Where is application data stored?
Application data is hosted in an Amazon data centre in Australia, while the database is hosted by another cloud provider, ObjectRocket, also in Australia. The database is encrypted at rest and all communications between the application and the database are encrypted via SSL.
Other arrangements are made as required for our international customers.
Where are my document attachments stored?
Documents are stored in an Amazon data centre in Sydney, in highly redundant Amazon S3 storage, and are encrypted at rest.
Yarris owns no physical hardware, so data destruction is accomplished by deleting the database.
What is Dazychain’s data retention policy upon account termination?
Our policy is to retain customer data for the period requested by the customer, usually one month. After that time period, the data is deleted. Alternative arrangements can be made on an ad hoc basis if requested by the customer.
Application, Server and Network protection
Our application stack runs on AWS, making full use of multiple Availability Zones for high availability and redundancy. The application sits behind Elastic Load Balancers. We also make full use of AWS Shield to combat denial of service attacks. During high-load scenarios the application is tightly controlled, with new instances created as required to absorb the load.
Segregation of data
Data segregation is fully supported and tenant aware: no user company can view another's information unless permission has been granted, for example when companies are collaborating.
Who has access to the Dazychain system, both remotely and physically?
Yarris engineers and system administrators have access to Dazychain on an as-required basis. Yarris uses cloud services to host our databases and application servers, so we have no physical access to the servers and no data is stored on premises.
What level of auditing is maintained on who accesses our data?
The system retains a complete history of access to the system, including each data change on business entities such as matters and deliverables.
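As an added illustration of the two properties described above (tenant-aware segregation with explicit collaboration grants, and a per-access, per-change audit history), the following Python is example code written for this page, not Dazychain's own implementation; the matter records, tenant names and the rule that collaborators are read-only are assumptions.

```python
from copy import deepcopy
from dataclasses import dataclass, field
from datetime import datetime, timezone

class AccessDenied(Exception):
    pass

@dataclass
class MatterStore:
    # Tenant-aware store: a company sees only its own matters unless a grant
    # names it as a collaborator; every access and data change is audited.
    matters: dict                              # matter_id -> {"tenant", "title"}
    grants: set = field(default_factory=set)   # (matter_id, viewer_tenant) pairs
    audit: list = field(default_factory=list)  # append-only history

    def _log(self, tenant, user, action, matter_id, detail=None):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(), "tenant": tenant,
            "user": user, "action": action, "matter": matter_id, "detail": detail})

    def _can_view(self, tenant, matter_id):
        matter = self.matters.get(matter_id)
        return matter is not None and (
            matter["tenant"] == tenant or (matter_id, tenant) in self.grants)

    def view(self, tenant, user, matter_id):
        # Unknown and unauthorised ids fail identically, so one tenant cannot
        # probe for the existence of another company's matter ids.
        if not self._can_view(tenant, matter_id):
            self._log(tenant, user, "view_denied", matter_id)
            raise AccessDenied(f"{tenant} may not view {matter_id}")
        self._log(tenant, user, "view", matter_id)
        return deepcopy(self.matters[matter_id])

    def update_title(self, tenant, user, matter_id, new_title):
        # Assumption: only the owning tenant may change data; collaborators are read-only.
        matter = self.matters.get(matter_id)
        if matter is None or matter["tenant"] != tenant:
            self._log(tenant, user, "update_denied", matter_id)
            raise AccessDenied(f"{tenant} may not update {matter_id}")
        old, matter["title"] = matter["title"], new_title
        self._log(tenant, user, "update", matter_id,
                  {"field": "title", "old": old, "new": new_title})
        return deepcopy(matter)

def sample_store():
    """Constructed sample data, not real customer records."""
    return MatterStore(
        matters={"M-1": {"tenant": "acme", "title": "Supplier contract"},
                 "M-2": {"tenant": "globex", "title": "Lease renewal"}},
        grants={("M-2", "acme")})  # globex collaborates with acme on M-2
```

The audit list records denied attempts as well as successful reads and writes, which is what lets a reviewer answer "who accessed our data" rather than only "what changed".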
Do you use generic administrator accounts to administer and maintain the system and if so, who has the user-ids and passwords?
No, we do not use generic administrator accounts. System updates happen through a controlled release process. A senior engineer in charge of technical services can view user IDs only, as passwords are stored encrypted.
How do you manage changes and updates to the system? How much notice is given prior to an operating system or application update?
Release notes are emailed to the nominated Organisational Administrator and users one week prior to a release; releases are generally notified at least one week ahead of the release date.
How often is the data backed up and where are the backups stored?
The cloud providers hosting our databases and file systems make regular nightly backups.
Do you have a Disaster Recovery plan?
Yarris uses cloud services to host our applications and databases, making full use of AWS multiple Availability Zones, which provide our disaster recovery and high availability. Our providers implement disaster recovery plans on behalf of hosted services such as ours. We also have a fully developed Disaster Recovery and Business Continuity Program. AWS holds applicable certifications, including ISO 27001, ISO 27018, FedRAMP, SOC 1 and SOC 2; for more information please see https://aws.amazon.com/compliance/.
Is there an audit log?
We confirm that we log all changes to data in the Dazychain audit log.
What infrastructure status reporting is in place?
We use standard AWS infrastructure reporting.
Are you GDPR compliant?
We are GDPR compliant. We collect and maintain only a very limited amount of personal data, none of which is monetised.
What is your data retention process and encryption strength at rest?
Database:
- Encryption - AES-256
- Backup retention - two weeks
S3 (Document store):
- Encryption - AES-256
- Backup retention - unlimited. Managed by AWS; documents are stored in highly redundant storage.
Do you share data with 3rd parties?
Dazychain does not share data. Users may choose to share data with external lawyers if they wish.
Do you conduct penetration tests?
Penetration tests are performed quarterly.
Does Dazychain have IAM / AD integration / MFA capabilities on the platform?
No IAM / AD integration presently. This is on the roadmap for FY 2018-19, as is MFA. We can accelerate these roadmap items if required at standard consulting rates.
Can we delete documents from a workspace?
How do you protect stored information from malware?
We use AWS AMIs that are patched regularly against malware. We also use Amazon CloudFront for protection against DDoS attacks. Yarris enables S3 scanning by a third-party virus scanner before you commence the project.
What type of Security Incident Event Monitoring (SIEM) do you use?
We use CloudFront, which gives us protection from DDoS attacks, and we are automatically covered by AWS Shield Standard, which also protects us against DDoS attacks. We have active monitoring in place from AWS Network Flow Monitoring.