Security

Data Centers and Location

The Circle In platform is hosted on the Amazon Web Services’ (“AWS”) ECS platform. AWS maintains multiple certifications for its data centers, including ISO 27001 and  27018 compliance, PCI Certification, and SOC reports. For a complete overview of their certification and compliance, please visit the AWS Security website and the AWS Compliance website.

Production Environment

We maintain separate and distinct production and development environments for the Circle In platform. To access Circle In’s production environment, authorized and trained members of Circle In’s engineering team authenticate and obtain temporary access keys via AWS IAM with 2FA.

Network Security

Circle In employs the use of a Web Application Firewall (WAF) to protect against numerous common exploits and attacks including DDoS. AWS Network ACL and Security Groups are used to restrict access to Circle In’s systems as appropriate to their role following the principle of least privilege. All servers are located within Private VPC’s. Public access is restricted to port 443 and 80 on network load balancers for public traffic. All other external network access is restricted.

Physical Security

All Circle In infrastructure is hosted in AWS with no servers on-premise. The Circle In office is part of a multi-tenanted building with all access via keyed entryways. External access to the building requires the use of swipe cards outside of the standard working hours of 8am to 6pm, Monday to Friday.

Encryption In-Transit

Circle In uses industry standard Transport Layer Security (“TLS”) to create a secure connection using 128-bit Advanced Encryption Standard (“AES”) encryption. There is no non-TLS option for connecting to Circle In. All connections are made securely over HTTPS. All internal message queues are encrypted using AES-256 GCM.

Encryption At-Rest

All Circle In customer data is secured at rest using industry-standard AES-256 encryption.

Encryption Keys

All encryption keys are managed by Amazon. The encryption, key management, and decryption process is inspected and verified internally by Amazon on a regular basis as part of their existing audit process.

Development, Patch and Configuration Management

All changes to the Circle In platform (software and infrastructure) are managed using code. Any change needs to follow a defined continuous integration and deployment (CI/CD) process which involves building the software, running automated system and unit tests, packaging of change artifacts, deployment and testing on a staging environment, before finally applying via a gated deployment to production.  All changes are vetted via a mandatory peer-review process, and stored within versioned code repositories.

Event Logging

The Circle In platform uses AWS CloudTrail to monitor changes to infrastructure.  All platform generated logs are written to AWS CloudWatch with an unlimited retention period.

Asset Management

Circle In maintains a register of all assets whether that be computers, laptops, mobile & tablet devices, or removable storage.

Data Sovereignty

As of writing, we have the option of hosting your data in AU, US and the UK. Further regions may be available if requested; ask your sales representative if you have a need to be hosted in a specific region for data sovereignty or legal purposes.

Information Classification

Circle In maintain internal Information Security and Information Classification and Handling policies.  We also have a documented Secure Deletion and Disposal policy.

Data/Account deletion

User data is retained for the duration that you are a registered customer.  30 days after termination of contact all user data is removed.

General Data Protection Regulation (GDPR)

Circle In complies with the requirements of the Privacy Act 1988 (Australia) (Privacy Act), the European General Data Protection Regulation (GDPR), the California Consumer Privacy Act 2018 (CCPA) and other applicable privacy and data protection laws (together, the Privacy Laws) in the collection, storage, transfer, processing, retention and deletion of the Personal Information that we collect from (you, your). Please see our privacy page for more details.

Recovery Policy

Circle In has the following RPO and (RTO) targets.

  • Loss of database: 1 hour (12 hours)
  • Server Outage: 1 hour (12 hours)
  • Major Region outage: 1 day (1 day)
  • Loss of AWS service: 8 hours (1 day)

Further details are contained within our Disaster Recovery policy.

Backup Interval

  • Database – daily snapshots with 7 days retention
  • S3 File storage – versioning enabled buckets

Backup Storage

All backups are stored securely cross-region.

Availability and Resiliency

The Circle In platform has been designed to keep running even if the underlying infrastructure experiences an outage or other significant issue.  All services that make up the Circle In platform are highly-available. We use a combination of database clusters, containerization, load balancing and HA messaging queuing  in order to ensure that there are no single points of failure in the system.

Disaster Recovery Policy

Circle In has a 99.95% uptime SLA, which is subject to scheduled maintenance outages and matters beyond Circle In’s reasonable control.

Incidents and Response

In the situation of a cyber incident, we categorise incidents to assist with identifying the urgency, escalation, and decision making relating to the issue.  The following outlines our incident priorities and their expected resolution times:

LevelDescriptionResolution
CrisisCircle In platform is unavailable or unstableWork begins with 1 hour from report with a temporary resolution within 2 hours and a final resolution within 8 hours
Severity 1The Circle In platform or performance is degraded in a way that severely impacts normal useWork begins with 2 hours from report with a temporary resolution within 4 hours and a final resolution within 24 hours
Severity 2A non-essential Circle In service is degraded or unavailableWork begins with 48 hours from report with a temporary resolution within 7 days and a final resolution within 30 days
Severity 3Minor or cosmetic issues with the Circle In platform
All feature requests
Resolution at Circle In’s discretion
 

User Authentication

Circle In supports both internal and SSO authentication.