Security Policy
LAST UPDATED: 24 May 2018
This Security Policy applies to the products, services, websites and apps offered by PracticeFive P/L and their affiliates (collectively “PracticeFive”), which are branded as “PracticeFive”, SurveyMaster and SurveyMaster360 except where otherwise noted. We refer to those products, services, websites and apps collectively as the “services” in this Policy. This Security Policy also forms part of the user agreements for PracticeFive and SurveyMaster360 customers.
PracticeFive values the trust that our customers place in us by letting us act as custodians of their data. We take our responsibility to protect and secure your information seriously and strive for complete transparency around the security practices detailed below. Our Privacy Policy further details the ways we handle your data.
Physical Security
PracticeFive’s information systems and technical infrastructure are hosted in Amazon’s accredited EC2 data centres. Physical security controls at those data centres include 24×7 monitoring, cameras, visitor logs, and entry requirements.
Compliance
PracticeFive sites are compliant with the Payment Card Industry Data Security Standard (PCI DSS) version 3.2 and can therefore accept and process credit card information in accordance with that standard. PracticeFive re-certifies this compliance annually.
Access Control
Access to PracticeFive’s technology resources is only permitted through secure connectivity (e.g., VPN, SSH) and requires multi-factor authentication. Our production password policy enforces complexity requirements and account lockout, and disallows password reuse. PracticeFive grants access on a need-to-know basis following least-privilege principles, reviews permissions quarterly, and revokes access immediately upon employee termination.
Security Policies
PracticeFive maintains its information security policies and reviews and updates them at least annually. Employees must acknowledge these policies annually and undergo additional training.
Personnel
PracticeFive conducts background screening at the time of hire (to the extent permitted by applicable law in each country). PracticeFive also communicates its information security policies to all personnel, who must acknowledge them, requires new employees to sign non-disclosure agreements, and provides ongoing privacy and security training.
Dedicated Security Personnel
PracticeFive maintains a dedicated Trust & Security organisation that focuses on application, network, and system security. This team is also responsible for security compliance, education, and incident response.
Vulnerability Management and Penetration Tests
PracticeFive maintains a documented vulnerability management program that includes periodic scanning for, identification of, and remediation of security vulnerabilities on servers, workstations, network equipment, and applications. All networks, including test and production environments, are regularly scanned using trusted third-party vendors. Critical patches are applied to servers on a priority basis; all other patches are applied as appropriate.
We also conduct regular internal and external penetration tests and remediate findings according to their severity.
Encryption
We encrypt your data in transit using TLS. PracticeFive data is also encrypted at rest.
Development
Our development team employs secure coding techniques and best practices, with a focus on the OWASP Top Ten. Developers are formally trained in secure web application development practices upon hire and annually thereafter.
Development, testing, and production environments are separated. All changes are peer-reviewed before deployment to the production environment and are logged for performance, audit, and forensic purposes.
Information Security Incident Management
PracticeFive maintains security incident response policies and procedures covering the initial response, investigation, customer notification (no less than as required by applicable law), public communication, and remediation. These policies are regularly reviewed and tested bi-annually.
Breach Notification
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if PracticeFive learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under applicable country level, state and federal laws and regulations, as well as any industry rules or standards applicable to us. We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers with all information necessary for them to meet their regulatory reporting obligations.
Information Security Aspects of Business Continuity Management
PracticeFive’s databases are backed up on a rotating schedule of full and incremental backups and are verified regularly. Backups are encrypted to preserve their confidentiality and integrity, are stored within the production environment, and are tested regularly to ensure they can be restored.
Your Responsibilities
Keeping your data secure also requires that you maintain the security of your account by using strong passwords and storing them safely. You should also ensure that your own systems are adequately secured. We offer TLS to secure the transmission of survey responses, but you are responsible for ensuring that your surveys are configured to use that feature where appropriate.
Logging and Monitoring
Application and infrastructure systems send log data to a centrally managed log repository for troubleshooting, security review, and analysis by authorised PracticeFive personnel. Logs are retained in accordance with regulatory requirements. We will provide customers with reasonable assistance and access to relevant logs in the event of a security incident affecting their account.