Frequently Asked Questions
Q: What protocols are used between all the system components and are they secure?
A: All data in transit and at rest is protected by means consistent with a high industry security standard, such as HTTPS/TLS 1.2 with 4096-bit keys.
Q: Do you adopt/implement a security standard?
A: We utilise the broad array of industry standards compliance provided by the parent Azure service. Microsoft and industry best practices are observed in our service implementation. We are working towards achieving compliance with standards such as ISO 27001 in the near future.
Q: What authentication is required for accessing our services?
A: Customer data can only be accessed via secure and authenticated means, using either the Reporting Hub App (O365 Authentication) or SQL Azure authentication credentials from white-listed public IP addresses.
Q: How are credentials stored? (plain/hashed)
A: User account credentials are stored by SQL Azure and Azure AD, while service account credentials are encrypted and stored inside Azure Storage under strict access control.
Q: What is the complexity of generated credentials?
A: Credentials generated by Reporting Hub are complex, approx. 128 bits / 20 characters.
Q: What methods are used to protect stored data?
A: O365 Authentication via SharePoint Online is required, and report designers need SQL Azure credentials from white-listed firewall access locations.
Q: Is any data stored or sent overseas?
A: In addition to developing GDPR-compliant services, we understand the importance of data sovereignty to our customers, from both a security and a compliance perspective. We maintain three primary regions: APAC, US and EU. These regions operate independently of one another with regard to network activity, data and service operations.
Q: How often is data replicated/backed up such that data losses are minimized?
A: SQL Azure data is backed up and geo-redundant, as enabled by default Microsoft SQL Azure service features, which provide a point-in-time restore of 7 days with weekly full backups for 30 days.
Q: Are customer data activities logged and auditable? Is there a process to review or monitor this?
A: SQL Audit logging and Threat Detection are enabled, which will alert key staff to security events such as suspected malicious behaviour (e.g. SQL injection) and logins from unusual locations (e.g. impossible travel). We can produce the logs for your database via helpdesk request.
Q: Can customer data be exported from the system?
A: Yes. Customers can log a helpdesk ticket to acquire a copy of their database in standard SQL backup format and their uploaded report definitions in RDL format.
Q: Can you tell me more about your personnel management?
A: Our employees with full administrative access to the system have valid police checks and some have baseline defence clearance. Pursuant to local laws, regulations, ethics and contractual constraints, Microsoft US-based full-time employees (FTE) are required to successfully complete a standard background check as part of the hiring process.
Q: Do you use Multi-factor authentication (MFA) to further secure customer data via identity?
A: All staff with administrative access to the Reporting Hub have MFA-enabled accounts.
Q: Can you tell me more about your network security posture for devices accessing Azure resources?
A: For machines used to manage the Azure system, we utilize Windows 10 Defender and Intune/MDM endpoint protection policies on desktop and mobile devices.
Q: Can you tell me more about your software development practices?
A: All of our employees involved in development activities must possess and observe a minimum level of security best practice knowledge in line with current advice from OWASP, such as a familiarity with the current OWASP top-ten security risks and the associated avoidance/mitigation strategies. A robust software development lifecycle is employed, utilising secure and redundant means of data/code transport, storage and execution wherever possible.
Q: Do you utilize any third-parties to support your products and solutions?
A: Microsoft Azure is our sole provider of cloud infrastructure and related services.