Optimal security, privacy and performance
TechnologyOne’s customers benefit from the superior security we build at every level of our leading-edge enterprise Software as a Service (SaaS) solution.
We invest approximately 20% of our revenue each year into R&D, ensuring our procedures are world-class, effective and measurable. Our philosophy is to achieve security, privacy and performance from the earliest point in the development process.
Highest level certifications and accreditations
To maintain the highest level certifications and accreditations as outlined below, we integrate and maintain the latest in innovative security and privacy technologies. Regardless of the TechnologyOne solution or product/service you are using, as a TechnologyOne SaaS customer, you are protected by our multi-tiered security measures and accredited procedures.
ISAE 3402 SOC 1
AT 101 SOC 2
A specification for an information security management system (ISMS).
An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.
TechnologyOne acquired this in 2011 to create a global policy framework that enabled us to include security as part of the design process.
It demonstrates that we are following international best practice to mitigate threats.
A cloud computing code of practice for information security.
This code of practice provides recommendations to assist with the implementation of cloud-specific information security controls.
TechnologyOne acquired this in 2016 to align our processes and controls with cloud-specific providers.
It confirms for customers that we have adopted international best practice surrounding cloud-specific threats and risks.
A code of practice for protection of personal information in the cloud.
TechnologyOne acquired this in 2016 to demonstrate to customers that we protect their personally identifiable information.
Our alignment with this internationally recognised code of practice demonstrates our commitment to the privacy and protection of customer information.
It demonstrates to our customers that we have a system of controls in place that specifically address the privacy protection of their content.
An assurance standard, designed to demonstrate that adequate internal controls are in place from a financial perspective. It supersedes SAS70.
TechnologyOne acquired this standard in 2012 as one that auditors of customers could rely upon, and that allowed us to streamline our operations.
This report assists the financial auditors of our customers to determine the robustness of their financial data stored in the TechnologyOne SaaS solution.
An assurance standard, designed to prove that adequate internal IT controls exist. It relates to: security, availability, privacy, confidentiality and processing integrity.
TechnologyOne acquired this standard in 2017 to satisfy customer need for information and evidence on auto-scaling, security practices and the operational process for the TechnologyOne SaaS solution.
This standard demonstrates to customers that security practices are in place to: promote security and prevent unauthorised access, ensure system availability, enable processing integrity, protect confidentiality and protect privacy.
IRAP provides the framework to endorse individuals from the private and public sectors to provide cyber security assessment services to Australian governments.
TechnologyOne sought this as a response to feedback from our Australian federal government customers, who indicated that this is an important part of their risk assessment process when considering cloud services.
TechnologyOne has completed SOA, Stage 1 audit, Stage 2 audit and has been recommended for certification in 2017 following an independent audit, performed by an accredited IRAP auditor. The level of certification we have been recommended for is: Unclassified DLM up to and including Sensitive.
Certification is achieved after ASD has performed a review of compliance, compensating controls and threats at the time of assessment. ASD may also recommend the introduction of additional security controls.
ASD is the certification authority for inclusion on the Certified Cloud Services List. There is no established timeframe or process that defines the steps followed between being recommended for certification and receiving certification.
This demonstrates to customers that the TechnologyOne SaaS solution has been assessed for the implementation, appropriateness and effectiveness of our security controls.
* Full certification is pending. Please refer to full details above.
Exceptional user experience
The user experience for our customers is our priority; that’s why we adopt world-leading standards across our software. To protect our customers against security threats and data breaches, and to prevent unauthorised access to customer data, TechnologyOne maintains a formal and comprehensive security program.
Unique approach to isolated data storage
The TechnologyOne SaaS solution is unique in its approach to data management. We deliver multi-tenanted SaaS and isolate each customer’s data in a separate, dedicated database per customer. This isolation provides far superior security to a shared database that combines data from many customers into a single database. Multi-tenanted software provides economies of scale, enabling customers to share one version of software globally and gain immediate access to the latest enhancements as they become available, without having to compromise on data security. These controls are in addition to the rich, logical security model in the application itself, which is personalised for each customer during implementation, and updated by our customers as their business changes over time.
Encryption of data in transit
Users access TechnologyOne SaaS via the internet, protected by Transport Layer Security (TLS) 1.0 and above. This secures network traffic from passive eavesdropping, active tampering and the forgery of network messages.
TechnologyOne has implemented proactive security measures such as perimeter defence and network intrusion detection and prevention systems, together with anomaly detection algorithms that alert team members. We also utilise a number of confidential countermeasures designed to protect our customers, and protect our service in general.
Vulnerability assessments and penetration testing of the TechnologyOne SaaS solution are evaluated and conducted on a regular basis by both TechnologyOne team members and trusted external third-party vendors. These vulnerability assessments are in addition to the secure coding practices, static code analysis and security reviews undertaken with our enterprise software.
Backup and replication of data
In a Cloud first, Mobile first world, we have rethought the traditional approach to backups. TechnologyOne SaaS architecture is active/active by design, which means that all data is synchronously stored in multiple locations, across multiple data centres, automatically. This approach challenges most existing procedures that revolve around backups, tape archives and expensive customer-adopted processes.
A full backup is taken weekly and stored in multiple locations across four physically isolated data centres. Database backups and transaction logs are implemented so that a database may be recovered with the loss of as few committed transactions as is commercially practicable. To ensure that we can offer the lowest recovery point objective (RPO) in the industry, we perform snapshots every 15 minutes to minimise the potential for data loss in the event of failure. Backups of the database and transaction logs are encrypted for any database which contains customer data.
Single sign-on support
Security Assertion Markup Language (SAML) is supported by the TechnologyOne SaaS solution and enables an enterprise single sign-on (SSO) environment. SAML provides a seamless, single sign-on experience between the customer’s internet connection and TechnologyOne SaaS, which incorporates the existing identity framework already in use.
TechnologyOne software enforces role-based security for authorisation. Role-based security allows customers to grant or restrict user access to functionality, business processes, reports and data.
System-to-system integration is via public web service invocations or Reports as a Service (RaaS). All of these system invocations are controlled by TechnologyOne software-based authorisations and security.