Footer - ecoPortal logo

Purpose

This document outlines how security is maintained, at a network/hardware, software and data
level. These technical security measures are complemented by our privacy policy which forms part
of this document.


About ecoPortal

ecoPortal is a cloud based, enterprise risk and sustainability management platform developed by
Triplics Ltd. and used by organisations internationally. Our platform allows organisations to create
content and upload data through their web browsers which is then stored on servers.

A diagrammatic overview of ecoPortal is presented in Figure 1 below.

Privacy image 2

Figure 1. ecoPortal is a cloud based solution built on industry leading cloud technology.

 

Contact

For any questions relating to this document or our Security and Privacy, please contact us at issues@ecoportal.co.nz

Policy Terms

 

1. Network/Hardware Security

1.1. All connections to ecoPortal are encrypted and carried out over 256-bit SSL, preventing man-in-the-middle attacks and information being intercepted by third parties. ecoPortal uses a reputable, world-class vendor for SSL certificates (Digicert), and opts for an extended validation mode certificate for optimum visibility and security.

1.2. Our platform is built on Amazon Web Services (AWS), a virtualized computing cloud which has built-in safeguards to ensure that information can never leak within the same data centre; optimised for high uptime and redundancy. ecoPortal and all client data is stored on AWS infrastructure. As part of this service, Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Amazon's data centre operations have been accredited under:

1.2.1. ISO 27001,
1.2.2. SOC 1, SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II),
1.2.3. PCI Level 1,
1.2.4. FISMA Moderate,
1.2.5. Sarbanes-Oxley (SOX)

1.3. Our network security as provided by AWS includes: utilisation of firewalls, private networks; distributed denial of service (DDoS) protection; spoofing and sniffing blocking; port scan blocking. You can read more about AWS security here: https://aws.amazon.com/security/

1.4. Amazon implements physical security controls which include but are not limited to perimeter controls such as: fencing, walls, security staff, video surveillance, intrusion detection systems and other electronic means. Triplics Ltd. offices have similar controls in place such as controlled access points and alarm systems. Triplics Ltd. staff also receive regular training in our security policies and procedures.

1.5. ecoPortal has advanced intrusion detection through Trend Micro Deep Security. In the unlikely event of an unauthorised agent gaining access to our servers, their activity is logged, and relevant parties are alerted to take immediate remedial action.

1.6. ecoPortal is set up to be highly available and split across multiple data centers with a copy in each. In the event of one data center being taken out, the other data center(s) should continue to function as usual.

1.7. AWS server facilities include numerous environmental safeguards including: fire detection and suppression systems; use of uninterrupted power supply systems (UPS); climate and temperature control; and staff that monitor the servers for electrical and mechanical issues, including performing preventative maintenance.


 

2. Software Security

2.1. ecoPortal is built using the Ruby on Rails framework which contains built-in safeguards against most common web attack vectors, including XSS and SQL injection. We maintain and patch ecoPortal continually to ensure that it remains up to date and secure from announced Common Vulnerabilities and Exposures (CVEs).

2.2. ecoPortal leverages reputable SaaS (Software as a Service) and PaaS (Platform as a Service) solutions. This ensures that all components of the system are secured, managed and maintained by domain experts. All application, data and storage layer services employed by ecoPortal run in the same datacenter and as such take advantage of Amazon's robust virtualized platform and its associated security safeguards.

2.3. It is Triplics Ltd.’s responsibility to upgrade and ensure the correct working of the overall ecoPortal system.

2.4. ecoPortal uses an automated dependency vulnerability scanning system and continually updates software dependencies to ensure that every component we use is as secure and updated as it can be.

2.5. All files uploaded by customers to ecoPortal and S3 undergo scanning to ensure no malicious code, viruses, trojans or malware are stored. The scan uses ClamAV, an open-source antivirus software package. All scans are limited to files under 500 mb in size. ecoPortal keeps an up to date virus definition database which is updated every 6 hours. Infected files will not be available for download.

2.6. Triplics Ltd. understands that attempted intrusions and tests by security experts play a valuable role in ensuring that security holes are identified and quickly closed. To this end, ecoPortal will offer a mirror of the software for testing purposes on request which does not contain any sensitive data. It is against our policy to allow any intrusion attempts or security testing on live.ecoportal.com where customer data resides.

2.7. Triplics Ltd. reserve the right to change and remove functionality at any time. Triplics Ltd. will inform the customers of changes that are relevant to the customer through emails to administrators and changelogs on ecoPortal’s website. Where necessary, further training will be provided to support the changes.

 

3. Data Security

3.1. Triplics Ltd. management are committed to ensuring the privacy and protection of customer data. This starts at the highest level of the company with directors who understand that security is an essential order qualifier for a SaaS business. In line with this Triplics Ltd. has invested substantial resources in policy, risk management and audit plans in alignment with ISO 27001 standards and policies.

3.2. ecoPortal has a continuous backup system in place for our core database and are able to recover data in the event of a disaster to the minute within a day. Backup snapshots are encrypted and we retain a minimum of 7 daily backups, 4 weekly backups and 3 monthly backups.

3.3. It is the customer’s responsibility to upload and maintain their data, invite and remove people from their system, set and remove permissions on their system, keep passwords safe and secure, and log out of sessions. Triplics Ltd. employees can aid in some of these processes if asked by the customer and also offer training in these activities. Triplics Ltd. also offers a pre agreed amount of support per month for each customer organisation. Beyond this Triplics Ltd. will not access or interfere with any customer data or instance.

3.4. ecoPortal includes a permission system that gives customer administrators the ability to add or remove users from their organisation, and consequently add or remove their access to the data. Further permissions can be set by customer administrators to limit the access and editing of content on individual pages in the case of internally sensitive content.

3.5. It is the customer’s sole responsibility to ensure that their users, and their content has the correct level of user permissions.

3.6. Content in ecoPortal can be made publicly accessible through the use of the ‘public reports’ option offered through the reporting functionality in ecoPortal. This is entirely optional and only users with correct permissions can make content public using this feature.

3.7. ecoPortal does not store passwords and cannot recover them. Passwords are irreversibly hashed with a unique salt per-password using the bcrypt algorithm with a high number of stretches to mitigate brute force attacks.

3.8. ecoPortal has built in brute force protection and rate limiting to prevent unauthorised access and abuse.

3.9. ecoPortal has automatic logout functionality which can be configured on a per organisation basis according to their internal security requirements. All logged in
sessions of the ecoPortal software should be attended at all times. Session security is solely the responsibility of the customer.

3.10. Uploaded files on ecoPortal are stored using Amazon's S3 (Simple Storage Service) and are encrypted at rest. All communications with S3 are encrypted over SSL. To illustrate this, if you were to upload a file to ecoPortal and then subsequently download it, the workflow would be as follows:

3.10.1. ecoPortal automatically provides you with an authentication code when you log in. This tells S3 to allow direct uploads to a specific location unique to your user.

3.10.2. Your browser encrypts and transmits the desired file to the S3 service, where it is decrypted upon receipt and immediately re-encrypted with a different key, then stored. The keys to this encryption are stored upon separate, Amazon owned and operated servers. This prevents physical theft of your files.

3.10.3. ecoPortal then indexes and moves the file into a secure area.

3.10.4. Your browser then requests to download the file via an action on ecoPortal itself which ensures that you have the correct level of permissions to access that file. If these checks pass, ecoPortal generates a one-time-only expiring URL for you to download the file and redirects you to this URL.

3.10.5. Your browser negotiates an encrypted connection with S3. S3 pulls the file, decrypting it on the fly from the at-rest encryption. The file is immediately re-encrypted and transmitted to your browser. Streaming file transfer ensures that the entire file is never fully decrypted at any given time until it is safely downloaded to your computer.


4. Incident Management 

4.1. If a client becomes aware of an incident, it is their responsibility to notify Triplics Ltd. Communication of security incidents, vulnerabilities or suspected security incidents should be made to Triplics Ltd at issues@ecoportal.co.nz

4.2. It is the client’s responsibility to act on and remediate all known security incidents within their organization which could compromise their security on the ecoPortal platform.

4.3. It is Triplics Ltd’s responsibility to act and remediate on all known security incidents with the ecoPortal Service.

4.4. Triplics Ltd. is responsible for categorisation and remediation of incidents. The nature and priority of an incident will internally decided and handled appropriately. For example, any form of data breach would be given high priority. The handling of incidents is as follows:

4.4.1. High priority incidents are triaged and sent to the appropriate team and resolved within 24 hours when possible,

4.4.2. Medium priority incidents are remedied within 3 days,

4.4.3. Low priority incidents are resolved within 14 days.

4.5. If Triplics Ltd. becomes aware of any unlawful access to any customer data stored on ecoPortal’s equipment or in ecoPortal’s facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of customer data (each a “security incident”), ecoPortal will promptly:

4.5.1. Notify the customer of the security Incident within 24 hours,

4.5.2. Investigate the security incident and provide affected Customers with detailed information about the security incident and what is being done to address them,

4.5.3. Take reasonable steps to mitigate the effects and to minimize any damage resulting from the security incident.

4.6. After the event of a security incident, Triplics Ltd. agrees upon request, to provide time stamped audit logs and forensic snapshots to help the customer perform their own internal investigation.

4.7. Triplics Ltd. will provide information to enable the customer to cooperate with requests from investigation by a regulatory body.

4.8. It is Triplics Ltd. responsibility to, when possible, provide restoration of data and services after an incident.

4.9. Triplics Ltd. maintains a specialist information technology indemnity insurance policy (iTech Information Technology Policy) that has been designed specifically for information and communication technology (ICT) service providers by Delta Insurance Ltd. The limit of this insurance is $2,000,000.

 

5. Privacy Policy

5.1. Customers own their data. Unless the customer explicitly marks their data as public, no ecoPortal users other than those specifically invited by the customer can access a customer’s data. Triplics Ltd. staff will not review, share or distribute any customer data except in cases explicitly outlined in the ‘Software License Agreement’, or as may be required by law. Software License Agreements (while customised) outline that customer data will be used only for the purposes of providing services, or preventing or addressing service or technical problems.

5.2. Triplics Ltd. can view usage statistics for the purpose of improving the usability and system design. All usage information is securely stored and only accessible by authorised Triplics Ltd. staff members.

5.3. Triplics Ltd. staff do not have access to customer passwords and will never ask for them. Customers are solely responsible for the security of their passwords, and should never share them for any reason.

5.4. Customers can opt out of all automated email communications from ecoPortal through changing their ecoPortal digest settings.

5.5. Triplics Ltd. has the right to change these policies and security settings at any time, which will come into effect when the changes are communicated to all clients by email, or posted online on the ecoPortal website.

5.6. It is the customer’s responsibility to maintain awareness and compliance with ecoPortal published security policies, and applicable regulatory requirements.

5.7. Triplics Ltd. will not disclose customer data outside of Triplics Ltd. or its contracted third party service providers except where directed by the customer, or required by law.

5.8. Triplics Ltd. will not disclose customer data to law enforcement agencies unless required by law. Should a law enforcement agency contact Triplics Ltd. with a demand for customer data, Triplics Ltd. will attempt to redirect the agency to request that data directly from the customer. If compelled to disclose customer data then Triplics Ltd. will promptly notify the customer and provide a copy of the demand unless legally prohibited from doing so.

5.9. Upon receipt of any other third party request for customer data (including the customer's own end users), Triplics Ltd. will promptly notify customer unless prohibited by law. If Triplics Ltd. is not required by law to disclose the customer data, Triplics Ltd. will reject the request. If the request is valid and Triplics Ltd. could be compelled to disclose the requested information, Triplics Ltd. will attempt to redirect the third party to request the customer data from the customer.

5.10. If a request for customer data is made directly with our third party hosting provider AWS, then the request will be processed based on AWS's policy which states:

"AWS err on the side of protecting customer privacy and is vigilant in determining which law enforcement requests we must comply with. AWS does not hesitate to challenge orders from law enforcement if we think the orders lack a solid basis."