Suite 203, 276 Pitt St, Sydney, NSW, 2000, Australia

Security Policy

Overview

Zapdat is hosted through a secure world class data centre (Amazon Web Services) across multiple zones which are located locally in Australia. Our data centre partner provides power, network, security and backup services.

  • Secure transmission protocols for transfer of file data and metadata are encrypted. (https)
  • Organisations have unique and private access URL’s for clients
  • Client access can only be obtained through valid login details on a corresponding valid URL
  • Login access for all users is self-managed ensuring privacy of login details
  • Zapdat support staff have no access to organisation portals
  • Data and files cannot be publicly accessed nor are publicly searchable via standard web protocols
Data Storage

Data (such as user uploads, application static files) are stored securely and encrypted at rest. Data is hosted on fault tolerant servers replicated across multiple data centres to achieve the highest level of physical protection to data whilst also designed exceed an uptime of 99.985%. Link access to any files generated by Zapdat expire after a period of time.

Organisation Data is partitioned within Amazon s3 and within partitioned schemas of the Postgres database protecting data from hardware failure, equipment theft and natural disaster. Data backups occur on regular short intervals.

Network Security

All communication with the platform via the web application is done over HTTPS, which encrypts all communications. Network security aims to protect data and privacy from compromising via any unauthorised electronic intrusion. All data and files hosted by Zapdat are encrypted with a sophisticated state-of-the-art algorithm. This ensures the data is only accessible by the intended users who have gained access via authorised access.

The application is deployed into its own VPC (virtual private cloud). This VPC contains firewalled private subnets, so that internal services (such as database and application servers) are not directly accessible from the internet. Security Groups and Access Control Lists are in place to port exposure and to expose each port to the right services. There is no FTP access to Zapdat hosts, no directory browsing without security protocols and no user or guest access to the servers operating system.

Zapdat utilises mail servers that implement end-to-end email with S/MIME and encrypt all data in transit through TLS.

Password Management

Users are responsible for maintaining their own logins and passwords. Organisations do not get involved in maintaining their client’s logins and Zapdat does not get involved in maintaining organisation or client logins. This saves administrative time and secures the privacy of the login for both the organisation and their clients. Reset password functions require users to access associated email addresses and to click on a verification link to proceed with the password reset process.

Passwords are stored and encrypted using complex hashing algorithms. This means that if an attacker were to access the password list, they would not be able to translate the data into usable passwords.

People and access

Within Zapdat, only authorised Zapdat engineers have access to application data. Authentication is done via revocable authentication tokens generated when a user logs in with the correct username and password. Zapdat is designed to allow application data to be accessible only with appropriate credentials, such that one user cannot access another users’ data without explicit knowledge of that other users’ login information. Customers are responsible for maintaining the security of their own login information.

Zapdat support staff do not have login access to organisation portals and are not able to view any user files. Each organisation portal has its own private unique URL and user files are only accessible by users with valid logins to a valid URL.