Data Centers and Location:
The Circle In platform is hosted on the Amazon Web Services’ (“AWS”) ECS platform. AWS maintains multiple certifications for its data centers, including ISO 27001 and 27018 compliance, PCI Certification, and SOC reports. For a complete overview of their certification and compliance, please visit the AWS Security website and the AWS Compliance website.
We maintain separate and distinct production and development environments for the Circle In platform. To access Circle In’s production environment, authorized and trained members of Circle In’s engineering team authenticate and obtain temporary access keys via AWS IAM with 2FA.
Circle In employs the use of a Web Application Firewall (WAF) to protect against numerous common exploits and attacks including DDoS. AWS Network ACL and Security Groups are used to restrict access to Circle In’s systems as appropriate to their role following the principle of least privilege. All servers are located within Private VPC’s. Public access is restricted to port 443 and 80 on network load balancers for public traffic. All other external network access is restricted.
All Circle In infrastructure is hosted in AWS with no servers on-premise. The Circle In office is part of a multi-tenanted building with all access via keyed entryways. External access to the building requires the use of swipe cards outside of the standard working hours of 8am to 6pm, Monday to Friday.
Circle In uses industry standard Transport Layer Security (“TLS”) to create a secure connection using 128-bit Advanced Encryption Standard (“AES”) encryption. There is no non-TLS option for connecting to Circle In. All connections are made securely over HTTPS. All internal message queues are encrypted using AES-256 GCM.
All Circle In customer data is secured at rest using industry-standard AES-256 encryption.
All encryption keys are managed by Amazon. The encryption, key management, and decryption process is inspected and verified internally by Amazon on a regular basis as part of their existing audit process.
Development, Patch and Configuration Management:
All changes to the Circle In platform (software and infrastructure) are managed using code. Any change needs to follow a defined continuous integration and deployment (CI/CD) process which involves building the software, running automated system and unit tests, packaging of change artifacts, deployment and testing on a staging environment, before finally applying via a gated deployment to production. All changes are vetted via a mandatory peer-review process, and stored within versioned code repositories.
The Circle In platform uses AWS CloudTrail to monitor changes to infrastructure. All platform generated logs are written to AWS CloudWatch with an unlimited retention period.
Circle In maintains a register of all assets whether that be computers, laptops, mobile & tablet devices, or removable storage.
As of writing, we have the option of hosting your data in AU, US and the UK. Further regions may be available if requested; ask your sales representative if you have a need to be hosted in a specific region for data sovereignty or legal purposes.
Circle In maintain internal Information Security and Information Classification and Handling policies. We also have a documented Secure Deletion and Disposal policy.
User data is retained for the duration that you are a registered customer. 30 days after termination of contact all user data is removed.
General Data Protection Regulation (GDPR):
Circle In complies with the requirements of the Privacy Act 1988 (Australia) (Privacy Act), the European General Data Protection Regulation (GDPR), the California Consumer Privacy Act 2018 (CCPA) and other applicable privacy and data protection laws (together, the Privacy Laws) in the collection, storage, transfer, processing, retention and deletion of the Personal Information that we collect from (you, your). Please see our privacy page for more details.
Circle In has the following RPO and (RTO) targets.
- Loss of database: 1 hour (12 hours)
- Server Outage: 1 hour (12 hours)
- Major Region outage: 1 day (1 day)
- Loss of AWS service: 8 hours (1 day)
Further details are contained within our Disaster Recovery policy.
- Database – daily snapshots with 7 days retention
- S3 File storage – versioning enabled buckets
All backups are stored securely cross-region.
Availability and Resiliency:
The Circle In platform has been designed to keep running even if the underlying infrastructure experiences an outage or other significant issue. All services that make up the Circle In platform are highly-available. We use a combination of database clusters, containerization, load balancing and HA messaging queuing in order to ensure that there are no single points of failure in the system.
Disaster Recovery Policy:
Circle In has a 99.95% uptime SLA, which is subject to scheduled maintenance outages and matters beyond Circle In’s reasonable control.
Incidents and Response:
|Crisis||Circle In platform is unavailable or unstable||Work begins with 1 hour from report with a temporary resolution within 2 hours and a final resolution within 8 hours|
|Severity 1||The Circle In platform or performance is degraded in a way that severely impacts normal use||Work begins with 2 hours from report with a temporary resolution within 4 hours and a final resolution within 24 hours|
|Severity 2||A non-essential Circle In service is degraded or unavailable||Work begins with 48 hours from report with a temporary resolution within 7 days and a final resolution within 30 days|
|Severity 3||Minor or cosmetic issues with the Circle In platform|
All feature requests
|Resolution at Circle In’s discretion|
Circle In supports both internal and SSO authentication.