, a few common passwords, and blank/absent passwords on some system accounts.
6.2.4 Denial of service against the TCP/IP stack using malformed packets.
7. Personnel Management
7.1 All Astute Payroll employees are required to pass a National Police Clearance and Bankruptcy check prior to commencement.
7.2 Astute Payroll conducts internal audits for security awareness and effectiveness.
7.3 Access management is controlled by the General Manager.
8. Not Covered
8.1 The end user is responsible for providing adequate internal network infrastructure so as not to affect Astute Payroll’s ability to deliver the service and meet performance metrics.
8.2 The end user is responsible for the provision, support, maintenance, and monitoring of their hardware, network, operating system, installed software, dedicated LAN, and/or WAN. Astute Payroll bears no responsibility for performance and availability problems on networks outside its control.
Alteration to Statement
Astute Payroll reserves the right to modify the service it provides at any time without notice, on the condition that the modified service does not fall below the level of service stated in this document. This includes infrastructure, security, information security, reliability and accessibility.