Altus PPM
Altus PPM is the core Altus solution installed into your own Power Platform environment, where data is stored and processed.
Security

Altus PPM is deployed as a Power App into the Customer's Microsoft Power Platform Dataverse environment. All data storage, transmission, and processing occurs within the Customer's own M365 service boundary, governed by the security policies of the Customer's Microsoft Entra ID.
Altus Pty. Ltd. supplies software updates and static assets from locations outside the customer's tenancy, but all processing, storage, and transmission of customer data occurs within the geographic region selected by the Customer, on infrastructure provided by Microsoft. This deployment model allows Altus PPM to be used by organizations with conservative risk postures for which a traditional multi-tenant SaaS service would not be acceptable.
Security Testing and Auditing
Penetration testing is a standard item on security questionnaires. For Altus PPM, however, the authentication and authorization perimeter is the Entra ID service itself, and access to customer data is controlled by the Customer through Power Platform and Dataverse role-based access controls. Penetration testing of the underlying Microsoft services, beyond the comprehensive testing Microsoft already performs, is unlikely to provide additional risk assurance. What remains for the Customer to assess is its own configuration of those controls: which users, groups, and security roles have been granted access to the Altus PPM environment and its Dataverse tables.
Altus takes compliance assurance seriously, and the product has been architected with a focus on trust and security. ISO 27001 certification and SOC 2 Type II auditing are established mechanisms for organizations to demonstrate robust security and risk controls. The Microsoft platform on which Altus PPM runs already holds these certifications, and Altus itself is progressing through an independent certification process; see the Altus Trust Portal for up-to-date information.
It is important to note that Altus does not operate any equipment that transmits, processes, or stores customer data. Traditional certification and auditing of Altus as an organization therefore contributes little to assessing the risk of the Altus product itself. We recognize that some customers have regulatory requirements in this regard, which is why we are progressing through the certification process. We invite you to review the Altus Trust Portal and the platform certifications published at the Microsoft Security & Trust Center, which document the security controls of the environment in which the Altus product operates.
Infrastructure Security
Datacentres used by Altus PPM are the same as those used by the customer's M365 tenancy, managed and operated by Microsoft within the customer's selected geography. These datacentres are assessed against key industry standards such as ISO/IEC 27001:2013, NIST SP 800-53 (security and privacy controls) and NIST SP 800-88 (media sanitization). Operating within the M365 tenancy gives Altus PPM the same high-availability characteristics as native M365 services.
Multi-tenancy separation is provided by each customer running its own instance of Altus PPM within its own tenancy and Power Platform environment boundary. Where a single tenancy needs several Altus PPM instances (for example, separate business units, or a test and a production instance), each instance is placed in its own Power Platform environment, which has its own Dataverse database and its own environment-level role assignments.
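As an added illustration (not Altus's own code or deployment script), the following PowerShell creates a dedicated environment for one Altus PPM instance and limits who can reach it. It assumes the Microsoft.PowerApps.Administration.PowerShell module and Power Platform administrator rights; cmdlet and parameter names are as documented for that module at the time of writing and should be checked against the current module, and the GUIDs, display name, and region are placeholders.

```powershell
# Added example (not Altus code): one Altus PPM instance per Power Platform environment,
# with membership restricted to an Entra ID security group.
# Assumes Microsoft.PowerApps.Administration.PowerShell; all ids below are placeholders.
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Scope CurrentUser
Add-PowerAppsAccount

$securityGroupId = '00000000-0000-0000-0000-000000000001'   # Entra ID group whose members may use this instance (placeholder)
$envAdminId      = '00000000-0000-0000-0000-000000000002'   # Entra ID object id of the environment owner (placeholder)

# A separate environment gives the instance its own Dataverse database and its own role assignments.
# -SecurityGroupId restricts environment membership to the named group.
$env = New-AdminPowerAppEnvironment -DisplayName 'Altus PPM - Finance' `
    -LocationName 'australia' -EnvironmentSku Production `
    -ProvisionDatabase -CurrencyName AUD -LanguageName 1033 `
    -SecurityGroupId $securityGroupId -WaitUntilFinished $true

# Grant environment administration explicitly rather than relying on tenant-wide roles.
Set-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName $env.EnvironmentName `
    -RoleName EnvironmentAdmin -PrincipalType User -PrincipalObjectId $envAdminId

# Review who currently holds environment-level roles; this list should be short.
Get-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName $env.EnvironmentName |
    Select-Object PrincipalDisplayName, PrincipalEmail, PrincipalType, RoleName
```

Environment-level roles are only the outer layer: access to individual tables inside the environment is governed by Dataverse security roles assigned to users and teams within that environment, which should be reviewed separately.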
Software Development Lifecycle
Code reviews ensure that multiple members of our development staff review all code that goes into the product. Version control records the author and reviewer of every line. Reviewers are briefed to check changes against the OWASP Top 10 and for known vulnerabilities (CVEs) in dependencies before approval.
Testing is performed by our QA team to identify functional, performance, and security issues in new additions to the product and through automated regression testing of the entire product every day. The automated testing suite used to perform these tests is available on request for customers who need to run tests on their own customized version of the system to ensure customizations have not negatively affected standard functionality.
Static code analysis tools are used during development to find errors and security problems in the product. ESLint is already in use in the Altus PPM development process, and we are moving towards a single unified rule set for the entire product, which will give a more consistent level of assurance.
Encryption
In transit: During operation of Altus PPM, data is transferred between the client and Microsoft's Dataverse endpoints over HTTPS (TLS). TLS 1.2 or higher is required, and the product will not function on client devices that do not support it. Altus does not terminate TLS anywhere; the connection is negotiated between the client and Microsoft's service endpoints.
At rest: Customer data is stored solely within the Microsoft Dataverse service in the customer's own M365 tenancy; no external data stores are used. Encryption at rest is provided by the Dataverse service (Microsoft-managed keys by default, with customer-managed keys available as a Power Platform feature), and the service is tested and certified by Microsoft for security.
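A check a practitioner may want is to confirm which TLS versions a Dataverse endpoint will actually negotiate from a given client. The following is an added example, not Altus code, using only .NET classes available to Windows PowerShell 5.1 and PowerShell 7; the host name is a placeholder for your own environment's Dataverse URL, and `Tls13` is included only where the runtime defines it.

```powershell
# Added example (not Altus code): report which TLS versions a Dataverse endpoint accepts from this client.
# Assumes built-in .NET networking classes only; the host name is a placeholder.
function Test-TlsVersion {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [string] $Protocol,   # 'Tls', 'Tls11', 'Tls12' (or 'Tls13' where the runtime supports it)
        [int] $Port = 443
    )
    $enabled = [System.Security.Authentication.SslProtocols] $Protocol
    $client  = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # SslStream performs the handshake offering only the requested version; the server
        # (or the local Schannel policy) rejects versions it will not use.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, $enabled, $true)
        [pscustomobject] @{ Offered = $Protocol; Negotiated = $ssl.SslProtocol; Result = 'accepted' }
    }
    catch {
        $reason = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
        [pscustomobject] @{ Offered = $Protocol; Negotiated = $null; Result = "rejected: $reason" }
    }
    finally {
        $client.Dispose()
    }
}

$dataverseHost = 'contoso.crm6.dynamics.com'   # placeholder: your environment's Dataverse URL
$versions = @('Tls', 'Tls11', 'Tls12')
if ([enum]::GetNames([System.Security.Authentication.SslProtocols]) -contains 'Tls13') { $versions += 'Tls13' }
foreach ($p in $versions) {
    Test-TlsVersion -HostName $dataverseHost -Protocol $p
}
```

Expect the `Tls` and `Tls11` rows to be rejected and `Tls12` (and `Tls13` where offered) to be accepted. A rejection can originate from either end: if `Tls12` is also rejected, the client's own Schannel configuration is the likely cause, which is exactly the case in which the page states the product will not run.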
Privacy
Your deployment partner needs access to the customer environment during installation and configuration of Altus PPM. That access (environment-level roles, Dataverse security roles, and any guest accounts created for the partner's staff) should be revoked before the system begins to hold production or sensitive information.
GDPR and the Australian Privacy Act may become relevant to Altus PPM if it is extended to store personal information about individuals in the EU or Australia. Seek legal advice for your jurisdiction before extending Altus PPM to store personal information.
The GDPR applies to organizations (not to products) that process personal data. If the Customer uses its Altus PPM installation to process the personal data of individuals in the EU, the GDPR may apply to the following parties:
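As an added example (not Altus's own offboarding script), the following PowerShell removes a deployment partner's environment-level role assignments and confirms none remain. It assumes the Microsoft.PowerApps.Administration.PowerShell module and administrator rights; the environment id and partner address are placeholders, and cmdlet and property names should be checked against the current module.

```powershell
# Added example (not Altus code): revoke a deployment partner's environment-level access
# before production data is loaded. Assumes Microsoft.PowerApps.Administration.PowerShell;
# the environment id and partner address are placeholders.
Add-PowerAppsAccount

$envName      = '00000000-0000-0000-0000-0000000000aa'   # environment id of the Altus PPM instance (placeholder)
$partnerEmail = 'consultant@partner.example'             # partner account to offboard (placeholder)

# Remove every environment-level role the partner holds (e.g. Environment Admin, Environment Maker).
Get-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName $envName |
    Where-Object { $_.PrincipalEmail -eq $partnerEmail } |
    ForEach-Object {
        Write-Host "Removing $($_.RoleName) from $($_.PrincipalEmail)"
        Remove-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName $envName -RoleId $_.RoleId
    }

# Verify: this should return nothing.
$remaining = Get-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName $envName |
    Where-Object { $_.PrincipalEmail -eq $partnerEmail }
if ($remaining) { Write-Warning "Partner still holds environment roles" } else { Write-Host "No environment roles remain" }
```

Environment-level roles are only one layer. The partner's user record inside the environment (and its Dataverse security roles such as System Administrator) should also be disabled in the Power Platform admin center, and any Entra ID guest account created for the partner should be removed, so that a later re-invitation cannot silently restore access.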
- Data Controller: The Customer is provided with the Altus PPM software and chooses to execute it on their own Microsoft Power Platform tenancy. As the Data Controller, the Customer is in complete control of onboarding users and setting security roles to explicitly authorize users with access to data.
- Data Processor: Microsoft, in accordance with the configuration set by the Data Controller, processes and disseminates data to end-users via their data centers on behalf of the Data Controller (Customer).
Note
With specific regard to the Altus Power Platform application (Altus PPM), Altus Pty. Ltd. does not directly participate in the transmission, storage, or processing of customer data and does not occupy any participating GDPR role.
Data Breaches or other events requiring Incident Management are handled via a shared process model with Microsoft detailed in the Information Security Policy.
IRAP (Information Security Registered Assessors Program) assessments are an additional compliance check, administered by the Australian Signals Directorate and carried out by ASD-endorsed assessors, for systems classified up to and including SECRET. The platform on which Altus operates has already been comprehensively assessed, and IRAP attestations are available from Microsoft. While Altus does not operate any equipment that transmits, processes, or stores customer data, we can cooperate with IRAP assessors on request.