Secure by design

Your trust is important.

TIQK is a modern cloud platform with security controls and data protection at its core and our security is constantly maintained, enhanced, and verified.

System health & performance monitoring

The TIQK (tiqk.io) client cloud platform is monitored 24hours a day, 7 days a week, 365 days a year.

Clients can view availability reports, maintenance information, and Service Level statistics at any time on the System Status site, and subscribe to incident updates.

Visit the TIQK System Status site

Data residency

Platform data

All client data related to the primary function of the TIQK platform (“platform data”) that are uploaded and processed on the TIQK platform remains resident in the AWS Asia Pacific – Sydney Region (ap-southeast-2) and Azure Australia South-East or Australia East Regions at all times. This includes all platform data backups.

Non-platform operational data

Other non-platform data related to client account management may be stored and processed by our third-party service providers inside and outside of Australia. These include:

  • Credit card payment processing

  • Direct Debit payment processing

  • Anonymised website visitor analytics

  • Email mailing list management, if you opt-in

  • General email communication and any non-platform data document sharing with TIQK; client implementation project management: Australia data residency for email and client related file storage

Data encryption

In-transit

The connection between you and TIQK is always encrypted with industry-standard Secure Sockets Layer (SSL) technology. All information that goes between you and TIQK can only be read by your computer and our servers.

When using our websites you can verify this by clicking the padlock icon next to the website address in your web browser:

In-platform

All transmission of data within our cloud platform – e.g. between databases and other parts of our system – is fully encrypted.

At-rest

All files (and all system-generated representations of those files) uploaded by clients are fully encrypted when physically stored on our platform.

Data segregation

Client files and account data

Clients are located on and authenticate to the same cloud infrastructure (a “multi-tenant” platform). Sensitive client data (e.g. uploaded files) are isolated in client-unique folders in AWS S3 in an isolated “Production” environment. Non-sensitive data (e.g. organisation profiles, audit results and analytics that do not contain client identifiable information are contained in shared database and file system structures but are otherwise isolated from a client perspective.

Custom Business Rules

Rules designed to perform non-client specific risk and compliance assessments may be used in the file review process for multiple clients. Rules designed with and for a specific client (“Custom Business Rules”) are isolated and used in the file review process for that client only. A client’s Custom Business Rules can be deleted from the platform (and all backups) upon request, and are deleted if client closes their TIQK account. Custom Business Rule content and related metadata are stored in secure locations; protected with multiple security controls; and cannot be accessed directly by end users.

A.I. machine learning models

The TIQK platform includes a variety of trained A.I. / machine learning models. Models trained with generic, non-client specific datasets may be used in the file review process for multiple clients. Models trained with datasets supplied by a client are isolated and used in the file review process for that client only. Models trained with datasets supplied by a client can be deleted from the platform (and all backups) upon request, and are deleted if client closes their TIQK account. Trained model files and related metadata are stored in secure locations; protected with multiple security controls; and cannot be accessed directly by end users.

Data leakage protection

We employ a variety of architecture and security features designed to minimise the risk of data leakage across and out of accounts, and we do not implement or offer bulk data transfer options between lifecycle environments (“Development”, “Stage”, and “Production”).

TIQK’s security model prevents cross-client data access, validated by independent, third-party security architecture review and testing.

Isolated infrastructure option

An option is also available for clients that wish to store and process data in completely isolated (“single-tenant”) cloud infrastructure managed by TIQK.

Data sharing and privacy

Uploaded client documents and review results, Custom Business Rules, and custom A.I./machine learning models are not shared by TIQK with any third party without your express permission.

Account data such as information related to subscription, billing, email addresses for opt-in mailing list membership, and project / implementation related data, may be shared with and stored on third-party platforms in order to provide the service  – see above.

Our Privacy Policy tells you what kinds of personal information we may gather or hold about you, how we may use that information, whether we disclose it to anyone, the choices you have regarding our use of that information, your ability to access or correct that information and how you may complain should you believe we have breached our privacy obligations.

Incident / data breach management

TIQK has a duty of care. If a data breach occurs, we must notify affected clients immediately.

TIQK has implemented a Data Breach Response policy based on industry standards that clearly defines a breach; staff roles and responsibilities; standards and metrics (including prioritisation); and reporting, remediation, and feedback mechanisms.

We operate systems to detect and prevent unauthorised or anomalous network traffic behaviour.

Business Continuity / Disaster Recovery

We have implemented a Business Continuity Plan (plus Incident Management & Service Desk policy and procedures) based on a globally-accepted IT operations governance model

TIQK operational platform recovery targets are:

  • Recovery Point Objective (RPO) of 1 hour or less, and
  • Recovery Time Objective (RTO) of 2 hours or less;

We operate an isolated AWS second-site in the Australia region for Disaster Recovery purposes: all files uploaded by clients are regularly backed up on redundant, isolated account in the AWS Asia Pacific – Sydney Region (ap-southeast-2).

TIQK’s backup infrastructure operates under the same security controls as TIQK’s primary cloud infrastructure and are primarily designed to support disaster recovery / business continuity operations.

If a client ends their agreement with TIQK and terminates their TIQK service the client’s platform data is immediately removed from TIQK’s live systems:

  • TIQK may retain up to a maximum of seven (7) days of backups of platform data
  • After the backup period of time has passed, the client’s platform data is automatically deleted and is no longer accessible to the client, TIQK systems, or on backup media

TIQK may offer clients with specific data retention policies an alternative data retention on termination period.

Login security

We enforce strong passwords (mix of alphanumeric and cases, symbols, minimum password length). Passwords are not stored as clear-text in our systems. We store a hash of the password which cannot be converted back into your actual password.

We support Two Factor Authentication (2FA) on a per-user basis. Users can opt-in to use one-time-use codes generated by a standard Code Generator App (or received via SMS) as a second level of protection on TIQK login.

Activity logging / auditing

The TIQK platform performs comprehensive activity auditing/logging for:

  • Account creation, verification, updates, and deletions

  • Logins

  • Team and User management

  • Document uploads and deletions

  • Document audits, audit results, and audit result deletions

  • Subscription management

Secure payment processing

TIQK uses Xero (xero.com) for invoicing clients.

Credit card processing for TIQK subscriptions are managed by Stripe (stripe.com), a globally-recognised leader in online and mobile payment services.

Direct Debit processing for TIQK subscriptions are managed by GoCardless (https://gocardless.com/en-au/).

Secure engineering

Development lifecycle

  • We operate isolated “Development”, “Staging”, and “Production” environments

  • We operate automated unit testing and code merging (based on merge requests passing manual peer reviews)

  • We perform functional User Story, Bug, and HotFix testing in the “Development” environment using a combination of automated and human-testing

Our “Production” deployments:

  • Are coordinated with the TIQK Customer Success team for minimum impact on clients

  • Are controlled: a very limited number of authorised employees have access to authorise a deployment

  • Follow a Blue/Green deployment process

Application security

The TIQK application platform is a modern, multi-tier, micro-services based architecture that isolates client data from direct Internet access. We maintain documented application development security standards. We utilise industry standards to build-in security for our systems and Software Development Lifecycle (SDLC): NIST, OWASP Top 10, …) and have documented policies and procedures based on a globally-accepted IT operations governance model.

We use a distributed version control model (Git) and we limit developer access to source code on a per-repository basis; and perform static code analysis and automated vulnerability testing prior to each release.

We conduct automated penetration testing regularly; and have engaged a third party penetration testing service.

The TIQK platform has controls in place to prevent common malicious input techniques; and all successful / unsuccessful login attempts are logged, and the platform monitors unsuccessful logins to react to and prevent brute force attacks.

The TIQK application captures granular and comprehensive activity logging data and we capture infrastructure and application performance and security logs in vendor services and in a dedicated third-party infrastructure monitoring service.

The TIQK platform does not make use of any hardcoded passwords; and we do not store sensitive keys or other credentials in source code.

Access for regulatory authorities and law enforcement

To the extent that we are bound by law to provide such information TIQK will comply with these requests.

Employee, contractor training & vetting

Information security and data privacy requirements are documented and communicated to all employees who have the responsibility for platform and data design, implementation, and management.

All employees and contractors who have access to TIQK infrastructure and data must go through an extensive vetting process operated by a qualified third-party organisation, which may include police background checks.

All employees and contractors are required to take relevant privacy training during onboarding; on-demand; and when joining a team that has direct access to client data.

All employees and contractors sign non-disclosure terms that include client information.