1. OUR COMPANY AND PRODUCT
J.E.S.I. Management Solutions Pty Ltd takes data security and privacy very seriously. Â Â Our SafetyIQ users are located all over the world and we want to provide with confidence, that our practices and policies we have implemented are aligned to global best practice and continuous improvement management and monitoring.
SafetyIQ is a Software Solution for companies to effectively monitor remote and isolated workers, creating a Safer connected network irrespective of where a worker maybe located. Using SMS or Online check in, users can confirm their Safe arrival. If a SafetyIQ User does not confirm their safe arrival, SafetyIQ automates an Emergency Alert to predetermined contacts.
SafetyIQ is a cloud-based software solution that is accessible across the globe via any device that can connect to the Internet. Â The user does require data connectivity to view data, create, edit or delete a journey and generate an incident alert, however the user does NOT require data connectivity to generate an automated escalation alert. Â The User does require either data or mobile connectivity to confirm a safe check-in.
SafetyIQ was launched as a commercialized entity in March 2014 and has achieved significant growth across the globe and is recognized as industry best practice for managing a workforce who operate in remote and isolated environments.  SafetyIQ aspires to being the number one Risk Management Solution for remote and isolated workers in the world. As such, our commitment to safeguarding our client and user’s data is critical and one that the company takes seriously.
2. ISO 27001 ACCREDITATION & ANNUAL PENETRATION TESTING
As of the 20th October 2021, SafetyIQ Management Solutions Pty Ltd is ISO 27001 Accredited. This means that the company has data security processes align with global best-practice for information security management and demonstrates a robust and practical framework focused on the preservation of confidentiality and integrity.
In addition, SafetyIQ Management Solutions Pty Ltd engages 3rd Party Penetration Services on annual basis. These services identify vulnerabilities within the application and provide defensive capabilities to protect again malicious software attacks.
3. SECURITY CONTROLS
3.1 DATA CENTER SECURITY
SafetyIQ outsources hosting of its product infrastructure with the world’s most recognised data-center provider, Microsoft Azure. Microsoft Azure has the capability to host data in multiple locations across the globe, however we have selected Australia (Sydney) as the primary location for SafetyIQ to be hosted. Australia has a strict regulatory security and privacy framework that is considered to be one of the best in the world AUS Privacy Principles. Microsoft Azure maintains an audited security program, including SOC-2 and ISO 27001 compliance.  Microsoft Azure Compliance Programs. Microsoft Azure Cloud provides built in controls, auditing and managing identity, configuration and usage that support our ability to remain compliant with governance and regulatory requirements.  Their extensive infrastructure guarantees system uptime of 99.95 to 100% and includes power, networking or security considerations. Access to Microsoft Azure physical centres are controlled with security guards and highly classified restrictions for Microsoft Azure Employees. View Microsoft Azure Data centres and controls
3.2 NETWORK SECURITY
Security is implemented in Microsoft Azure Virtual Private Cloud (VPC) security groups, which applies address and port protection to limit what is accessible. This allows for greater control for network traffic from a public networks. We are continually reviewing and improving network security.
3.3 CONFIGURATION MANAGEMENT
The tech tools used to manage the system configurations enables an automated and consistent methodology that safely and predictably; creates, changes, and improves infrastructure. Â It facilitates an automated and systematic approach to storing version controls, reducing errors, duplication, replication and significantly improves efficiencies.
Principles used are aligned to The Twelve-Factor App of storing configuration with the application.
3.4 ALERTING & MONITORING
SafetyIQ has fully automated build procedures that include automated monitoring, alerting and response technologies to continuously alert the SafetyIQ technical team when components of the software are not operating correctly. Â These alerts also include unexpected or malicious activities.
Our technical team operate a 24/7 rostering schedule that ensures timely responsiveness to automated alerts when required.  The SafetyIQ system captures and stores log’s that incorporates other integrated third party technologies. These logs include authentication attempts, permission changes, infrastructure health, and requests performed, among many other commands and transactions. Logs and events are monitored in real time and events are escalated immediately at any hour of the day to developers, security professionals, and engineers to take appropriate action.
At the user front end, all system interaction, page views, and
 other access to the SafetyIQ Software is also logged.  All changes to the codebase require a testing and review process before being deployed.
3.5 ACCESS TO SafetyIQ INFRASTRUCTURE
Access to the SafetyIQ Infrastructure is tightly controlled by the Development Team through Azure Identity and Access Management policies & access keys. All access is tracked, logged, and date stamped.
4. APPLICATION PROTECTION
4.1 WEB APPLICATION SECURITY
Microsoft Azure provides several security capabilities and services for privacy and controlled network access. Network firewalls built into Microsoft Azure VPC, and web application firewall capabilities in Microsoft Azure Web Application Firewall (WAF) allow the creation of private networks, and control access to instances and applications. Microsoft Azure ensure secure connections by using encryption in transit across all services. Protections from Distributed Denial of Service (DDoS) attacks are automatically provided by Microsoft Azure.
Multiple layers of authorization rules are applied to all API interactions to ensure confidentiality between tenants. This ensures that data is not visible between tenants.
4.2 PRODUCT DEPLOYS
SafetyIQ continues to deliver product enhancements, additional features and other technical requirements. Â These varying types of deploys can be administered several times during the day, week, month and year.
Prior to deploying new or additional code, our technical team has a rigorous release process that incorporates functional testing, code reviews, testing and approval to release. If a failure occurs during a deploy, rollback is immediately and automatically engaged. The deploys released to the live production site occur without any disruption for SafetyIQ users.
Major feature or epic releases are controlled extensively in the staging environment and testing is generally undertaken by SafetyIQ Customer Solutions Representatives and if relevant, the engagement of SafetyIQ Clients.
4.3 VULNERABILITY SCANNING & PENETRATION TESTING
The level of maturity associated with our current software development, future product development roadmap and company growth incorporates a future scheduled program that incorporates vulnerability scanning and penetration testing.
We have a comprehensive risk management matrix that is undertaken and maintained for all of the SafetyIQ technology tools.
5. CUSTOMER DATA PROTECTION
5.1 CONFIDENTIAL INFORMATION CAPTURED IN SafetyIQ
The data captured in SafetyIQ includes, Company Names, individual first and last, email address, mobile numbers, job titles and geographic locations.  SafetyIQ does not collect or capture sensitive data such as credit or debit card numbers, personal financial account information, Social Security numbers, passport numbers, driver’s license numbers or similar identifiers, or employment, financial or health information. View the SafetyIQ Privacy Policy
5.2 CREDIT CARD INFORMATION PROTECTION
Several SafetyIQ Products require customers to pay for the service by credit card. SafetyIQ does not store, process or collect credit card information submitted to us by customers. Our third party vendors are trusted and hold relevant PCI-compliant requirements.  For purchases made directly online via trusted website, SafetyIQ uses Stripe and for online credit payments for invoicing, SafetyIQ uses Pin Payments.
5.3 ENCRYPTION IN-TRANSIT & AT-REST
All interactions with SafetyIQ are encrypted in-transit with TLS 1.2 and above and 2048 bit keys.
All database information is encrypted at rest. SafetyIQ does not permit collecting or storing of sensitive information like financial or health data through its service,
 as outlined in our End User Agreement.
5.4 USER AUTHENTICATION & AUTHORIZATION
The password process is encrypted and secure. Â A new SafetyIQ user is required to create a unique password that is not restrictive, however a 4 digit security code is generated that secures the user identity to their SafetyIQ profile. Additional security for the SafetyIQ user is by way of confirming their mobile number to their last name when first activating their SafetyIQ user profile. If the users mobile number is updated, the user is required to respond to the SMS by confirming with their last name. Â The same process is applied, when a forget or reset password is activated.
SafetyIQ Company Accounts incorporate 4 permission levels and the company/Client is responsible for administering the users permission based on their own internal access roles. For more information about user roles, please view SafetyIQ Company Account Permission Levels.
5.5 SafetyIQ EMPLOYEE ACCESS
SafetyIQ has restrictive controls for SafetyIQ employees accessing data across the entire SafetyIQ infrastructure, to include but not limited to, technology tools that are directly related to the SafetyIQ software, internal corporate functions, production clients and other customer solution tools to manage user interaction. Â Â SafetyIQ employees are granted access to production data based on their role in the company through role based access controls or on an as-needed basis.
Engineers and members of the technical team may be granted access to various production systems, as a function of their role. Common access needs include alert responses and troubleshooting, as well as to analyse information that supports product development or support. Access to the product infrastructure is restricted and requires user authentication and authorization controls. Access to networking infrastructure is strictly limited to members of the Technical team and our data-centre support team.
The SafetyIQ Customer Success Team have access based on their work responsibilities associated with supporting and servicing SafetyIQ Company Accounts. All access requests, logins, queries, page views and similar information are logged.
All SafetyIQ Employees are inducted in to the company and associated policies to include non-disclosure confidentiality agreements.
5.6 PRIVACY
The privacy of our customers’ data is one of utmost importance to SafetyIQ. As described in our Privacy Policy, we do not sell your Personal data to any third parties.
5.7 DATA RETENTION POLICY
Customer Data records are retained for 6 years from the entry date and Customer Data configuration are retained for 6 years from the expiration of the Agreement.
Â
An authorised Customer representative may direct SafetyIQ in writing to delete any Customer Data records or configuration prior the end of the 6-year period. An authorised Customer representative may direct SafetyIQ in writing to retain Customer Data records or configuration for longer than the 6-year period. In both cases, the Customer may be charged for the costs of manually deleting data and/or ongoing costs of retaining the data.
Â
An authorised Customer representative may request SafetyIQ in writing to provide an export of Customer Data records. The Customer may be charged for the costs of exporting this data.
Â
Customers are advised to request exported data for their own internal retention, as some jurisdictions require data retention of up to 75 years for records relating to incidents that result in serious personal injury, or incapacity to employees.
Â
6. BUSINESS CONTINUITY & DISASTER RECOVERY
SafetyIQ maintains business continuity and disaster recovery plans focusing both on preventing outage through redundancy of telecommunications, systems and business operations, and on rapid recovery strategies in the event of an availability or performance issue. Whenever customer-impacting situations occur, SafetyIQ’s goal is to quickly and transparently isolate and address the issue.
Infrastructure is replicated and distributed across 2 distinct availability zones within Microsoft Azure, to allow full redundancy.
6.1 BACKUP STRATEGY
Full database backups occur as a minimum once a day and stored on a distributed file storage facility. Backups are tested and retained indefinitely or as required by company policy. Backups are encrypted and have strict access policies.
6.2 SafetyIQ SOFTWARE INCIDENT MANAGEMENT
SafetyIQ Management Solutions Pty Ltd provides 24×7 coverage to respond quickly to all security and privacy events. Many automated processes feed into the incident response
 process, including malicious activity or anomaly alerts, third party alerts, customer requests, security events, and others.
In responding to any incident, we first determine the exposure of the information and determine the source of the security problem, if possible. We communicate back to the customer (and any other affected customers) via email or phone (if email is not sufficient). We provide periodic updates as needed to ensure appropriate resolution of the incident.
Our Data Protection Officer reviews all security-related incidents, either suspected or proven, and we coordinate with affected customers using the most appropriate means, depending on the nature of the incident.
6.3 SafetyIQ DATA BREACHES
SafetyIQ considers all data breaches serious and have several automated alert mechanisms in place to identify if a data breach has occurred within the SafetyIQ Hosted Environment. Â Primarily the alerts identify unauthorized access to the SafetyIQ hosted infrastructure and associated third party technology providers.
If a data breach has occurred, the initial analysis is to determine the extent of the breach, who may have been impacted, the type of breach and how to immediately quarantine or disable if necessary.
Once the breach has been effectively triaged, the SafetyIQ Data Protection Officer is appointed to communicate the data breach to those impacted, to advise what the breach was/is, who has been impacted, how they may be impacted and if at that time, a resolution to resolve the breach has been deployed or actioned. Â The timeframe for disclosure of the data breach to the respective parties is within 72 hours of the breach having been identified and assessed.
Post the outcome of the data breach, the SafetyIQ technical team initiate further investigations to identify the root cause, and implement modifications as required to prevent further breaches.
7. SafetyIQ CUSTOMER RELATIONSHIP MANAGEMENT (CRM)
SafetyIQ maintains a Customer Relationship Management (CRM) that captures customer/client data that includes, Company Names, First/Last names, email, mobile and other phone numbers, communication correspondence, SafetyIQ proposals and other customer related information. Access to the CRM data is limited to a small set of SafetyIQ employees based on their roles, and access is limited to the individuals who need it to respond to customer support and related requests.
SafetyIQ uses other communication tools to keep prospective clients up to date with the company progress, enhancements, case studies and general SafetyIQ information. Â The data captured includes Company Names, First/Last, email, job title. There is an opt out/in feature available that allows self-subscribed or to unsubscribe. Â Subscribers on the list are added by self-subscribing via the SafetyIQ website.
Other SafetyIQ communication is to the SafetyIQ users, by way of the SafetyIQ Checkin Newsletter. Â The primary purpose of the SafetyIQ Checkin is to keep SafetyIQ users up to date with product enhancements, new features and other information that directly relates to the SafetyIQ Software.
SafetyIQ does not sell or share lists with any third parties.
8. CERTIFIED TECHNOLOGY
SafetyIQ maintains a Technology Risk Register that provides oversight to a variety of third party technology tools that manage all associated functions with the SafetyIQ Software, Client Management, Communication and Corporate Governance. Â This process ensures that the third party technology tools that are used or integrated hold industry best practice with respect to privacy and security certifications.
Our primary Sub-processors include Microsoft Azure, Google and Twilio.
9. OUR COMMITMENT TO GDPR
The General Data Protection Act (GDPR) is considered the most significant piece of European data protection legislation to be introduced in the European Union (EU) and is effective as of  25th May 2018.  GDPR Requirements
As SafetyIQ is a provider of services for clients located in the EU, we have an obligation to ensure compliance. Â In our view the requirements are industry best practice and set a global benchmark in data security.
We have created a checklist that identifies our progress in meeting the GDRP requirements. SafetyIQ Checklist GDPR
10. DISCLAIMER
SafetyIQ values transparency in the way we manage the security and privacy of our user’s data and are continuously improving our process and system security.
This document is intended to highlight the methods, approaches and process we have in place to demonstrate our commitment to providing best practice for both the SafetyIQ business, SafetyIQ Account Companies, Subscribers and Users.
