Datapel Systems Security Policy
At Datapel, we adhere to top-tier data security and privacy protocols throughout all our operations. Our priority is safeguarding both your data and that of your users, allowing you to concentrate on optimising your supply chain workflows.
Security measures
This page outlines the technical and systematic security practices that Datapel employs. These measures may be updated or adjusted periodically as we enhance or expand our services.
Data Centre Security
Data Centres
Datapel’s service data is stored in highly secure data centres located in Australia, primarily utilising Amazon Web Services (AWS) for computing and storage.
Data Centre Compliance
All data centres comply with recognised industry standards and certifications. For more details on AWS compliance, refer to the official AWS compliance page.
Physical Security of Data Centres
To ensure physical security, data centres enforce strict access controls, limiting access to authorised personnel only. They employ 24/7 monitoring of activities and incidents, use CCTV surveillance of all entry points to server rooms, and deploy electronic intrusion detection systems.
Disaster Recovery
Data centres manage climate and temperature to prevent overheating. They are equipped with automatic fire detection and suppression systems, as well as water leak detection systems. In addition, electrical and mechanical equipment are monitored. All data centres are redundant and maintainable 24/7. When user data is copied electronically by Datapel outside the data centre, appropriate physical security is maintained, and the data is encrypted at all times.
Uptime of Service
The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.9% uptime and maintain at least N+1 redundancy for power, network and HVAC services.
Failover protection
Backup and replication strategies are designed to provide redundancy and failover protection during a significant processing failure. Datapel data is backed up to multiple durable data stores and replicated across multiple availability zones. Datapel uses commercially reasonable efforts to create frequent, encrypted backup copies of user data, which are stored in geographically separate locations.
Redundancy
All databases are backed up and maintained using, at a minimum, industry-standard methods.
HR Security
Confidentiality Agreement
Our employees and contractors are required to sign a non-disclosure agreement before starting work.
Security Awareness
All new employees receive security awareness training, and all employees repeat it annually.
Developer Training
We provide training for our product developers in accordance with best practices for secure programming.
Operational Security
Data in Transit
Datapel uses TLS 1.2 or higher (HTTPS, that is HTTP carried over TLS) for all connections to the website and application; older protocol versions are not used. Datapel's HTTPS implementation uses industry-standard algorithms and certificates.
Access to Personal Data
Personal data is protected by an appropriate level of security designed to prevent unauthorised access. Access to personal data is role-based and limited to personnel on a need-to-know basis. Personal data is encrypted in transit. All employees use a VPN to access company resources, and access to cloud resources is controlled with AWS IAM so that permissions can be assigned and audited per role.
Logging and Monitoring
All infrastructure and application activities are logged, and the most critical events are forwarded to AWS CloudWatch for monitoring. Access to audit trails and logs is restricted to authorised personnel according to their roles and responsibilities.
Patch management
Datapel has an established process for monitoring security vulnerabilities and for acquiring, testing and regularly deploying patches (software updates) or configuration changes to the affected applications and systems across company infrastructure.
Data at Rest
Stored data is protected by encryption at rest: the data centres use AES-256 for stored data. Information stored on company endpoints is likewise protected with strong encryption.
Access Control
Network access control mechanisms are designed to prevent network traffic using unauthorised protocols from reaching the Datapel service infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignments, and traditional firewall rules. All applications that process critical data use SSO and 2FA to authenticate users.
Password Policy
Datapel has implemented a uniform password policy for its internal services and associated tools. All passwords must meet defined minimum requirements and are never stored in plaintext. Staff who use these services must keep their passwords in a password manager.
Change Management
Datapel has established a change management approach, which reduces the likelihood of unauthorised or destructive changes in applications/systems. All changes are peer-reviewed, tested and logged for audit purposes before deployment into the production environment.
Privacy Protection
Interaction with Contractors
To protect data processed or stored by third-party suppliers, Datapel maintains contractual relationships with those suppliers and relies on contractual agreements, privacy policies and supplier compliance procedures.
Privacy Laws
When processing personal data, we apply reasonable and appropriate technical and organisational measures to comply with applicable privacy law, as described in this document. We have enacted the following internal and external policies: General Data Protection Policy, Privacy Policy, data breach procedures, and other documents as required by applicable legislation.
Personal Data Retention
A user's personal data is deleted once it is no longer necessary for the stated purposes. However, we may retain copies of such data to the extent permitted or required by law, for archival purposes, or where it is created by automatic backups and archived as part of normal computerised archiving systems, while maintaining the necessary technical and organisational measures.
Application Security
Secure Development Practices and Release Management
Datapel employs a Secure Software Development Lifecycle (SSDLC) to integrate security into the software development process. This involves design reviews, code analysis, and penetration testing as part of our development practices. We follow DevOps methodologies to deliver updates rapidly and efficiently.
Threat Protection and Penetration Testing
Our quality assurance team conducts ongoing security testing to protect against external threats. We perform regular code reviews and annual penetration tests to identify potential vulnerabilities.
Authentication and Two-Factor Security
Our product supports two-factor authentication (2FA), which users can enable to enhance account security.
Incident Management
System Logging
Datapel has designed its infrastructure to log system behaviour, traffic received, system authentication events and other application requests. Internal systems aggregate log data and alert the appropriate employees to malicious, unintended or anomalous activity. Datapel personnel, including the security team, are available to handle security incidents.
Incident Notification
If Datapel becomes aware of unlawful access to data stored within its services, we notify the affected users of the incident, describe the steps that are being taken to resolve the incident and provide status updates to the user, as necessary.
Incident Response
Datapel maintains a record of known security incidents that includes descriptions, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, and support personnel. Appropriate resolution steps are identified and documented. For any confirmed incidents, Datapel takes appropriate steps to minimise user damage and unauthorised disclosure and to prevent future incidents.
Security Management and Compliance
Security Policies and Procedures
We have developed policies that are communicated to all staff. We also have specific policies that are communicated to the personnel they affect. Policies cover the main areas of information security.
Risk Management
Datapel has defined and implemented a risk management program that sets out the strategy to identify, analyse, evaluate, treat and review information security risks.
Risk assessments are performed by certain teams at least annually or at any point when a major change takes place in the technological, organisational, business, or legal landscape.
The likelihood and impact of risk events are used to measure the risk level and its significance according to the risk criteria described in the Risk Assessment Methodology.