Solar Workplace is a framework that allows clients to have their own hosted Software as a Service (SaaS) product platform and has been designed with information security as the highest priority. The modern network architecture that we use is designed to be robust and secure for web hosting.
This policy outlines the specific application security that is built into the Solar Workplace product.
Solar Workplace sites and applications are hosted with our Infrastructure Partner vBridge, specialist providers of high-security, high-performance hosted compute infrastructure, based in New Zealand.
vBridge recognise the importance of data integrity and security and, with this in mind, have adopted a multi-node, multi-datacentre approach. All vBridge staff have passed the Ministry of Justice vetting process and have signed a confidentiality agreement.
The vBridge platform has been designed with a minimum of N+1 resiliency across all components. The hosting platform provides separation of all customers’ data and network traffic. vBridge controls physical security and stability using Tier 3 and Tier 2+ New Zealand Department of Internal Affairs approved Datacentres. These provide robust entry and access control along with high levels of physical protection against unplanned events.
vBridge is an ISO27001 certified organisation. This standard is widely recognised as the gold standard for information security. Their certification is maintained through ongoing auditing by an external ISO accredited provider along with their own regular internal audit processes.
vBridge maintains an Information Classification Matrix along with a Classified Information Handling Policy. All information stored by customers has a RESTRICTED classification.
vBridge Firewall as a Service (FWaaS) is a next generation firewall (NGFW) service enabling organisations to achieve best practice network security. This service is delivered from N+1 Fortigate Firewall Clusters. These next generation firewalls provide Full L4 to L7 configurable security policies along with industry leading IPS, SSL inspection and advanced threat protection.
Information is routinely retained in the format of Database Backups.
A full backup is taken daily, with incremental backups taking place hourly through the working day.
Backup Databases are stored on a secure server distinct from the Production (“Live”) Server, with periodic transport to “off-site” Data Centres to aid in the event of Disaster Recovery. Backups are also routinely restored and tested to ensure a robust recovery plan is in place.
| Backup Type | Retention Period |
| --- | --- |
| Daily – Full, taken every morning | 2 Days |
| Differential – Hourly between 6am and 6pm NZST, 2 hourly outside of this time | 2 Days |
| Monthly – Full, taken 1am on the 1st of each month | 45 Days |
| Weekly – Full, taken on Sunday Night | 14 Days |
| Schema | 90 Days |
| Folders (e.g. FTP, PS Scripts, Website Files) | 2 Days |
Notes:
Differential – this saves the changes between the previous snapshot and the current state. This means that over the course of any given day we can roll back to any given point within an hourly timeframe. The net effect of this is that the amount of potentially lost data is a maximum of 1 hr should a restore be necessary.
Folders – This refers to all a client’s individual files that make up their own Solar Workplace site – e.g. interfaces, file uploads, ftp data.
VM Backup – In addition to data and website backups, our entire server infrastructure is also separately backed up in the event of any need for disaster recovery (e.g. Earthquakes). This gives us an extra level of protection, and the resulting tapes are stored in a vBridge offsite facility but still within New Zealand.
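The 1 hr maximum-loss claim above only holds if the differential schedule is actually met, so a practitioner would want to verify it from the backup catalogue. The following is an added example (not Solar Workplace or vBridge code) that checks a constructed list of differential timestamps against the stated schedule (hourly 6am to 6pm NZST, 2 hourly otherwise) and reports missed slots and the worst-case data loss at a given moment; the small slack allowance and the naive NZST datetimes are assumptions.

```python
from datetime import datetime, timedelta

# Schedule from the retention table: hourly differentials between 06:00 and
# 18:00 NZST, two-hourly outside that window. Timestamps are naive datetimes
# assumed to already be expressed in NZST.
DAY_START, DAY_END = 6, 18


def expected_interval(taken_at: datetime) -> timedelta:
    """Interval the schedule promises for the differential that follows taken_at."""
    if DAY_START <= taken_at.hour < DAY_END:
        return timedelta(hours=1)
    return timedelta(hours=2)


def schedule_gaps(differentials, slack=timedelta(minutes=5)):
    """Return (previous, current, gap) triples for every pair of consecutive
    differentials whose spacing exceeded the promised interval plus a small
    slack for job start-up jitter (the slack value is an assumption)."""
    ordered = sorted(differentials)
    gaps = []
    for prev, cur in zip(ordered, ordered[1:]):
        allowed = expected_interval(prev) + slack
        if cur - prev > allowed:
            gaps.append((prev, cur, cur - prev))
    return gaps


def worst_case_loss(differentials, as_of: datetime) -> timedelta:
    """Age of the newest differential at as_of, i.e. how much data would be
    lost if a restore were needed at that moment."""
    latest = max(t for t in differentials if t <= as_of)
    return as_of - latest


# Constructed catalogue for one day; the 11:00 snapshot is deliberately missing
# to show what a missed daytime slot looks like.
SAMPLE = [datetime(2024, 3, 4, h) for h in (0, 2, 4, 6, 7, 8, 9, 10, 12, 13)]

if __name__ == "__main__":
    for prev, cur, gap in schedule_gaps(SAMPLE):
        print(f"missed slot: {prev:%H:%M} -> {cur:%H:%M} ({gap})")
    print("worst-case loss at 13:40:", worst_case_loss(SAMPLE, datetime(2024, 3, 4, 13, 40)))
```

Overnight the 2 hourly spacing (00:00, 02:00, 04:00) is accepted without a finding; only the 10:00 to 12:00 gap is flagged.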
The application and the web server technology have been specifically configured and designed to withstand the most prominent forms of attack. These include:
All Brighter Days staff are recruited via trusted partners and services, including direct referrals.
Background checks are performed on all staff validating identity, references, experience, and education. Additionally, and where legally permissible, this also includes police background checks.
As part of the on-boarding process, all staff are required to read and acknowledge understanding and adherence to internal policies and standards.
All staff are subject to a Terms of Employment contract, that clearly lays out requirements and expectations around privacy and confidentiality terms.
As part of routine maintenance, members of the Brighter Days teams may directly access the production (“Live”) server to perform tasks including, but not limited to:
No direct data access that might expose personal information is undertaken at any point during the above tasks.
On occasions – and at the client’s request – data is required to be transferred between the client and the Solar Workplace servers, typically during the initial project phase (e.g., loading of employee profiles).
All data transfers take place over a secure FTPS channel, with access permissions routinely reviewed.
Client-facing access to the Solar Workplace web application has multiple layers, ensuring security at multiple points. From the initial login, users will only have access to view, modify, create, or delete what they have been granted access to.
Access to specific process, entity, or user records can only be granted by designated Super Users.