
Purpose

This document outlines how security is maintained at the network/hardware, software and data
levels. These technical security measures are complemented by our privacy policy, which forms part
of this document.


About ecoPortal

ecoPortal is a cloud-based enterprise risk and sustainability management platform developed by
Triplics Ltd. and used by organisations internationally. Our platform allows organisations to create
content and upload data through their web browsers, which is then stored on servers.

A diagrammatic overview of ecoPortal is presented in Figure 1 below.


Figure 1. ecoPortal is a cloud based solution built on industry leading cloud technology.

 

Contact

For any questions relating to this document or our Security and Privacy, please contact us at issues@ecoportal.co.nz

Policy Terms

 

1. Network/Hardware Security

1.1. All connections to ecoPortal are encrypted and carried out over 256-bit SSL, preventing man-in-the-middle attacks and interception of information by third parties. ecoPortal uses a reputable, world-class vendor for SSL certificates (Digicert), and opts for an Extended Validation (EV) certificate for optimum visibility and security.

1.2. Our platform is built on Amazon Web Services (AWS), a virtualized computing cloud with built-in safeguards to ensure that information can never leak between customers sharing the same data centre, and which is optimised for high uptime and redundancy. ecoPortal and all client data are stored on AWS infrastructure. As part of this service, Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Amazon's data centre operations have been accredited under:

1.2.1. ISO 27001,
1.2.2. SOC 1, SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II),
1.2.3. PCI Level 1,
1.2.4. FISMA Moderate,
1.2.5. Sarbanes-Oxley (SOX)

1.3. Our network security as provided by AWS includes: firewalls and private networks; distributed denial of service (DDoS) protection; spoofing and sniffing blocking; and port scan blocking. You can read more about AWS security here: https://aws.amazon.com/security/

1.4. Amazon implements physical security controls which include but are not limited to perimeter controls such as: fencing, walls, security staff, video surveillance, intrusion detection systems and other electronic means. Triplics Ltd. offices have similar controls in place such as controlled access points and alarm systems. Triplics Ltd. staff also receive regular training in our security policies and procedures.

1.5. ecoPortal has advanced intrusion detection through Trend Micro Deep Security. In the unlikely event of an unauthorised agent gaining access to our servers, their activity is logged, and relevant parties are alerted to take immediate remedial action.

1.6. ecoPortal is set up to be highly available and is split across multiple data centres, with a copy in each. In the event of one data centre becoming unavailable, the other data centre(s) should continue to function as usual.

1.7. AWS server facilities include numerous environmental safeguards, including: fire detection and suppression systems; uninterruptible power supply (UPS) systems; climate and temperature control; and staff who monitor the servers for electrical and mechanical issues, including performing preventative maintenance.


 

2. Software Security

2.1. ecoPortal is built using the Ruby on Rails framework which contains built-in safeguards against most common web attack vectors, including XSS and SQL injection. We maintain and patch ecoPortal continually to ensure that it remains up to date and secure from announced Common Vulnerabilities and Exposures (CVEs).

2.2. ecoPortal leverages reputable SaaS (Software as a Service) and PaaS (Platform as a Service) solutions. This ensures that all components of the system are secured, managed and maintained by domain experts. All application, data and storage layer services employed by ecoPortal run in the same datacenter and as such take advantage of Amazon's robust virtualized platform and its associated security safeguards.

2.3. It is Triplics Ltd.’s responsibility to upgrade and ensure the correct working of the overall ecoPortal system.

2.4. ecoPortal uses an automated dependency vulnerability scanning system and continually updates software dependencies to ensure that every component we use is as secure and updated as it can be.

2.5. All files uploaded by customers to ecoPortal and S3 undergo scanning to ensure no malicious code, viruses, trojans or malware are stored. The scan uses ClamAV, an open-source antivirus software package. All scans are limited to files under 500 MB in size. ecoPortal keeps an up-to-date virus definition database, which is updated every 6 hours. Infected files will not be available for download.

2.6. Triplics Ltd. understands that attempted intrusions and tests by security experts play a valuable role in ensuring that security holes are identified and quickly closed. To this end, ecoPortal will offer a mirror of the software for testing purposes on request which does not contain any sensitive data. It is against our policy to allow any intrusion attempts or security testing on live.ecoportal.com where customer data resides.

2.7. Triplics Ltd. reserves the right to change and remove functionality at any time. Triplics Ltd. will inform customers of changes that are relevant to them through emails to administrators and changelogs on ecoPortal’s website. Where necessary, further training will be provided to support the changes.

 

3. Data Security

3.1. Triplics Ltd. management are committed to ensuring the privacy and protection of customer data. This starts at the highest level of the company with directors who understand that security is an essential order qualifier for a SaaS business. In line with this Triplics Ltd. has invested substantial resources in policy, risk management and audit plans in alignment with ISO 27001 standards and policies.

3.2. ecoPortal has a continuous backup system in place for our core database and can recover data to the minute for any point within the past day in the event of a disaster. Backup snapshots are encrypted, and we retain a minimum of 7 daily backups, 4 weekly backups and 3 monthly backups.

3.3. It is the customer’s responsibility to upload and maintain their data, invite and remove people from their system, set and remove permissions on their system, keep passwords safe and secure, and log out of sessions. Triplics Ltd. employees can aid in some of these processes if asked by the customer and also offer training in these activities. Triplics Ltd. also offers a pre-agreed amount of support per month for each customer organisation. Beyond this, Triplics Ltd. will not access or interfere with any customer data or instance.

3.4. ecoPortal includes a permission system that gives customer administrators the ability to add or remove users from their organisation, and consequently add or remove their access to the data. Further permissions can be set by customer administrators to limit the access and editing of content on individual pages in the case of internally sensitive content.

3.5. It is the customer’s sole responsibility to ensure that their users and their content have the correct level of user permissions.

3.6. Content in ecoPortal can be made publicly accessible through the use of the ‘public reports’ option offered through the reporting functionality in ecoPortal. This is entirely optional and only users with correct permissions can make content public using this feature.

3.7. ecoPortal does not store passwords and cannot recover them. Passwords are irreversibly hashed with a unique per-password salt using the bcrypt algorithm with a high number of stretches to mitigate brute force attacks.
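The structure described in 3.7 (a fresh random salt for every password, a tunable work factor, and no reversible storage) is shown below as an added example. This is illustrative code written for this page, not ecoPortal’s own code. The page names bcrypt; because bcrypt ships as a separate Ruby gem, this stand-in uses PBKDF2-HMAC-SHA256 from Ruby’s bundled OpenSSL library to demonstrate the same pattern. The module name, the stored-record format and the iteration count are assumptions chosen for the example.

```ruby
# Added illustration (not ecoPortal's code) of the password storage described in 3.7:
# a unique random salt per password, a tunable work factor ("stretches"), and a
# constant-time check on login. The page names bcrypt; bcrypt ships as a separate gem,
# so this stand-in uses PBKDF2-HMAC-SHA256 from Ruby's bundled OpenSSL to show the
# same structure. Records are self-describing so the work factor can be raised later.
require 'openssl'
require 'securerandom'

module PasswordStore
  ALGORITHM  = 'pbkdf2-sha256'
  ITERATIONS = 200_000   # current work factor; raise it as hardware gets faster
  SALT_BYTES = 16
  KEY_BYTES  = 32

  # Returns "algorithm$iterations$salt_hex$hash_hex"; nothing reversible is kept.
  def self.hash_password(password, iterations: ITERATIONS)
    salt   = SecureRandom.random_bytes(SALT_BYTES)   # fresh salt for every password
    digest = derive(password, salt, iterations)
    [ALGORITHM, iterations, salt.unpack1('H*'), digest.unpack1('H*')].join('$')
  end

  # Re-derives with the stored salt and iteration count, then compares in constant
  # time so a wrong guess takes as long as a right one. Malformed records never verify.
  def self.verify(password, stored)
    algorithm, iterations, salt_hex, digest_hex = stored.to_s.split('$', 4)
    return false unless algorithm == ALGORITHM && salt_hex && digest_hex
    salt     = [salt_hex].pack('H*')
    expected = [digest_hex].pack('H*')
    actual   = derive(password, salt, Integer(iterations))
    OpenSSL.fixed_length_secure_compare(expected, actual)
  rescue ArgumentError, TypeError
    false
  end

  # True when a record was created with fewer iterations than current policy,
  # i.e. it should be re-hashed on the user's next successful login.
  def self.needs_rehash?(stored)
    Integer(stored.split('$', 4)[1]) < ITERATIONS
  end

  def self.derive(password, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                             length: KEY_BYTES, hash: 'sha256')
  end
  private_class_method :derive
end

if $PROGRAM_NAME == __FILE__
  record = PasswordStore.hash_password('correct horse battery staple')
  puts record
  puts PasswordStore.verify('correct horse battery staple', record)  # true
  puts PasswordStore.verify('Correct horse battery staple', record)  # false
end
```

Storing the iteration count alongside each hash is what makes "a high number of stretches" a policy that can be tightened over time: `needs_rehash?` flags old records so they can be re-hashed at the next successful login without forcing a password reset.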

3.8. ecoPortal has built in brute force protection and rate limiting to prevent unauthorised access and abuse.

3.9. ecoPortal has automatic logout functionality which can be configured on a per-organisation basis according to their internal security requirements. All logged-in sessions of the ecoPortal software should be attended at all times. Session security is solely the responsibility of the customer.

3.10. Uploaded files on ecoPortal are stored using Amazon's S3 (Simple Storage Service) and are encrypted at rest. All communications with S3 are encrypted over SSL. To illustrate this, if you were to upload a file to ecoPortal and then subsequently download it, the workflow would be as follows:

3.10.1. ecoPortal automatically provides you with an authentication code when you log in. This tells S3 to allow direct uploads to a specific location unique to your user.

3.10.2. Your browser encrypts and transmits the desired file to the S3 service, where it is decrypted upon receipt and immediately re-encrypted with a different key, then stored. The keys for this encryption are stored on separate, Amazon-owned and operated servers, so physical theft of the storage hardware alone would not expose your files.

3.10.3. ecoPortal then indexes and moves the file into a secure area.

3.10.4. Your browser then requests to download the file via an action on ecoPortal itself which ensures that you have the correct level of permissions to access that file. If these checks pass, ecoPortal generates a one-time-only expiring URL for you to download the file and redirects you to this URL.

3.10.5. Your browser negotiates an encrypted connection with S3. S3 pulls the file, decrypting it on the fly from the at-rest encryption. The file is immediately re-encrypted and transmitted to your browser. Streaming file transfer ensures that the entire file is never fully decrypted at any given time until it is safely downloaded to your computer.
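The download half of this workflow (3.10.4 and 3.10.5) is the security-relevant part: the permission check happens in the application before any URL exists, and the URL that is then issued is short-lived and single-use, so the storage layer can serve it without consulting the application again. The code below is an added example written for this page, not ecoPortal’s or AWS’s code. A real deployment would use S3 presigned URLs (AWS Signature Version 4); this stand-in signs with plain HMAC-SHA256 so it runs offline. The class name, the sample ACL, the host name and the 60-second lifetime are all assumptions chosen for the example.

```ruby
# Added illustration (not ecoPortal's or AWS's code) of the download half of the
# workflow in 3.10.4 and 3.10.5: the application checks the user's permission first,
# then mints a short-lived, single-use URL that the storage layer verifies on its own.
# A real deployment would use S3 presigned URLs (AWS Signature Version 4); this
# stand-in signs with plain HMAC-SHA256 so it runs offline. All names and the ACL
# below are constructed for the example.
require 'openssl'
require 'securerandom'
require 'uri'

class DownloadGateway
  TTL_SECONDS = 60   # how long a minted URL stays valid

  # acl maps object keys to the users allowed to read them (constructed sample data).
  # clock is injectable so expiry can be tested without sleeping.
  def initialize(signing_key, acl, clock: -> { Time.now.to_i })
    @key   = signing_key
    @acl   = acl
    @clock = clock
    @used  = {}   # nonces already redeemed: a URL works exactly once
  end

  # Step 3.10.4 (application side): authorisation happens here, before any URL exists.
  # Returns nil when the user may not read the object.
  def signed_url_for(user, object_key, base: 'https://files.example.test')
    return nil unless @acl.fetch(object_key, []).include?(user)
    expires = @clock.call + TTL_SECONDS
    nonce   = SecureRandom.hex(16)
    sig     = sign(object_key, expires, nonce)
    "#{base}/#{object_key}?expires=#{expires}&nonce=#{nonce}&sig=#{sig}"
  end

  # Step 3.10.5 (storage side): serve only if the signature matches the exact object,
  # the URL has not expired, and the nonce has not been redeemed before.
  def redeem(url)
    uri        = URI.parse(url)
    params     = URI.decode_www_form(uri.query.to_s).to_h
    object_key = uri.path.delete_prefix('/')
    expires    = Integer(params['expires'], exception: false)
    nonce, sig = params.values_at('nonce', 'sig')
    return :malformed     if expires.nil? || nonce.nil? || sig.nil?
    return :bad_signature unless OpenSSL.secure_compare(sign(object_key, expires, nonce), sig)
    return :expired       if @clock.call > expires
    return :already_used  if @used.key?(nonce)
    @used[nonce] = true
    :ok
  end

  private

  # The signature binds object, expiry and nonce together, so none of them can be
  # altered without invalidating the URL.
  def sign(object_key, expires, nonce)
    OpenSSL::HMAC.hexdigest('SHA256', @key, "#{object_key}\n#{expires}\n#{nonce}")
  end
end

if $PROGRAM_NAME == __FILE__
  gateway = DownloadGateway.new('example-signing-key', { 'uploads/u1/report.pdf' => %w[alice] })
  url = gateway.signed_url_for('alice', 'uploads/u1/report.pdf')
  puts url
  puts gateway.redeem(url)   # :ok
  puts gateway.redeem(url)   # :already_used
end
```

Two properties of this pattern matter for defenders: the permission decision is made once, by the application, and is carried to the storage layer inside the signature rather than re-derived there; and because the object key is part of the signed string, a URL issued for one file cannot be edited to fetch another.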


4. Incident Management 

4.1. If a client becomes aware of an incident, it is their responsibility to notify Triplics Ltd. Communication of security incidents, vulnerabilities or suspected security incidents should be made to Triplics Ltd. at issues@ecoportal.co.nz.

4.2. It is the client’s responsibility to act on and remediate all known security incidents within their organization which could compromise their security on the ecoPortal platform.

4.3. It is Triplics Ltd.’s responsibility to act on and remediate all known security incidents within the ecoPortal Service.

4.4. Triplics Ltd. is responsible for the categorisation and remediation of incidents. The nature and priority of an incident will be decided internally and handled appropriately. For example, any form of data breach would be given high priority. The handling of incidents is as follows:

4.4.1. High priority incidents are triaged and sent to the appropriate team and resolved within 24 hours when possible,

4.4.2. Medium priority incidents are remedied within 3 days,

4.4.3. Low priority incidents are resolved within 14 days.

4.5. If Triplics Ltd. becomes aware of any unlawful access to any customer data stored on ecoPortal’s equipment or in ecoPortal’s facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of customer data (each a “security incident”), ecoPortal will promptly:

4.5.1. Notify the customer of the security incident within 24 hours,

4.5.2. Investigate the security incident and provide affected customers with detailed information about the security incident and what is being done to address it,

4.5.3. Take reasonable steps to mitigate the effects and to minimize any damage resulting from the security incident.

4.6. Following a security incident, Triplics Ltd. agrees, upon request, to provide time-stamped audit logs and forensic snapshots to help the customer perform their own internal investigation.

4.7. Triplics Ltd. will provide information to enable the customer to cooperate with requests arising from an investigation by a regulatory body.

4.8. It is Triplics Ltd.’s responsibility to provide, where possible, restoration of data and services after an incident.

4.9. Triplics Ltd. maintains a specialist information technology indemnity insurance policy (iTech Information Technology Policy) that has been designed specifically for information and communication technology (ICT) service providers by Delta Insurance Ltd. The limit of this insurance is $2,000,000.

 

5. Privacy Policy

5.1. Customers own their data. Unless the customer explicitly marks their data as public, no ecoPortal users other than those specifically invited by the customer can access a customer’s data. Triplics Ltd. staff will not review, share or distribute any customer data except in cases explicitly outlined in the ‘Software License Agreement’, or as may be required by law. Software License Agreements (while customised) outline that customer data will be used only for the purposes of providing services, or preventing or addressing service or technical problems.

5.2. Triplics Ltd. can view usage statistics for the purpose of improving the usability and system design. All usage information is securely stored and only accessible by authorised Triplics Ltd. staff members.

5.3. Triplics Ltd. staff do not have access to customer passwords and will never ask for them. Customers are solely responsible for the security of their passwords, and should never share them for any reason.

5.4. Customers can opt out of all automated email communications from ecoPortal through changing their ecoPortal digest settings.

5.5. Triplics Ltd. has the right to change these policies and security settings at any time, which will come into effect when the changes are communicated to all clients by email, or posted online on the ecoPortal website.

5.6. It is the customer’s responsibility to maintain awareness and compliance with ecoPortal published security policies, and applicable regulatory requirements.

5.7. Triplics Ltd. will not disclose customer data outside of Triplics Ltd. or its contracted third party service providers except where directed by the customer, or required by law.

5.8. Triplics Ltd. will not disclose customer data to law enforcement agencies unless required by law. Should a law enforcement agency contact Triplics Ltd. with a demand for customer data, Triplics Ltd. will attempt to redirect the agency to request that data directly from the customer. If compelled to disclose customer data then Triplics Ltd. will promptly notify the customer and provide a copy of the demand unless legally prohibited from doing so.

5.9. Upon receipt of any other third party request for customer data (including from the customer's own end users), Triplics Ltd. will promptly notify the customer unless prohibited by law. If Triplics Ltd. is not required by law to disclose the customer data, Triplics Ltd. will reject the request. If the request is valid and Triplics Ltd. could be compelled to disclose the requested information, Triplics Ltd. will attempt to redirect the third party to request the customer data from the customer.

5.10. If a request for customer data is made directly with our third party hosting provider AWS, then the request will be processed based on AWS's policy which states:

"AWS err on the side of protecting customer privacy and is vigilant in determining which law enforcement requests we must comply with. AWS does not hesitate to challenge orders from law enforcement if we think the orders lack a solid basis."

 

Visitor Management Privacy Policy

 

We understand that protecting your personal information is important. This Privacy Policy sets out our commitment to protecting the privacy of personal information provided to us, or otherwise collected by us when providing our platform and software (together, Services) to you. In this Privacy Policy we, us or our means Triplics Limited NZBN 9429031345217. 

Personal information

Personal information is information or an opinion, whether true or not and whether recorded in a material form or not, about an individual who is identified or reasonably identifiable.

The personal information we collect

The types of personal information we may collect about you are set out below.

When you use our visitor management software, as a visitor or contractor attending our clients’ sites:

  • your first and last name;
  • your email address;
  • if applicable, the name of your company;
  • the name of the person from our client’s site who you are visiting; 
  • your check-in and check-out times at the client’s site; and
  • any other information that our client seeks to request from you when you use our visitor management software.

As an employee or representative of a business using the ecoPortal platform:

  • your first and last name;
  • your contact details, including email address, mailing address, street address and/or telephone number; and
  • your role at your business.

When you otherwise use the Services:

  • your preferences and/or opinions;
  • information you provide to us through customer surveys;
  • details of products and services we have provided to you and/or that you have enquired about, and our response to you; and
  • any other personal information requested by us and/or provided by you or a third party.

When you otherwise use our website or software:

  • your browser session and geo-location data, device and network information, statistics on page views and sessions, acquisition sources, search queries and/or browsing behaviour;
  • information about your access and use of our Services, including through the use of Internet cookies, your communications with our online Services, the type of browser you are using, the type of operating system you are using and the domain name of your Internet service provider;
  • additional personal information that you provide to us, directly or indirectly, through your use of our Services, associated applications, and/or accounts from which you permit us to collect information.

 

How we collect personal information

We collect personal information in a variety of ways, including:

  • Directly: We collect personal information which you directly provide to us, including when you check in to a site, when you register for an account, through the ‘contact us’ form on our website, or when you request our assistance via email or over the telephone.
  • Indirectly: We may collect personal information which you indirectly provide to us while interacting with us, such as when you use our website, in emails, over the telephone and in your online enquiries.
  • From third parties: We collect personal information from third parties, such as details of your use of our website from our analytics and cookie providers and marketing providers. See the “Cookies” section below for more detail on the use of cookies.

 

Collection and use of personal information

We may collect, hold, use and disclose personal information for the following purposes:

  • to allow you to check in to our clients’ sites;
  • to provide you with a login;
  • to provide our customers with tools to perform analytics and create dashboards and charts displaying information about their end users and site visitors;
  • to allow our customers to contact site visitors during or after their site visit, including in case of emergency;
  • to allow our customers to customise their portals and request additional information from you; 
  • where you visit a site and have an existing ecoPortal account, to link details you provide when visiting a site to your ecoPortal account;
  • to otherwise provide our Services to you;
  • to enable you to access and use our associated applications;
  • to contact and communicate with you about our Services;
  • for internal record keeping, administrative, invoicing and billing purposes;
  • for analytics, market research and business development, including to operate and improve our Services and associated applications;
  • for advertising and marketing, including to send you promotional information about our products and services and information that we consider may be of interest to you, noting we will comply with all laws that are relevant to marketing (including the Unsolicited Electronic Messages Act 2007 and Fair Trading Act 1986);
  • to comply with our legal obligations and resolve any disputes that we may have; 
  • if you have applied for employment with us, to consider your employment application; and
  • if otherwise required or authorised by law.

 

Disclosure of personal information to third parties

We may disclose personal information to:

  • third party service providers for the purpose of enabling them to provide their services to us, including (without limitation) IT service providers, data storage, web-hosting and server providers, debt collectors, couriers, maintenance or problem-solving providers, marketing or advertising providers, professional advisors and payment systems operators;
  • our employees, contractors and/or related entities;
  • our existing or potential agents or business partners;
  • anyone to whom our business or assets (or any part of them) are, or may (in good faith) be, transferred;
  • courts, tribunals and regulatory authorities, in the event you fail to pay for goods or services we have provided to you;
  • courts, tribunals, regulatory authorities and law enforcement officers, as required or authorised by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights; 
  • third parties to collect and process data, such as Google Analytics (To find out how Google uses data when you use third party websites or applications, please see www.google.com/policies/privacy/partners/ or any other URL Google may use from time to time), Facebook Pixel or other relevant analytics businesses; and
  • any other third parties as required or permitted by law, such as where we receive a subpoena.

Overseas disclosure: Where we disclose your personal information to third parties listed above, these third parties may store, transfer or access personal information outside of New Zealand, for example, Australia. Such overseas countries may not have an equivalent level of data protection laws as those in New Zealand. Before disclosing any personal information to an overseas recipient, we will comply with Information Privacy Principle 12 and only disclose the information if: 

  • you have authorised the disclosure after we expressly informed you that the overseas recipient may not be required to protect the personal information in a way that, overall, provides comparable safeguards to those in the Privacy Act; 
  • we believe the overseas recipient is subject to the Privacy Act; 
  • we believe that the overseas recipient is subject to privacy laws that, overall, provide comparable safeguards to those in the Privacy Act; 
  • we believe that the overseas recipient is a participant in a prescribed binding scheme; 
  • we believe that the overseas recipient is subject to privacy laws in a prescribed country; or 
  • we otherwise believe that the overseas recipient is required to protect your personal information in a way that, overall, provides comparable safeguards to those in the Privacy Act (for example pursuant to a data transfer agreement entered into between us and the overseas recipient).

 

Your rights and controlling your personal information

Your choice: Please read this Privacy Policy carefully. If you provide personal information to us, you understand we will collect, hold, use and disclose your personal information in accordance with this Privacy Policy. You do not have to provide personal information to us, however, if you do not, it may affect our ability to provide our Services to you and your use of our Services.

Information from third parties: If we receive personal information about you from a third party, we will protect it as set out in this Privacy Policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person’s consent to provide the personal information to us. 

Anonymity: Where practicable we will give you the option of not identifying yourself or using a pseudonym in your dealings with us. For instance, it is possible for you to not identify yourself when making a general enquiry about our Services, but to allow you to check in to a site, or to set up an account for you, it will not be practicable to allow you to not identify yourself.

Restrict and unsubscribe: To object to processing for direct marketing/unsubscribe from our email database or opt-out of communications (including marketing communications), please contact us using the details below or opt-out using the opt-out facilities provided in the communication.

Access: You may request access to the personal information that we hold about you. An administrative fee may be payable for the provision of such information. Please note, in some situations, we may be legally permitted to withhold access to your personal information.

Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us using the details below. We will take reasonable steps to promptly correct any information found to be inaccurate, out of date, incomplete, irrelevant or misleading. Please note, in some situations, we may be legally permitted to not correct your personal information.

Complaints: If you wish to make a complaint, please contact us using the details below and provide us with full details of the complaint. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take in response to your complaint. You also have the right to contact the Office of the New Zealand Privacy Commissioner.

 

Storage and security

We are committed to ensuring that the personal information we collect is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures, to safeguard and secure personal information and protect it from misuse, interference, loss and unauthorised access, modification and disclosure.

While we are committed to security, we cannot guarantee the security of any information that is transmitted to or by us over the Internet. The transmission and exchange of information is carried out at your own risk. 

 

Cookies

We may use cookies on our online Services from time to time. Cookies are text files placed in your computer's browser to store your preferences. Cookies, by themselves, do not tell us your email address or other personally identifiable information. If and when you choose to provide our online Services with personal information, this information may be linked to the data stored in the cookie.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our online Services.

 

Links to other websites

Our Services may contain links to other websites. We do not have any control over those websites and we are not responsible for the protection and privacy of any personal information which you provide whilst visiting those websites. Those websites are not governed by this Privacy Policy.

 

Amendments

We may, at any time and at our discretion, vary this Privacy Policy by publishing the amended Privacy Policy on our website. We recommend you check our website regularly to ensure you are aware of our current Privacy Policy.

 

For any questions or notices, please contact our Privacy Officer at:

Triplics Limited NZBN 9429031345217

Address: 221 Symonds Street, Auckland, Auckland 1010, New Zealand

Phone : +64 9 630 6951

Email : manuel@ecoportal.com

Last update: 13 August 2021