Security Statement
Our clients have entrusted MirrorWave with their data, and we make it a priority to take our users’ security and privacy concerns seriously. We strive to ensure that user data is kept securely, and that we collect only as much personal data as is required to provide our services to users in an efficient and effective manner. MirrorWave uses some of the most advanced technology for Internet security that is commercially available today. This Security Statement is aimed at being transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected.
Application and User Security
- All sensitive communications with the MirrorWaveFeedback.com website, such as the user login page, are sent over SSL/TLS connections. Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), protect communications by using both server authentication and data encryption. This ensures that user data in transit is safe, secure, and available only to intended recipients.
- User Authentication: User data on our database is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user logs on. MirrorWave issues a session cookie only to record encrypted authentication and state information for the duration of a specific session. The session cookie does not include the password of the user.
- User Passwords: User application passwords have minimum complexity requirements and are encrypted before being stored in our database. Multi-factor authentication is available.
- Data Portability: MirrorWave enables you to export your data from our system so that you can back it up, or use it with other applications.
- Privacy: This Security Statement should be read in conjunction with our privacy policy, which explains how we process personal information, who we share it with and how long we retain it.
- Third Party Scans: Standard penetration testing of the server and application for application-level vulnerabilities is undertaken.
Data Centre
- Data Centres: Our information systems infrastructure (servers, networking equipment, etc.) is hosted by Microsoft Windows Azure, which operates SSAE 16/SOC 2 audited data centres. A copy of their Security, Privacy and Compliance policies can be found here.
- Location: All user data is stored on servers located in Australia Southeast (Victoria).
Availability
- Uptime: We carry out continuous uptime monitoring, and any downtime identified is escalated directly to MirrorWave staff.
- Failover: Our database is log-shipped to standby servers so that we can promptly fail over to those standby servers.
Network Security
- Third Party Scans: Network port scanning, vulnerability scanning and manual penetration testing are performed, using the OSSTMM standards as a baseline minimum.
- Testing: System functionality and design changes are verified in an isolated test “sandbox” environment and subject to testing prior to deployment to active production systems.
- Patching: The latest security patches are applied to all operating system and application software to mitigate newly discovered vulnerabilities.
- Logging and Auditing: Central logging systems capture and archive all server access including any failed authentication attempts.
Storage Security
- Backup Frequency: Both the SQL database and the Windows Azure storage are fully backed up according to the Windows Azure SLA. SQL Server performs a full backup twice a day and transactional backups every hour. These backups are further copied and stored offsite using Windows Azure Storage.
- Backup Location: Windows Azure backups use paired locations for disaster recovery. The paired location for Australia Southeast is Australia East.
Organisational & Administrative Security
- Employee Screening: We perform background screening on our employees whose primary role includes access to sensitive user data.
- Training: We provide security and technology use training for employees.
- Service Providers: We screen our service providers and bind them under contract to appropriate confidentiality obligations if they deal with any user data.
- Access: Access controls to sensitive data in our databases, systems and environments are set on a need-to-know, least-privilege basis.
- Audit Logging: We maintain and monitor audit logs on our services and systems.
Software Development Practices
- Coding Practices: Our engineers follow industry-standard secure coding guidelines.
- Third Party Scans: An in-depth review of the project's source code is undertaken, looking for security vulnerabilities at both the application level and the configuration level.
Handling of Security Breaches
- Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if MirrorWave learns of a material security breach, we will use reasonable efforts to notify affected users so that they can take appropriate protective steps. We will do this by providing email notices or posting a notice on our website if a material breach occurs. We will also comply with all applicable data breach notification laws.
Your Responsibilities
- Keeping your data secure also depends on you maintaining the security of your account by using sufficiently complex passwords and storing them safely. You should also ensure that you have sufficient security on your own systems to protect your data.
Questions?
If you have any questions about MirrorWave’s security practices, please email us at support@mirrorwave.com.
Last updated: 10 September 2024