Data Security

Application Development

All software modifications follow a change management policy to guarantee proper authorization prior to integration into the production environment. Our development team follows secure coding guidelines, and we manually examine all code alterations for potential security or performance concerns. Our security architecture adheres to OWASP standards to counteract threats such as SQL injection, cross-site scripting, and DoS attacks.

We employ numerous methods at the application and architecture level to protect data security and to prevent malicious access. These include minimizing attack surfaces by design, input validation, output encoding, and Content Security Policy (CSP).

Data Isolation

We operate a multi-tenant SaaS application. Multi-tenancy allows multiple customers to use a single instance of an application layer while safeguarding the isolation of each customer tenant's application data. We have security protocols in place to guarantee the logical separation of tenants, ensuring that the actions of one customer cannot compromise the data or services of others. This logical segregation provides the scale and economic benefits of multi-tenant services while rigorously preventing customers from accessing one another’s data.

Your data belongs to you, not GlobalPatron. We prioritize your privacy, refraining from sharing any data with third parties without your explicit consent. Customers on the Enterprise plan can also opt to host their tenant on a dedicated, single-tenant data server and domain, providing an additional layer of both physical and logical segregation for enterprise use-cases.

Data Encryption

Data at Rest: All data in GlobalPatron is encrypted at rest using 256-bit Advanced Encryption Standard (AES), which is one of the strongest block ciphers available and is FIPS 140-2 compliant. Encryption keys are managed and regularly rotated.

Data in Transit: Data transmitted to our servers is encrypted in transit using Transport Layer Security (TLS 1.2/1.3). We have enabled the HTTP Strict Transport Security (HSTS) header for all web connections.

Data for Test Environments

Production data is never used in testing and development environments. Test data is carefully selected to ensure no personally identifiable information is used.

Data Retention & Disposal

We store your data in your account for the duration of your use of our services. Customers can opt to delete individual form responses or conduct bulk deletions through either the admin interface or the GlobalPatron API. Upon the termination of your account, your data will be eliminated from the live production database, and any file attachments uploaded will be removed within 30 days. Encrypted backups will retain your data until they surpass the 30-day backup retention window, at which point they will be destroyed in accordance with our data retention policy.

GlobalPatron provides multiple options for exporting data:

  • Via our user interface – Data can be exported directly into CSV (comma-separated values) files or Excel files with one click.
  • Via API calls – Data can be exported via API calls at any time.
  • Via 3rd party platforms – Copies of all data can be sent in real time to 3rd party systems on creation via Webhooks.

Infrastructure Security

Data Centres

GlobalPatron is hosted on Microsoft Azure infrastructure located in Australia (except for enterprise customers who have specifically requested local data residency in their own respective countries). We made a strategic choice to use the world’s leading cloud IT infrastructure provider that provides a robust, high-performing, and secure infrastructure set to meet the needs of our users. Microsoft Azure maintains numerous compliance certifications, such as ISO 27001, ISO 27018, SOC 1, SOC 2, SOC 3, FedRAMP, HITRUST, MTCS, IRAP, and ENS.

Network Security

We employ several network security and monitoring techniques to achieve multiple layers of protection and defence. We have firewalls and configurations in place to protect our platform from unauthorised access and malicious traffic. Our systems are split into separate networks to protect sensitive data. Testing and development systems are hosted in a separate network from production infrastructure. At the application layer, we utilise a WAF which operates using both whitelist and blacklist rules.

System Redundancy

Our platform is designed to be both scalable and redundant in both data and application layers. In the event of a server failure, another machine will be ready to take over immediately, allowing users to continue working as usual.

Operational Security

Vulnerability management

We conduct regular manual and automated vulnerability scans to identify weaknesses in 3rd party libraries, frameworks and protocols used by our platform.

Malware & Spam Prevention

We use DMARC as a means to thwart spam and authenticate the legitimacy of messages, as well as 3rd party security tools to prevent malware and spam via email. Additionally, we employ proprietary detection services and algorithms to identify misuse of GlobalPatron services, such as phishing and spam activities. We actively monitor signals from the software and address any abuse complaints.

Backup

We operate a comprehensive backup program where our backup measures are designed in line with system recovery requirements. Data is replicated across regions within the same country to protect from localized disasters, and user data is restorable for up to 30 days to allow recovery in the event of deletion or corruption. Point-in-time recovery within the 30-day backup period is supported.

Data Privacy

We recognize the significance of privacy to you, and we share that value. Upholding the utmost regard for your personal information, we are dedicated to safeguarding it while delivering our products and services. GlobalPatron is founded and operated in Australia, assuring you that your data and privacy remain securely onshore, with a firm commitment against any sale or sharing. This same commitment also applies to our international clients, who have the option of requesting local data residency in their own respective countries.

Our privacy policy has been developed in line with the Australian Privacy Principles, Privacy Act, and the EU’s General Data Protection Regulation (GDPR).