FastTrack360 Version 12 Online Help

FAQ

Below is an outline of common questions and answers about the FastTrack360 service.  Should you have other points not covered below, please contact your Account Manager or Enterprise Sales Manager to organise further clarification.

Hosting

Question

Answer

Where is the application service hosted?

Amazon Web Services – Tier 1 Data Centres

Europe

  • Primary Site – London, United Kingdom

  • Secondary DR Site – London, United Kingdom

APAC

  • Primary Site – Sydney, Australia

  • Secondary DR Site – Sydney, Australia

The physical location of these data centres is not published or publicly provided by Amazon.

Is the building alarmed?

Please see the link below for AWS power and security details:

https://aws.amazon.com/about-aws/global-infrastructure/

Is it monitored with CCTV?

Is your data centre a manned/unmanned operation?

Does the site have an electronic access control system?

Are your systems protected by a backup power supply?

In the event of a power failure, how long can your systems run on the backup power supply?

Network

Question

Answer

Do you have an Intruder Detection System (IDS) installed on your network?

Yes

Do you have resilient/redundant Internet connections?

Yes

If so, how do you achieve the level of resilience?

BGP (Border Gateway Protocol)

If your resilience is in the form of diverse physical connections, please give details of how they are routed. Please include information such as how the physical connections are routed out of the building, whether they connect to separate exchanges, whether you use different ISPs etc.

We have multiple ISP providers who in turn use multiple network exchanges to ensure resilience.

Our facility is connected to the power grid from multiple points as well as having generator power backups. Network connectivity is provided to our facility via multiple physical connections via different physical risers in the building.

We also have a second data centre which would be used to host the service should we suffer a complete loss of the primary site. There would be a recovery window required in this event.

Is access to core network equipment restricted to key personnel?

Yes

Are all changes to the configuration of core network equipment managed by a change-management process?

Yes

Are firmware upgrades/patches for network equipment tested before live deployment?

Yes

If so, to what extent are the patches tested: basic network operation or full testing of the application?

Full application testing

Do you have staff who work remotely?

If so, please describe the method by which they connect to your core network for example BeamYourScreen, Business Broadband etc., and how you prevent this method being used to provide unauthorised access to your network.

No direct external access is permitted to the application network

Servers

Question

Answer

Do you restrict physical access to your servers to key personnel?

Yes

How soon after an operating system patch is released do you apply it to your servers?

Planned maintenance follows a monthly schedule:

  • APAC – Last Saturday of the month from 11pm-1am AEST.

  • Europe – Last Monday of the month from 11pm-1am GMT.

Notification of planned maintenance is provided with 7 days’ notice and is advised via Status Page email notification and also in product on the dashboard.

For all critical/emergency patches, FastTrack will make every effort to provide as much notice as possible. Notification will be provided and is advised via Status Page/email notification and also in product on the dashboard.

Are operating system patches and upgrades under the control of change management?

Yes

Do you test all operating system patches and upgrades prior to live deployment?

Yes

If so, to what extent are the patches tested, just the impact on the operating system or full testing of the application?

Environment & Application testing

Do you run an anti-virus product on your servers?

Yes

What standards does the hosting facility meet?

Tier III Uptime Institute standards, ISO 27001

Disaster Recovery / Business Continuity

Question

Answer

How often are your servers backed up?

Database Servers:

  • Always On setup between multiple primary servers

  • Every 5 minutes transaction log backup.

  • Full back-up daily

All other Servers:

  • All other servers replicated in real time to standby servers.

  • Nightly backups are taken of all servers, then shipped off to a tertiary datacentre located in Melbourne

Are the backups full file system backups or a combination of full and incremental?

A combination of both full and incremental backups.

In the event of the loss of a file/database, how quickly can you restore from a backup?

The file restoration process will take up to 5 minutes from the beginning of the process.
Database restores vary depending on the level of “loss”. It could be between 5-30 minutes.

How often do you test restoration of files?

The backup restoration process is tested every 3 months.

In the event of a server failure, how quickly can you restore the service onto new hardware?

All servers have a redundant server within the active site. Should a server fail, all services will be taken up by the redundant server.

How often do you test server recovery?

No set schedule

Do you have a recovery procedure for the total loss of your data centre?

If there is a full failure at the primary site, the DR plan will be initiated: the secondary site will be enabled, and failover of all services will occur. For timeframes please see the DR plan section.

Application Design

Question

Answer

Has the application been built to an established design pattern (e.g. MVC, JavaBlueprints, etc.)?

Yes

Are revisions to the code controlled using version control software (e.g. PVCS, SVN, and Visual Source Safe)?

Yes

Do you use issue tracking software such as TFS?

Yes, we utilise Atlassian’s JIRA

If yes to both the above questions, are the two linked so that the fixing of issues can be tracked easily to specific versions of the code?

Yes

What is your testing strategy for the application, i.e. do you perform a full test of all the functionality on a new release or just test those areas where the code has been changed?

It depends on the nature of the change: for minor releases, all potentially affected areas are tested, but not the entire application. We also encourage the development of automated tests within the build process.

What design steps have you taken to ensure that your application is immune from attacks such as SQL Injections and Cross Site Scripting?

We follow OWASP principles and also use an external agency to verify the integrity of the system.

Has your application been tested to show it is immune to such attacks?

Yes

If so, did you perform the test, or did you make use of the services of a third-party testing company?

External specialist company

How often is your application tested for vulnerabilities?

At the end of each major release or every 6 months.

Do you have multiple customers on a single frontend and server, or do you have servers dedicated to each customer?

It’s a multi-tenanted infrastructure where each client is on a separate individual instance of the product for isolation and security.

What controls do you have in place to ensure that copies of the application code, either electronic or hardcopy, are not accessible to unauthorised staff?

Only authorised staff have access to the application code.

Do you have a single database for all customers?

No

Do you have a data retention policy?

At this time all data is retained

If so, how long do you keep data for?

The term of the LSA

Do you have automated procedures in place to cleanse data which has expired with regard to the data retention policy?

No

Where do you host your data?

Within multiple geographical locations in Australia with Amazon Web Services.

Do you ensure that all confidential data sent to customers is encrypted?

Yes

What standard of encryption do you use?

SSL

Classification-Public