Survey Software Australia – Spark Chart Security for accounts subscribed to our Australian Server

This document outlines the security framework for Spark Chart survey software accounts subscribed to our Australian server. Note that the information collected, and therefore the cyber security considerations that apply, depend on the surveys and fields that Spark Chart clients create when designing and deploying their surveys.

Data storage location

Spark Chart has a dedicated server with Digital Pacific. Data is stored in Australia.

Security Assurance Frameworks

For survey software accounts subscribed to the Spark Chart Australian server, Digital Pacific (https://www.digitalpacific.com.au/network/data-centres/) hosts the Spark Chart software in Australia at their Sydney data centre. Their systems are secured in facilities that meet the requirements for a security zone suitable for the sensitivity or classification of the data held. Their servers are hosted in Equinix SY5, a secure facility that is compliant with many internationally recognised security standards, including SOC 1 Type II, SOC 2 Type II, ISO 27001, PCI DSS, ISO 9001:2015, ISO 22301 and ISO 14001. The site is DTA Certified and is designated Certified Strategic.

Here is more information about their infrastructure and the security standards that Equinix SY5 is compliant with:

https://www.equinix.com.au/data-centers/design/standards-compliance#/

https://support.digitalpacific.com.au/en/knowledgebase/article/datacentre-infrastructure-backup-monitoring-faq

Digital Pacific operates services in Equinix Sydney, with primary services hosted in Sydney and redundant infrastructure services in Melbourne. Sydney is the largest corporate and financial centre in Australia. The Equinix Sydney Data Centre operates N+1 redundancy across all critical infrastructure, with regular testing and maintenance providing supreme uptime and reliability.

Digital Pacific data centre features and information relating to Facility Protection, Facility Security, Data Connectivity, DNS replication and Network Features are outlined here: https://www.digitalpacific.com.au/network/data-centres/. Digital Pacific is SOC 2 Type II accredited (among many other accreditations), a standard designed for technology companies, including data centres, IT managed services, SaaS vendors, cloud-computing based businesses and other technology providers. The SOC 2 criteria are based on the Trust Services Principles (TSP) of security, availability, processing integrity, confidentiality and privacy, as well as controls outside of financial reporting. They are also ISO 27001 accredited, an internationally recognised best practice framework that specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). An ISMS is a systematic approach to managing sensitive company information, covering people, processes and IT systems.

Data ownership

As per our Privacy Policy (https://www.sparkchart.com/privacy-policy/), if you develop and distribute surveys, the survey data created in those surveys is owned by the survey creator. Spark Chart clients therefore retain ownership of their data. Section 4.1 of our Privacy Policy states:

“4. If you develop and distribute surveys

4.1 The survey data created in your surveys is owned by you, the survey creator. Spark Chart treats surveys as if they were private. We do not sell your survey data to anyone. We do not use your survey data for any purpose unrelated to you or our Services, unless you give us permission to do so or we are compelled by law.”

Data recovery

Backups are performed daily. Digital Pacific server reliability, uptime, backup and disaster recovery are summarised here: https://www.digitalpacific.com.au/network/reliability-uptime/

We scan regularly for security vulnerabilities

Spark Chart uses Burp Suite Professional (https://portswigger.net/burp/pro/features) for penetration testing. We perform penetration testing at least twice yearly. On request from clients, we have previously engaged third parties to conduct penetration testing for a fee chargeable to those clients.

As we have an ongoing development cycle with regular updates, the application is regularly tested. Any third party libraries used are checked for validity and kept up to date as required. We stay informed of security advisories for the development platforms we use.

System monitoring and alerting

In addition to penetration testing and 24×7 server management by Digital Pacific and Equinix, we have alerts configured for suspicious attempts to access URLs or to probe for library files that could serve as an intrusion vector. For example, we monitor attempts to probe our system for well-known platforms such as WordPress and Laravel, where the requester tries to access specific files identified in security advisories. Such connections are then blocked at the firewall. To be clear, our software is not based on either of those platforms, but when an advisory is issued it is common for bad actors to try those paths against any application they can reach. User access to the system is logged.
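As an added illustration of the kind of monitoring described above (example code written for this page, not Spark Chart's own tooling), the script below parses web-server access log lines in the common log format, flags requests for paths associated with platforms the application does not run, groups the hits by source address, and produces the firewall rule a blocking step would apply. The watchlist paths, the log lines and the iptables rule format are constructed assumptions; a real deployment would draw the path list from current advisories and read the live log.

```python
import re
from collections import defaultdict

# Constructed watchlist: paths belonging to platforms this application does not run.
# Assumption: a real list would be maintained from current security advisories.
WATCHLIST = (
    "/wp-login.php",
    "/wp-admin/",
    "/xmlrpc.php",
    "/.env",
    "/vendor/phpunit/",
    "/storage/logs/laravel.log",
)

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample log lines (documentation-range IP addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:15:01 +1100] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:15:02 +1100] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:15:03 +1100] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:09:16:10 +1100] "GET /surveys/1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:09:16:11 +1100] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:09:17:00 +1100] "GET /storage/logs/laravel.log?x=1 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path):
    """True if the request path (query string stripped) is on the watchlist."""
    bare = path.split("?", 1)[0].lower()
    return any(bare.startswith(w) for w in WATCHLIST)


def analyse(lines, threshold=1):
    """Group watchlist hits by source IP; keep IPs with at least `threshold` hits."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the monitor
        if is_probe(rec["path"]):
            hits[rec["ip"]].append(rec["path"])
    return {ip: paths for ip, paths in hits.items() if len(paths) >= threshold}


def block_rules(offenders):
    """Render one firewall rule per offending IP (iptables syntax, by assumption)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    offenders = analyse(SAMPLE_LOG, threshold=2)
    for ip, paths in offenders.items():
        print(f"ALERT {ip}: {len(paths)} watchlist hits: {', '.join(paths)}")
    for rule in block_rules(offenders):
        print(rule)
```

The threshold keeps a single stray request from blocking an address; raising it trades faster blocking for fewer false positives. The query string is stripped before matching so that `/.env?foo=1` is treated the same as `/.env`.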

Other cyber security measures

In addition to the Digital Pacific and Equinix cyber security protection outlined in other sections, we use strong passwords for all our hosting environments. Passwords are not reused and are changed regularly. Only Spark Chart directors have access credentials for hosting environments. No external parties are given access to live environments. All connections are encrypted via SSL, and SSH is used where appropriate.

Client and user passwords are never stored in plain text. In order to provide user support in some situations, Spark Chart support staff may seek a user's permission to access their account to provide technical help.

Third party access

Spark Chart uses several external applications for mail delivery, subscriptions and accounting and third party integration applications. Slack (slack.com) and Zapier (zapier.com) may have access to your data, but only if enabled, configured and explicitly approved by account administrators. However, no survey records are stored or transmitted to these providers or outside the Spark Chart secure data hosting environment. Spark Chart uses SparkPost (https://www.sparkpost.com/) for email delivery. SparkPost is the world’s largest and most reliable email sender, delivering nearly 40% of all commercial email globally—that’s over 6 trillion sends annually—and also has the world’s largest email data footprint to help enterprise-level brands make data-driven decisions to improve their email performance. Spark Chart uses Chargebee (chargebee.com), Stripe (stripe.com) and Xero (xero.com) for our secure subscription and billing system.

Secure gateway environment

The Digital Pacific and Equinix data centre has a secure gateway environment. Equinix describes it as follows: "We use advanced security equipment, techniques and procedures to control and monitor access to our International Business Exchange™ (IBX®) data centers. Access involves typically passing through five security checkpoints that include 24/7 manned security stations, mantraps and biometric readers. Low-profile building design allows a high level of security within the data center." More information is available here: https://www.equinix.com/datacenters/design#:~:text=We%20use%20advanced,the%20data%20center.

Spark Chart does not have a secure gateway environment for our staff, as we do not have an on-premises office. All our work is cloud based.

Further information

The Spark Chart System Architecture Overview (https://www.sparkchart.com/system-architecture/) provides a high-level overview of the Spark Chart survey software system and architecture. Please read this document in conjunction with the Spark Chart Privacy Policy, Data Processing Agreement and Terms & Conditions.