Security compliance & data management

CERTIFICATION AND COMPLIANCE

Touchpoint Group is ISO 27001:2013 certified. The certificate is available for download here.

Privacy and data protection policies

Touchpoint Group always treats customer data as confidential. Touchpoint Group does not access, use or share the information collected from a customer except as set forth in the Terms to carry out its obligations under this agreement, and as per our Privacy Policies.

For information on our legal and privacy terms, please visit:

• Privacy/Data Protection Policies
• Terms and conditions for our products

Third party and security assessments

Touchpoint Group's compliance with security standards and ISO 27001 is reviewed annually by an independent accredited third party. In addition, Touchpoint Group’s security maturity has been reviewed on a number of occasions by third parties including external auditors such as PWC.

For customers based in the EU, or who source data from the EU, we offer a Data Processing Agreement. This defines the terms and conditions (including the incorporation of the European Commission’s Model Contractual Clauses) regarding the processing of personal data that is transferred from an EU to a non-EU jurisdiction, in accordance with the requirements of the GDPR.

Customer initiated security assessments and audits are possible, but will be agreed on a case by case basis and require an independent auditor, in order to protect the confidentiality of customers who are not party to the audit. As these custom audits require effort and carry cost for the customer, Touchpoint Group offers to make a summary of the most recent third-party audits or certifications available instead.

INFORMATION SECURITY MANAGEMENT SYSTEM

Touchpoint Group has implemented an Information Security Management System (ISMS) that is compliant with ISO 27001, the international standard for information security. This ISMS also aligns with ISO 27017 (Code of Practice for Information Security Controls Based on ISO 27001 for Cloud Services) and ISO 27018 (Protection of Personally Identifiable Information).

The Touchpoint Group Information Security Management System and related controls cover these domains:

This ISMS is reviewed independently on a regular basis to provide for continued effectiveness and accuracy.

If you require additional information to the above security domains, please see below or contact us.

RISK AND VULNERABILITY MANAGEMENT

Risk management

Touchpoint Group has defined its methodology for assessment and treatment of information risks based on the ISO/IEC 27001 standard. Risk assessment and risk treatment are applied to the entire scope of the Information Security Management System (ISMS), i.e. to all information assets within Touchpoint Group or which could have an impact on information security, including customer information.

Technical compliance and testing

Touchpoint Group approves and engages with third-party security firms to perform penetration testing that can uncover potential vulnerabilities and improve the overall security of our products and services. Upon receipt of the report provided by the third party, Touchpoint Group documents these vulnerabilities, evaluates the impact and likelihood(risk), and creates a mitigation strategy or remediation plan. Penetration tests are conducted in regular intervals or after every major release.

Other technical compliance activities include:

• Scheduled vulnerability reviews.
• Code reviews.
• External penetration testing as commissioned by customers.
• Scheduled external vulnerability scans.
• Internal testing.
• Internal code vulnerability scans.
• Review of application error logs.

Vulnerability management

New vulnerabilities and threats evolve each day, and Touchpoint Group strives to respond quickly to mitigate newly discovered threats. In addition to subscribing to industry-wide vulnerability announcement lists, Touchpoint Group subscribes to the latest security alert lists issued by major security vendors.

Vulnerability and web scans are performed quarterly.

When a significant announced or detected vulnerability puts one of Touchpoint Group's products at risk, the Touchpoint Group CISO and Security Team communicate the vulnerability to the appropriate teams within Touchpoint Group and coordinate the mitigation effort. Vulnerabilities are assessed for risk, and appropriate measures taken to address the associated risk.

Virus protection

Touchpoint Group scans all inbound and outbound email for known malware threats.

Anti-malware protection mechanisms are implemented for all systems and employee assets (e.g. laptops) commonly affected by malware. Anti-malware protection involves the following:

• Malware, spyware and ransomware protection
• Device firewall protection
• Automated file submission and cloud detection of the latest threats
• Antivirus signatures are updated daily
• AV engine updated with the latest Antivirus features
• Fully automated system scans
• Event logs are generated
• Realtime Threat Protection enabled
• Browser and system level protection

Incident management

Touchpoint Group maintains a detailed incident management process which includes the standard phases:

1. Report: Initial identification and reporting of events, weaknesses and incidents.
2. Assess: Assessment of and decision on events.
3. Respond: Response to incidents.
4. Review and learn: Learning from incidents.
5. Resolve: Close incident and ticket.
6. Archive: Store documentation and evidence.

When an incident occurs that impacts Touchpoint Group products or services, the CISO and security team work with the operations and product development teams to identify, mitigate and resolve the issue. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimise product and customer damage or unauthorised disclosure. You will be notified of operational and security incidents in accordance with our Privacy Policy.

We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition.

PERSONNEL SECURITY

Policies

Touchpoint Group has developed a comprehensive set of security policies covering a range of topics as part of its ISMS. Touchpoint Group employees are provided with the relevant policies when joining the organisation. The employment contract includes specific clauses stating they have read and agree to comply with these. In addition the onboarding process for all employees includes specific sections around security and compliance, with more in depth training provided depending on the specific role.

All employees understand that disciplinary action will be taken for non-compliance.

Background checks

Touchpoint Group performs background checks for employment purposes. This specific nature and scope of these checks that Touchpoint Group typically seeks includes inquiries regarding educational background, work history, and references obtained from professional and personal associates as well as criminal background checks, each as permitted by applicable law. These background check requirements apply to all employees and contractors, including those who will be administering systems or have access to customer information.

Confidentiality Agreements

All employees have signed a Non-Disclosure and Confidentiality agreements before gaining access to our code and data.

Employee termination

When an employee leaves Touchpoint Group, the employees manager submits an exiting worker request. Once approved, Touchpoint Group HR initiates an email workflow to inform relevant stakeholders to take specific actions leading up to the employee’s last day. In the event that Touchpoint Group terminates an employee, the HR department sends a similar email notification to relevant stakeholders, including the specific date and time of the employee termination. Touchpoint Group Security then schedules the following actions to help ensure that upon conclusion of the employee’s final day of employment, they can no longer access the Touchpoint Group systems, offices or confidential files:

• Email access removal
• Remote VPN access removal (if applicable)
• Office access invalidation
• System access termination
• Network access termination

If required, managers may escort the terminated employee from the Touchpoint Group offices or building.

Security training programme

All staff undergo security awareness training when they join the company to ensure they understand the company security policies and procedures, and the specific security aspects applicable to their role. This training may be repeated if employees change roles or teams, and all employees take part in an annual security training session to update and refresh awareness.

Security awareness training

The awareness training covers these topics:

• A commitment to information security at Touchpoint Group and the protection of customer data.
• The need to become familiar with and comply with applicable information security policies and processes.
• The personal accountability of each staff member for their own actions and inactions regarding information security.
• Information about important policies and processes.

Role based security training

Staff receive annual training which has four levels depending on the employee role:

1. Introduces basic security concepts, the ISMS, privacy compliance and company security policies and procedures
2. Covers the protocols relating to secure handling of customer data
3. Focuses on security as applied to application developers – covers OWASP and related technical standards
4. Focuses on security as applied to infrastructure and networks

Various teams within Touchpoint Group participate in additional security training, workshops and attend security conferences to increase awareness of how security affects specific roles within the organisation, our products and services, and the company as a whole.

Security team

As part of our commitment to the security of our products and services, Touchpoint Group coordinates all security efforts under the role of Chief Information Security Officer (CISO), The office of the CISO coordinates all product and service security initiatives.

The CISO also manages the Operations and Security teams, who securely maintains the infrastructure and environments used to host all company products, and who act as security consultants to Touchpoint Group product development and operations teams. This team is also responsible for assessing and managing security incidents as well as weaknesses and taking any necessary responsive measures.

The team members work with teams and staff members across the business to strive to achieve the right level of security for products and services and advise these teams on security practices for clear and repeatable processes for development, deployment and operations.

SECURE PRODUCT LIFE-CYCLE

A Secure Product Life-cycle provides guidance and requirements for the development of Touchpoint Group software products and services. The objective of the Secure Product Life-cycle is to embed secure processes and practices into the development culture of the organisation. This is done to ensure that information security is accounted for at every phase of the development life cycle, and as a result, the software and systems produced have a high level of security.

The Secure Product Life-cycle (SPLC) covers the following eight stages:

1. Employee security training
2. Requirements and planning
3. Design
4. Development and testing
5. Staging and stabilisation
6. Deployment
7. Operations and monitoring including intrusion detection
8. Incident management

The Secure Product Lifecycle (SPLC) activities include some or all of the following recommended practices, processes and tools depending on the specific Touchpoint Group product:

• Security training for product teams
• Product health, risk and threat landscape analysis
• Secure coding guidelines, rules and analyses
• Service roadmaps, security tools, and testing methods that guide the product, infrastructure and operations teams to help address the Open Web Security Project (OWASP) top 10 most critical web application security flaws and CWE/SANS top 25 most dangerous software errors.
• Security architecture review and penetration testing
• Source code reviews to help eliminate known flaws that could lead to vulnerabilities
• User-generated content validation
• Application and network scanning
• Full readiness review, response plans, and release of developer education materials

OPERATIONAL SECURITY

Additional information about system and application security for Touchpoint Group Products is available in the sections for Ipiphany, TouchpointMX, TouchpointCX/Loyalty+.

Touchpoint Group corporate locations

Touchpoint Group maintains offices around the world and implements the following processes and procedures company-wide to protect the company against security threats.

Physical security of offices

Every Touchpoint Group office location employs on-site guards and/or electronic surveillance to protect the premises 24x7. Visitors enter through the front entrance, sign in and out with the receptionist, and are accompanied by an employee at all times while on the premises. Touchpoint Group keeps all server equipment, development machines, phone systems, file and mail servers, and other sensitive systems secured at all times accessible only by appropriate, authorised staff members.

Network security

Touchpoint Group platform networks are segregated into logical zones based on trust level. These zones include DMZ for public services, application layer for application services, storage layer for databases and related file storage. This segregation is enforced, such as by utilising a combination of VLANs, Security Groups, Network ACLs and/or Local Firewall Policies. Touchpoint Group's office network is logically segregated based on trust level, e.g. office and guest WiFi.

Access control

Access to systems and data is tightly controlled.

Employee access to customer data

• Touchpoint Group maintains segmented development and production environments, using technical controls to limit network and application-level access to live production systems. Employees have specific authorisations to access development and production systems. Access is given to employees using ‘need to know’ and ‘least privilege’ principles. Access rights are reviewed quarterly. Access is secured through multi-factored authentication and encryption in transit. The allocation and use of privileged access rights is restricted and controlled. Privileged access is only granted to employees requiring elevated access to perform their job responsibilities.
• Customer data will only be accessed as necessary to resolve a support or service issue.
• A robust VPN network is in place for all system administration access. All access for system administration is only available over the VPN network.
• Rules governing the installation of software by users have been established and implemented. Employees are restricted from installing software unless duly authorised.

Backups and restore

Backup copies of information, software and system images are taken and tested regularly. Backups and restore tests are scheduled according to the availability requirements of the information that is being backed up. The schedule is documented and maintained for all critical Touchpoint Group owned systems and data. Backups are held in a geographically separate location from the source data.

Monitoring, logging and review

• Touchpoint Group uses a robust monitoring solution to proactively monitor the Touchpoint Group systems and networks 24/7 in order to maintain uptime and proactively resolve issues. Each system component is monitored, e.g. for excessive resource usage. Automated notifications are in place to notify Touchpoint Group teams of issues or outages.
• Event logs record user activities, exceptions, faults and information security events are regularly reviewed. This includes system and service logs, as well as application logs of all production systems. A central log server receives all critical system logs, analyses them for unusual events, and alerts Touchpoint Group teams.
• Logging facilities and log information are protected against tampering and unauthorised access. Access to the central log server is restricted. Only selected staff can erase logs within the individual systems. Backups of logs are taken as per backup schedule.
• System administrator and system operator activities are logged and the logs protected and regularly reviewed. All administrator and operator logs are kept and protected from being deleted or tampered with.

BUSINESS CONTINUITY

Touchpoint Group's Business Continuity Management Programme works alongside and is embedded in the ISMS. The framework follows the ISO 22301:2012 standard and takes guidance from the BCI good practice guidelines 2018. The programme ensures Touchpoint Group has the ability to rapidly adapt and respond to business disruptions, safeguard people and assets, while maintaining continuous business operations. This is achieved through four principal areas of focus: Business Continuity, Disaster Recovery, Incident Management and Crisis Management. Touchpoint Group maintains its readiness by proactively assessing operational risks, establishing contingency plans, and administering incident response and crisis management training.

Touchpoint Group has established a risk framework (Business Impact Analysis) that accounts for the evaluation of our facilities, technology, applications, data, processes and overall organisation to ensure our risk mitigation strategy operates at multiple levels with broad coverage. The Business Continuity Management Programme includes validation steps to ensure resiliency strategies are effective and meet the policy established by the programme. The validation includes test, exercise, monitoring, internal audit and management review of Business Continuity Programme, including the BCP and Disaster Recovery plans.

Our Disaster Recovery (DR) programme ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.

In the event of a business disruption, the BCP and DR allow us to continue operations of critical functions, we accomplish this in part by:

• Using redundant processing capacity at other locations.
• Designing our technology and systems to support the recovery processes for critical business functions.
• Active-standby and/or clustered solutions.
• Selection of suppliers which meet the business availability requirements.
• Using business and technology teams that are responsible for activating and managing the recovery process.
• Failover and DR plans which allow for sufficient restore timeframes as per Business Continuity Management Programme.
• Exercising our recovery procedures and testing those procedures on a regular basis.

INTRODUCTION

Ipiphany, our AI Customer Feedback Analytics tool, uses natural language processing to read and categorise text feedback from sources like reviews, VoC, and surveys to help uncover the impact of issues in the customer’s experience.

We have architected Ipiphany with security considerations at its core. Access to Ipiphany is controlled by a unique user ID that is managed by an administration console, and may be tied into your enterprise directory services. We utilise industry standard software security methodologies for both management and development lifecycles. Data is encrypted in transit, as well as being tracked and monitored throughout its entire lifecycle.

Touchpoint Group utilises best-of-breed hosting through Amazon Web Services (AWS) in a multi data centre configuration to provide you with constantly replicated data backup so your data is available when you need it. Our cloud services are protected, managed and monitored by state of the art solutions. These tools enable us to see exactly what’s happening in the Ipiphany environment, including monitoring of application usage, system activities, and unauthorised intrusion attempts. We employ service clustering and network redundancies to eliminate single points of failure.

APPLICATION AND NETWORK SECURITY ARCHITECTURE

Ipiphany is a SaaS application that utilises a multi-tenant architecture to enforce the logical segregation of customer data within a shared application. The architecture is scalable using service clustering and load balancers to eliminate single points of failure.

Active security designed into the application

The Ipiphany application is implemented using a purposely designed secure application framework that ensures that customers can only access data from the logical partitions they own and manage. This is enforced via an application security layer that verifies that all requests for data, and all returned data, belong only to the logical partitions they are authorised to access.

In actively monitoring all requests, the Ipiphany application framework detects in realtime any unauthorised attempts to access data or to tamper with credentials. Any such attempts are automatically logged and alerted, and depending on the alert level will result in the user and/or IP address being automatically blocked from access.

In addition, the application framework follows best practice security architecture principles such as:

• Authentication, authorisation and access control
• Session management
• Data input validation
• Error handling, logging and reporting
• Encryption over public networks

Network security

Ipiphany networks are configured in line with AWS and industry standard best practice creating a fully redundant and secure network architecture which is designed to mitigate the impact of individual component failure.

Networks are segregated into logical zones based on trust level. This segregation is enforced by utilising a combination of Security Groups, Network ACLs and/or Local Firewall Policies.

Development, testing and production networks are isolated from each other in distinct AWS VPCs.

Data flow

ACCESS AND IDENTITY MANAGEMENT

Entitlement and identity management

Ipiphany uses named user licensing. Three types of named user licensing are available.

• Ipiphany ID is for user managed accounts that are created, owned and controlled by individual users.
• Ipiphany Enterprise ID is an enterprise-managed option for accounts that are created, owned and controlled by company administration users from the customer organisation. The organisation owns and manages the user accounts and all associated assets.
• Ipiphany Single Sign-on is an enterprise-managed account where all identity profiles are provided by the customer’s Single Sign-On (SSO) identity management system and are created, owned and controlled by IT. Ipiphany will integrate with most SAML 2.0 compliant identity providers.

Application and service entitlement is managed through the Ipiphany Administration area of the Ipiphany Console. Once a user has validated themselves to Ipiphany, they will access the services and data which their IT administrators have entitled them through the Ipiphany Administration Console. They can then perform whatever actions are allowed for which they have been entitled.

Access control

Ipiphany includes secure mechanisms for users to set, change and reset their passwords.

Ipiphany ID and Enterprise IDs both leverage modern hash algorithms in combination with password salts. Our product continually monitors user accounts for unusual or anomalous activity and evaluates this information to help quickly mitigate threats to their security and prevent unauthorised access.

These mechanisms manage access in accordance with best practice standards, including:

• Short term user lockout periods after a number of unsuccessful login attempts
• Permanent user lockout periods and automated IP blocking on the detection of repeated attempts to gain unauthorised access

DATA SECURITY AND PRIVACY

Secure data storage in AWS

Ipiphany leverages multi-tenant storage. Customer data is stored redundantly on servers across multiple availability zones to ensure high-availability.

All data stored within Ipiphany is protected by Identity and Access Management (IAM) roles within that AWS Region.

Data encryption and secure management

Communications between customers and Ipiphany are encrypted via industry best-practices HTTPS and Transport Layer Security over public networks. All customer data into or out of Ipiphany occurs over secure channels:

• HTTPS for user upload/export of data or API access
• Permanent user lockout periods and automated IP blocking on the detection of repeated attempts to gain unauthorised access
• Opportunistic TLS for email delivery

Administrative access to the Ipiphany Console by Touchpoint Group staff is protected by multi-factor authentication.

All server file systems of the Ipiphany platform that hold customer data are encrypted at rest using AWS file system encryption.

Data durability and backup

Touchpoint Group stores all Ipiphany customer data in Amazon S3 and Amazon EBS, which provide storage infrastructure with high durability. This is supported by the usage of 3 Availability Zones (the equivalent of 3 distinct data centres) for the Ipiphany platform.

Data backups are performed daily and stored securely across multiple availability zones in S3, for a period of no less than 3 months.

Data residency and geo-location

All data uploaded into Ipiphany by our customers is being held in AWS, with Australia and the US being the primary geo-locations. Customers can choose to locate their data in the US or Australia, with more locations to be added over time.

Data replication for Amazon S3 data objects occurs within the regional cluster where the data is stored and is not replicated to other AWS regions.

To learn more about our third party service providers and their geo-location, please see here.

Data retention and destruction

Touchpoint Group retains data for no longer than three years or as per agreement with the customer. Upon termination of services, Touchpoint Group deletes all customer data. Further, storage media are securely wiped in line with U.S. DoD 5220.22-M as part of the decommission process.

SECURE CLOUD AND PHYSICAL SECURITY

Touchpoint Group physical security is covered under Operational Security here.

As previously covered, components of Ipiphany are hosted on AWS, including Amazon EC2 and Amazon S3. Amazon EC2 is a computer service that provides automatically scalable capacity in the cloud, allowing Touchpoint Group to scale based on customer demand. Amazon S3 is a highly reliable data storage infrastructure for storing any amount of data securely.

AWS security controls and compliance

AWS is compliant with several international security standards which include ISO 27001, SOC2 and others, which are listed here.

Isolation of customer data/Segregation of customers

AWS uses strong tenant isolation security and control capabilities. As a virtualised, multi-tenant environment, AWS implements security management processes and other security controls designed to isolate each customer from other AWS customers. Touchpoint Group uses the AWS Identity and Access Management (IAM) to further restrict access to compute and storage instances.

Secure network architecture

AWS employs network devices, including firewalls and other boundary devices, to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, exist on each managed interface to manage and enforce the flow of traffic.

Network monitoring and protection

AWS uses a variety of automated monitoring systems to provide a high level of service performance and availability. Monitoring tools help detect unusual or unauthorised activities and conditions at ingress and egress communication points. The AWS network provides significant protection against traditional security issues such as:

• Distributed Denial of Service (DDoS) attacks
• Man in the Middle (MITM) attacks
• IP Spoofing
• Port Scanning
• Packet sniffing by other tenants

Service monitoring

AWS monitors electrical, mechanical and life support systems and equipment to help with the immediate identification of service issues. In order to maintain the continued operability of equipment, Amazon performs ongoing preventative maintenance.

You can find more information about AWS security controls and compliance on the Amazon website.

Physical security at AWS

AWS data centre locations (Availability Zones) are built to be independent and physically separated from one another. They are designed to anticipate and tolerate failure while maintaining service levels.

AWS provides physical data centre access only to approved employees on the principle of least privilege, where requests must specify to which layer of the data centre the individual needs access, and are time-bound. Third-party access is requested by approved AWS employees, who must apply for third-party access and provide a valid business justification. Once granted admission, individuals are restricted to areas specified in their permissions. Anyone granted visitor badge access must present identification when arriving on site and are signed in and escorted by authorised staff.

Touchpoint Group employees do not have physical access to the data centre or servers on which Ipiphany is hosted.

Physical access points to server rooms are recorded by Closed Circuit Television Camera (CCTV). Physical access is controlled at building ingress points by professional security staff utilising surveillance, detection systems, and other electronic means. Electronic intrusion detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents. Door alarming devices are also configured to detect instances where an individual exits or enters a data layer without providing multi-factor authentication. Alarms are immediately dispatched to 24/7 AWS Security Operations centres for immediate logging, analysis, and response.

Operational support systems are in place to protect the server room and assets. This includes redundant power supply, mechanisms to control climate and maintain an appropriate operating temperature to prevent overheating and reduce the possibility of service outages.

More information about AWS physical and environmental controls is outlined here.

Operational responsibilities of AWS and Touchpoint Group

Amazon operates, manages and controls the components from the hypervisor virtualisation layer down to the physical security of the facilities in which Ipiphany operates. In turn, Touchpoint Group assumes responsibility and management of the guest operating system and application software, as well as the configuration of the AWS-provided security features, e.g. firewalls.

Amazon also operates the cloud infrastructure used by Touchpoint Group to provision a variety of basic computing resources, including processing and storage. The AWS infrastructure includes facilities, network and hardware, as well as the operational software (e.g. host OS, virtualisation software, etc.) that supports the provisioning and use of these resources. Amazon designs and manages AWS according to industry-standard practices as well as a variety of security compliance standards.

TouchpointMX is a powerful, omni-channel marketing platform. It can turn customers from occasional shoppers into loyal brand advocates. This cloud product includes the TouchpointMX Management Console for the management of data and other websites and services depending on the customer’s needs and setup. TouchpointMX can provide email campaigns, microsites, forms, loyalty programmes, surveys, SMS campaigns or custom solutions built on the base of TouchpointMX.

All this is designed with security considerations at its core. Access to data is protected by industry standard software security methodologies for both management and development lifecycles. Data is encrypted in transit, as well as being tracked and monitored throughout its entire lifecycle.

Touchpoint Group utilises best-of-breed hosting for TouchpointMX, in New Zealand via a state-of-the-art data centre and in Australia through Amazon Web Services (AWS). Customers can choose the main location of their data, NZ or AU. Both offer high levels of redundancy, constantly replicated data backup and security managed by an expert team.

TouchpointMX is protected, managed and monitored by state of the art solutions. These tools enable us to see exactly what’s happening in the Touchpoint MX environment, including monitoring of application usage, system activities, and unauthorised intrusion attempts. We employ service clustering and network redundancies to eliminate single points of failure.

APPLICATION AND NETWORK SECURITY ARCHITECTURE

TouchpointMX utilises a multi-tenant architecture to enforce the logical segregation of customer data within a shared application. The architecture is scalable using service clustering and load balancers to ensure high availability and resiliency.

Active security designed into the application

TouchpointMX is implemented using a purposely designed secure application framework that ensures that customers can only access data from the logical partitions they own and manage. This is enforced via an application security layer that verifies that all requests for data, and all returned data, belong only to the logical partitions they are authorised to access.

In actively monitoring all requests, the cloud application framework detects in real time any unauthorised attempts to access data or to tamper with credentials. Any such attempts are automatically logged and alerted, and depending on the alert level will result in the user and/or IP address being automatically blocked from access.

In addition, the application framework follows best practice security architecture principles such as:

• Authentication, authorisation and access control
• Session management
• Data input validation
• Error handling, logging and reporting
• Encryption over public networks

Network security

Application networks are configured in line with industry standard best practice creating a fully redundant and secure network architecture which is designed to mitigate the impact of individual component failure.

Networks are segregated into logical zones based on trust level. This segregation also isolates Development, testing and production networks and is enforced by utilising a combination of local and global firewall policies.

Data flow

ACCESS AND IDENTITY MANAGEMENT

Entitlement and identity management

Customers access data and services in TouchpointMX mainly via the administrative portal, the MX Console. End users access services the customer wants to provide via websites, closed portal, or interactions via email and TXT.

Once customer users or end users have validated themselves to TouchpointMX, they will access the services and data which they are entitled to in the collection of TouchpointMX services that are configured and built for the specific customer.

They can perform whatever actions for which they have been entitled. This could be updating whole data sets by the customer, or the individual data by the end user, posting or replying to an email, creating or filling in a survey, running or taking part in loyalty programs.

Every action or call to an application checks the access permissions, with no exceptions.

Access control

TouchpointMX includes secure mechanisms for users to set, change and reset their passwords which leverage modern hash algorithms in combination with password salts.

Our product continually monitors privileged user accounts for unusual or anomalous activity and evaluates this information to help quickly mitigate threats to their security and prevent unauthorised access.

These mechanisms manage access in accordance with best practice standards, including:

• Short term user lockout periods after a number of unsuccessful login attempts
• Permanent user lockout periods and automated IP blocking on the detection of repeated attempts to gain unauthorised access

DATA SECURITY AND PRIVACY

Secure data storage and durability

TouchpointMX leverages multi-tenant storage. Customer data is stored redundantly on servers or in databases in active-passive configuration to ensure high-availability and high durability.

Data are backed up regularly and stored securely for a maximum of 13 months

• in a secure data centre in New Zealand for TouchpointMX NZ
• across multiple availability zones in S3 for TouchpointMX AU

Data encryption and secure management

Communications between users and TouchpointMX are encrypted via industry best-practices HTTPS and Transport Layer Security over public networks.

• HTTPS for all web access, e.g. for data management or access of websites and portals
• HTTPS for user upload/export of data or API access
• SFTP or HTTPS for automated upload/export of data
• Opportunistic TLS for email delivery

Administrative access to the TouchpointMX Console by Touchpoint Group staff is protected by multi-factor authentication.

All server file systems hosted in AWS and that hold customer data are encrypted at rest using AWS file system encryption (TouchpointMX AU).

Data residency and geo-location

Customers can choose to locate their data, TouchpointMX websites and services in New Zealand or Australia, with more locations to be added over time.

Depending on the country chosen by the customer the active data resides either in NZ or in AU. For disaster recovery purposes, some data and configuration is copied to AWS AU. Note that service and data location cannot be split across TouchpointMX NZ and AU.

Backups stored in Amazon S3 occur within the regional cluster (Australia) where the data is stored and is not replicated to other AWS regions.

To learn more about our third party service providers and their geo-location, please see here.

Data retention and destruction

Touchpoint Group retains data for no longer than three years or as per agreement with the customer. Upon termination of services, Touchpoint Group deletes all customer data within the agreed timeframe or the standard retention time (3 years). Furthermore, physical storage media are securely wiped in line with U.S. DoD 5220.22-M as part of the server decommission process.

SECURE CLOUD AND PHYSICAL SECURITY

Touchpoint Group physical office security is covered under Operational Security here.

As previously covered, TouchpointMX is hosted in New Zealand in a state-of-the-art data centre on physical servers and in Australia using Amazon Web Services (AWS) including Amazon EC2 and Amazon S3.

Data centre security controls and compliance (NZ)

TouchpointMX is hosted on Touchpoint Group owned hardware in colocated racks in a New Zealand data centre. The infrastructure inside the rack is not shared and is managed solely by trained Touchpoint Group staff.

The data centre manages the physical security, power and network redundancy as well as fire detection and suppression systems. It is a secure and widely connected environment with full redundancy and built for high availability. This includes power and cooling in N+1 configuration, high speed connectivity via 3 fibre optic upstream links and 24/7 on-site staff, biometric readers, CCTV and auditable access lists.

The NZ data centre has been independently audited and gained ISO 27001 certification.

For more information about the data centre see here. For more information about how Touchpoint Group manages the security in operations see here.

AWS cloud security controls and compliance (AU)

When using cloud providers like AWS, the operational responsibility is shared, in this case between Touchpoint Group and Amazon.

Amazon operates, manages and controls the components from the hypervisor virtualisation layer down to the physical security of the facilities in which TouchpointMX operates. In turn, Touchpoint Group assumes responsibility and management of the guest operating system and application software, as well as the configuration of the AWS-provided security features, e.g. firewalls.

Amazon also operates the cloud infrastructure used by Touchpoint Group to provision a variety of basic computing resources, including processing and storage. The AWS infrastructure includes facilities, network and hardware, as well as the operational software (e.g. host OS, virtualisation software, etc.) that supports the provisioning and use of these resources. Amazon designs and manages AWS according to industry-standard practices as well as a variety of security compliance standards.

AWS is compliant with several international security standards which include ISO 27001, SOC2 and others, which are listed here.

Isolation of customer data/segregation of customers

AWS uses strong tenant isolation security and control capabilities. As a virtualised, multi-tenant environment, AWS implements security management processes and other security controls designed to isolate each customer from other AWS customers. Touchpoint Group uses the AWS Identity and Access Management (IAM) to further restrict access to compute and storage instances.

Secure network architecture

AWS employs network devices, including firewalls and other boundary devices, to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, exist on each managed interface to manage and enforce the flow of traffic.

Network monitoring and protection

AWS uses a variety of automated monitoring systems to provide a high level of service performance and availability. Monitoring tools help detect unusual or unauthorised activities and conditions at ingress and egress communication points. The AWS network provides significant protection against traditional security issues such as:

• Distributed Denial of Service (DDoS) attacks
• Man in the Middle (MITM) attacks
• IP Spoofing
• Port Scanning
• Packet sniffing by other tenants

You can find more information about AWS security controls and compliance on the Amazon website.

Physical security at AWS

AWS data centre locations (Availability Zones) are built to be independent and physically separated from one another. They are designed to anticipate and tolerate failure while maintaining service levels.

AWS provides physical data centre access only to approved employees on the principle of least privilege, where requests must specify to which layer of the data centre the individual needs access, and are time-bound. Third-party access is requested by approved AWS employees, who must apply for third-party access and provide a valid business justification. Once granted admission, individuals are restricted to areas specified in their permissions. Anyone granted visitor badge access must present identification when arriving on site and are signed in and escorted by authorised staff.

Touchpoint Group employees do not have physical access to the data centre or servers on which TouchpointMX is hosted.

Physical access points to server rooms are recorded by CCTV. Physical access is controlled at building ingress points by professional security staff utilising surveillance, detection systems, and other electronic means. Electronic intrusion detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents. Door alarming devices are also configured to detect instances where an individual exits or enters a data layer without providing multi-factor authentication. Alarms are immediately dispatched to 24/7 AWS Security Operations Centres for immediate logging, analysis, and response.

Operational support systems are in place to protect the server room and assets. This includes redundant power supply, mechanisms to control climate and maintain an appropriate operating temperature to prevent overheating and reduce the possibility of service outages.

More information about AWS physical and environmental controls is outlined here.

TouchpointCX and Loyalty+ run on the foundation of TouchpointMX infrastructure and application services. All details about the security in this section also apply to TouchpointCX and Loyalty+.