Data security
Data security in transit
All data transactions between users, servers and API partners occur over an encrypted transport layer (TLS, the successor to SSL). Login and registration information, documents and signatures are all protected in transit. No information is retained in user browsers: we do not use cookies or save login information.
All transmissions within our data centre also occur over a secure channel. Administrative access to the data centre (for maintenance and upgrades) is only possible from our office in Melbourne.
Data security at rest
All data entry documents and files are encrypted at rest using AES-256 within SQL Server. File access is restricted by private keys to authorised users only (as per the internal security setup; see Access control).
Our data centres use state-of-the-art digital surveillance and security equipment to prevent unauthorised physical access. Access is multi-layered: biometric access points, proximity card readers, 24-hour on-site security staff, integrated building management, security and CCTV systems, and perimeter security controls.
Where is your data stored?
Your data is stored in Microsoft Azure's Australian data centre region (Australia Southeast). To retrieve any meaningful information, an attacker would have to breach both the data centre and our internal data security controls. Data centre certifications: ISO 27001, ISO 27018, SOC 1, SOC 2, SOC 3, FedRAMP, HITRUST, MTCS, IRAP and ENS.
Data backups
All data and metadata are backed up to a secondary database and file storage within Azure up to 8 times per 24 hours. Documents are also retained in long-term ('deep rest') storage for at least 18 months, even after deletion.
Access control
Access control within an Inherit Australia account ensures information is available only to authorised users:
- Client information is contained within a client account and its family group. Client data can only be shared with other authorised clients within the same group, which prevents accidental data leaks across your client base.
- Advisers gain access to new clients/users by creating a new user in the Inherit Australia user dataset, or by requesting MFA-confirmed access to an existing client account. For example, if an adviser requires access to an existing client account, the client must click a link sent by email or SMS, log in to their Inherit Australia account and confirm the access.
- Lawyers gain access to client accounts only via a referral accepted by an adviser or, for client-driven estate plans, by the individual client.
- Team members of an existing lawyer or adviser may gain access to specific clients based on practice permissions and internal structure (for example, junior advisers for data collection). Team user access is set up at the practice level.
Audit trail
All interactions of clients, advisers and lawyers are recorded in a granular audit trail. It can be used to investigate 'human-factor' data breaches, such as misuse of legitimately granted access. The audit trail is available to primary practice account holders and to the Inherit Australia support team.
Password strength
Inherit Australia enforces strong passwords for all users. The minimum requirements are:
- at least 8 characters
- both upper-case and lower-case letters
- at least one number or special character
- not a common password (checked against a list of 500,000 common web passwords)
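As an added illustration (not Inherit Australia's code), the following Python function applies those four rules to a candidate password and reports which ones fail. The common-password list here is a constructed eight-entry stand-in for the 500,000-entry list, and treating "special character" as ASCII punctuation is an assumption. The point the example makes is that "Password1" satisfies every composition rule and is rejected only by the case-insensitive list lookup, which is why that check is the one that matters most.

```python
import string

# Constructed stand-in for the 500,000-entry common-password list
# (assumption: the real list is a plain set of lower-case strings).
COMMON_PASSWORDS = frozenset({
    "password", "password1", "123456", "12345678",
    "qwerty", "letmein", "welcome1", "iloveyou",
})


def password_failures(password: str, common=COMMON_PASSWORDS) -> list:
    """Return the names of the rules the password fails; an empty list means it is acceptable."""
    failures = []
    if len(password) < 8:
        failures.append("too_short")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append("needs_upper_and_lower")
    # "Special character" is taken to mean ASCII punctuation (assumption).
    if not any(c.isdigit() or c in string.punctuation for c in password):
        failures.append("needs_digit_or_special")
    # Case-fold before the lookup: capitalising a common word does not make it uncommon.
    if password.lower() in common:
        failures.append("common_password")
    return failures


if __name__ == "__main__":
    for candidate in ("Password1", "Tr0ub4dor&3", "short1A", "alllowercase"):
        print(candidate, password_failures(candidate) or "ok")
```

In production the lookup should be against the full list (or a hashed/bloom-filtered form of it) rather than an in-memory literal, but the structure of the check is the same.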
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) adds an additional check on the authenticity of users. It combines something you know (your username and password) with something you have (an authentication app on your smartphone or tablet, or a registered phone or mailbox). This second layer is designed to prevent unauthorised access to accounts even when a user's password has been compromised.
All Inherit Australia users are required to set up MFA with one of the following methods:
- the Google Authenticator app (time-based one-time codes)
- a mobile phone capable of receiving SMS codes
- a secondary email address to which a one-time code is sent
An authenticator app is the strongest of the three: SMS and email codes can be intercepted through SIM-swap attacks or a compromised mailbox, so use the app where you can.
Inherit Australia also uses device fingerprinting ('thumbprint') to detect suspicious behaviour such as concurrent sessions from different devices or jurisdictions. In those cases, users are required to re-authenticate with MFA even if a 30-day MFA re-prompt interval has been set.
Your responsibility
Data security is a joint effort between Inherit Australia, clients, referral partners and your team users. We continually invest in improving our data security; however, attackers are always looking for the weakest link in the chain. There are some steps you can take to improve security.
Tips for local data security:
- Always sign out of Inherit Australia when not in use, and at the end of the day.
- Do not reuse a password that you also use on another site.
- Use a dedicated password manager, such as LastPass, Keeper or Password Boss. Do not store passwords in a browser's built-in password store.
- Change your password regularly.
- Keep your internal systems, such as operating systems and anti-virus and anti-spyware software, up to date.
- Avoid downloading unauthorised applications.
- Clean up your downloads and recycle bin folders on a regular basis.
- Contact us immediately if an MFA device has been lost or stolen.