Your Privacy and Data Security Matters
Your personal health, medical and emergency contact details are sensitive and private information, and we’ll keep it that way. Operoo is a secure site, designed with privacy and security as our highest priorities. We apply stringent processes to keep your data safe throughout design, development, testing and day to day operations.
- The Company will NEVER share or rent your data to anyone without your consent.
Account and Password Protection
- Your account is always password (or fingerprint) protected, and we utilize a strong password policy and non-reversible hashing for storage of the password.
- You have the additional security option to enable Two-Step Verification (also known as Two-Factor Authentication), which prevents anyone from accessing your account without possessing your physical device.
- The security sub-layer is capable of detecting any anomaly within the system to proactively prevent malicious activities and alert our security staff.
- Operoo will always notify you by email when your account has been accessed from a new device.
- Operoo uses military level security – the highest standards in Internet and data security.
- Data is always encrypted at rest and in transit.
- Our security layers include strong cryptographic implementations (such as 256-bit encryption and 256-bit encrypted TLS systems using the Advanced Encryption Standard) and defense-in-depth network protection (with multiple firewalls and active monitoring systems).
- Operoo has an ongoing security and compliance program that includes penetration testing, vulnerability testing and code reviews by independent third parties.
- Operoo’s network is designed with security in mind. This includes intrusion detection firewalls and monitoring.
- The Company regularly conducts penetration testing and threat modelling to ensure our network is properly secured and up-to-date.
Security monitoring and optimisation
- The Company actively monitors to detect intrusions into our system, and hires security experts to conduct periodic security reviews and vulnerability assessments.
- The Company continuously optimises its security infrastructure, both within the application code and across our network/system platform.
Mobile Data Security
- The Operoo App is registered on a device using your unique username and password. A second-factor code or fingerprint is then required to access data.
- Data is only accessible by authorised users with that unique username and password.
- All data transfer is handled over SSL secure connections. Operoo uses an “Extended Validation” SSL site certificate so that users can be sure they are talking to Operoo when accessing the data.
- When the Operoo App is accessed on a mobile device or tablet, the data is stored in an encrypted format to give authorised users access to emergency information, even when they are offline or outside mobile range.
- Data that is stored on your device automatically expires and is deleted from local storage after a set period of time, unless authorised users re-synchronise with the server.
- Data that is no longer authorised is automatically deleted from local storage.
Infrastructure and Hosting
- Operoo’s physical infrastructure is hosted and managed within Amazon’s secure data centers, utilising Amazon Web Services (AWS) technology.
- AWS data centers are state of the art, utilising innovative architecture and engineering approaches. AWS provides a highly reliable, scalable and secure infrastructure platform that powers hundreds of thousands of businesses in 190 countries across the world.
- Your data is stored on servers in your region, and will never be stored outside of that region:
  - Asia Pacific user data is stored in Australia (Sydney)
  - European user data is stored in Ireland (Dublin)
  - United States user data is stored in the United States (California)
- The Company backs up your data in the same region every hour.
Disaster Recovery and Business Continuity
- Operoo’s physical infrastructure is hosted and managed within Amazon’s secure data centers, utilising the redundant services of Amazon AWS. AWS provides a highly reliable, scalable and secure infrastructure platform designed to tolerate system or hardware failures with minimal impact.
- The Operoo System consists of various service components that are all load balanced across multiple redundant instances. This ensures that any single hardware or data centre failure does not impact the delivery of our services. In addition, by hosting our servers in the AWS data centers, we take advantage of Amazon’s redundant power, environment and internet connectivity systems.
- Our databases are provisioned using Amazon’s RDS service, which gives us the ability to do point-in-time recovery. The Company periodically tests its Disaster Recovery Plan by practicing starting new instances and restoring databases within the AWS infrastructure. Any hidden or unknown dependencies found during these tests are identified and logged for remediation.
- The Company’s business continuity plan also takes into account the continued operation of the head office in Melbourne, Australia, and the availability and backup of key staff required for continued delivery of our service.
Security and Privacy Compliance
- AWS computing environments are continuously audited, with certifications from accreditation bodies across geographies and verticals including ISO 27001, FedRAMP, DoD CSM, and PCI DSS.
- AWS is fully compliant with applicable EU data protection laws, and the AWS Data Processing Agreement incorporates the Article 29 Working Party Model Clauses. This means that users wishing to transfer personal data from the European Economic Area (EEA) to other countries can do so knowing that their content in AWS will be given the same high level of protection it receives in the EEA.
- The Company has implemented a robust information security and privacy program in accordance with relevant industry standards and required regulations, including HIPAA and FERPA. As part of this program, a) all staff must complete Information Security Training as part of their on-boarding and then once a year thereafter, and, b) all staff must demonstrate an understanding of the regulations surrounding the handling of sensitive data.
- In the event of a suspected data breach, the Company has a Critical Incident Response Team (which includes our Data Protection Officer, Developers, and Senior Management), and a Data Breach Policy Notification and Incident Response Plan that is reviewed annually.
- The Company is a signatory of the Student Privacy Pledge, which is a commitment to safeguard student privacy regarding the collection, maintenance, and use of student personal information.