Security policy

SMSF DataFlow are committed to maintaining a secure environment for transmission of data between our service and you and for storage of data at all times. We take a multifaceted approach to meet this commitment. A fundamental element of safeguarding your confidential information is to provide protection against unauthorised access or use of this information. Unauthorised access takes many forms and requires a comprehensive response:

In-transit data-transmission:
Sensitive information is encrypted during transmission over the Internet, because it is easy and common for a hacker to intercept and/or divert data while in transit.
Strong cryptography is used for B2B transfers of customer data as well as end-user point-to-point transmission channels. The encryption used for end-user Web access takes the form of TLS encryption using strong ciphers with older vulnerable protocols being disabled.

Authentication and authorisation:
SMSF DataFlow’s entire system is based on the concept of access on a need-to-know basis only. This is coupled with the use of privileges based on individual credentials. These are mapped in a highly granular fashion to ensure an individual user has access to only the data that they are entitled to view and modify.
This is a logical partitioning. Our access control mechanism conforms to a rigidly implemented Business, Brand, Fund hierarchy. These elements permeate the system and prevent any unauthorised access.

Intrusion and system vulnerabilities:
SMSF DataFlow conducts various activities to guard against these vulnerabilities. These largely fall into four areas:

  • Topologies and devices: Network design and configuration
  • Change Control: Process and procedure safeguards
  • Vulnerability management: Regular security patches, Periodic Penetration Tests, Password Strength measures, Control of Credentials.
  • Defense in depth: In addition to these specific individual areas, we use a layered architecture (with a clear separation of User Interface, Business Logic and Data Access code) which prevents against most opportunistic intrusion techniques such as SQL injection. Appropriate validation is also used to guard against such attacks.

Hardware and system failure:
SMSF DataFlow expressly protects against two specific risks - loss of system availability and loss of data. The measures below apply to both risks.
SMSF DataFlow operates a High Availability system. Hardware redundancy exists at all layers, and in most cases failover is automatic.
SMSF DataFlow's redundant database hardware receives an automatic data replication which duplicates the production data with a Business-Day Respose Point Objective (RPO) of fifteen minutes.
The automatic data replication service also targets two off-site locations (with the same PRO).
One of those offsite locations is SMSF DataFlow’s Disaster Recovery (DR) site. This is located in another state and if a Disaster occurs that permanently disables SMSF DataFlow's primary production location then operations can be shifted to the DR site.

Changes
SMSF DataFlow may update this Security Policy from time to time to reflect company and customer feedback or improve the services provided.

Questions or comments
If you have any questions of comments concerning SMSF DataFlow's Security Policy please contact us at support@smsfdataflow.com.au