Data security

Data protection practices

We have adopted the following principles for the collection, use, retention, transfer, disclosure and destruction of personal information, with which workers must comply:
  • We will process personal information lawfully, fairly and in a transparent manner;
  • We will collect personal information for specified, explicit and legitimate purposes only;
  • We will only process the personal information that is adequate, relevant and necessary for the relevant purposes;
  • We will keep personal information accurate, and take reasonable steps to ensure that inaccurate personal information is deleted or corrected without delay;
  • We will keep personal information for no longer than is necessary for the purposes for which the information is processed; and
  • We will take appropriate technical and organisational measures to ensure that personal information is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

Storage and protection of data

In order to comply with our obligations to maintain the security and integrity of the personal information and data we hold, our data is stored securely in an AWS cloud environment.

The general security features of our environment include:
  • Encryption for all data in transit as follows:
    • Client to API is HTTPS, terminated at AWS application load balancer;
    • API to Database traffic is internal to our VPC and encrypted; and
    • Client to our user authentication server (Auth0) is encrypted in transit.
  • Encryption for data at rest for the following:
    • Database data;
    • CloudTrail logs; and
    • VPC flow logs.
  • Data is encrypted using the 256-bit Advanced Encryption Standard (AES);
  • Encryption keys managed through AWS Key Management Service (KMS);
  • Encryption keys rotated based on AWS best practice;
  • VPC flow logs stored, encrypted and streamed to our central logging platform, Splunk;
  • CloudTrail logs stored encrypted in S3 and sent to our central logging platform, Splunk;
  • All WYWM application logs streamed to Splunk for debugging and analysis;
  • Alerts sent for any changes to cloud asset configuration;
  • Single sign-on enabled for all cloud admins, with two-factor authentication enabled;
  • JSON Web Token (JWT) authorisation used in WYWM API servers for access control;
  • SSH access disabled on all compute instances;
  • Regular third-party penetration testing of our systems;
  • Software updated based upon operational requirements but, at a minimum, on a fortnightly basis. This includes mitigating threats and vulnerabilities identified during periodic assessments and business-as-usual (BAU) operation;
  • Prior to approval of WYWM platform enhancements and programs, a security assessment is undertaken to identify and assess the relevant security implications. This assessment includes a risk assessment and mitigation process to ensure compliance is maintained and vulnerability is minimised;
  • Due diligence is also undertaken when assessing new IT service providers, to ensure their introduction will not cause vulnerabilities or reduce our overall data security capability; and
  • We also assess all IT service providers for their compliance with relevant legislation and regulations.