Information governance and security management

Aridhia’s General Counsel acts as our Data Protection Officer and Compliance Officer, ensuring that the company is aligned to all internal and external policies, laws and regulations. The General Counsel is also a member of the company board.

Our Information Security manager is responsible for the day to day operational security, risk management and incident management, reporting into the COO.

Our Security Review Board provides oversight and direction relating to information security across all aspects of the Company.

General Data Protection Regulation

Aridhia achieves compliance with GDPR through the implementation of policies and processes which ensure that:

• Information is processed on a lawful and transparent basis.
• Strong data security is achieved through design.
• Information security governance and accountability within Aridhia is clear.
• Individual privacy rights are respected.

Software Development Lifecycle

In developing the DRE, Aridhia follows the OWASP Top 10 guidelines and uses tools to ensure our software complies with the OWASP best practice framework and that a “security by design” approach is followed.

We have many measures in place to ensure we follow a secure software development process, including:

• Coding controls are implemented.
• Privacy Impact Assessments are conducted.
• Frequent regression tests both automated and manual to ensure any work for new features does not introduce security flaws.
• Separate and secured development and test environments.
• Vulnerability scanning process.
• Regular penetration tests are conducted by independent security companies.

Hosting

Aridhia’s services are hosted within the Microsoft Azure cloud platform in the relevant country/region of your choice. Azure has all relevant information security and cloud certifications, including ISO 27001, ISO 27701 and CSA STAR.

All instances of the Aridhia DRE are deployed for specific customer organisations who may adapt our information governance framework to suit their needs. Aridhia is always the data processor and the customer remains the data controller. Your use of the DRE is also governed by an agreement with that customer organisation.

Access to your data

We will not view your data unless you explicitly instruct us to. You may ask us to resolve a problem you are experiencing with the system, in which case we may need to access your workspace – again we will not do this unless you confirm that you are happy for us to do so.

You might ask us to do some technical work to review your files or you may require professional services from our Enablement team. These use cases may require us to access your data – but it will happen only if you ask us to and we have received authorisation from the appropriate individual and/or committee.

Security Controls

Within the DRE, security controls include:

• All user access is via HTTPS URL protected by a rooted certificate issues by DigCert SHA2 Secure Server CA, utilising sha256RSA signature algorithm with sha256 signature hashing algorithm. Will only utilise TLS 1.2 protocols or above.
• Encryption in transit. All internal network traffic is protected by HTTPS or, TLS 1.2 or above protocols.
• Encryption at rest. By default, Microsoft Azure encrypts data using FIPS 140-2 compliant 256 AES encryption for storage accounts and virtual machine disks.
• Two-factor authentication is required to access DRE services.
• The secure Workspace boundary is created through a virtual network configuration and enforced through a permissions model.
• An Intrusion Detection System and Intrusion Protection System is implemented with security alerts automatically raised to Aridhia’s Service Desk Team.
• Data upload and data extraction is only permitted through an approval process.
• All uploads go through a malware scanning process.
• Full audit reporting of events.

Operational Processes

• OS patching (scheduled and ad hoc in the event of emergency updates).
• Nightly back-ups of the environment.
• All support teams have separate privileged admin accounts and these require 2FA. All support team actions are logged.
• Regular audits of the privileged accounts
• All Aridhia employees who have access to the operational environment go through a criminal record check.
• Mandatory security training at inductions and periodic refresher training for all employees.
• All changes to the platform are subject to change control.
• Incident management and CSIRT processes.
• Monthly audit of key ISO27001 controls.
• Quarterly BCP/DR exercises.