Version 2.9 - Effective from May 2022

Harvest Digital Planning (Harvest) understands the importance of an effective information security management system to protect the confidentiality, integrity and availability of all information assets from potential threats.

Our strong commitment to security is reflected in the implementation of our security policies, processes, controls and alignment and compliance with international standards.

The Security Statement is aimed at being transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected.

Security Policies

Harvest has established an information security policy foundation, as part of its Information Security Management System (ISMS) to provide clear guidance for management and staff in order to protect the confidentiality, integrity, and availability of customer data. Harvest maintains, regularly reviews and updates its information security policies on a regular basis.

Compliance

Information Security

Harvest has achieved ISO 27001 certification. The certification process involves an extensive independent, expert assessment of an international set of standards for developing an Information Security Management System (ISMS) to ensure that our systems effectively identify and manage security risks with the entire organisation.

A copy of the ISO 27001 certificate can be provided by Harvest upon request.

Privacy

Harvest respects the rights and privacy of all individuals and is committed to protecting the personal information it holds and complying with various Privacy Acts and Principles including Europe’s General Data Protection Regulation (GDPR).

More information: https://the-hive.com.au/privacy-policy

Technical review

Harvest undertakes annual independent penetration testing of its product, services and infrastructure. The last penetration test was performed in November 2021.

In addition, security and penetration testing has been performed on the service, organized by the customer themselves. Several customers have undertaken a security audit and penetration tests of the service within the last 24 months.

Each customer has various standards with regards to the frequency of security and vulnerability testing. Some customers test annually, others test more frequently, such as monthly. Additionally, we are often subject to penetration tests before sites are launched. Overall, the application would be subject to many security and vulnerability tests over the course of a year, and any remediation work entailed would be applied to all customer sites and infrastructure.

Data Hosting and Physical Security

Harvest utilises the public cloud to develop, build and deploy all its infrastructure and services. Specifically, Harvest utilises Amazon Web Services (AWS) for all its cloud hosting and server infrastructure.

All data, including backups, are hosted within the customers federal jurisdiction, or closest acceptable location. For instance, Australian and New Zealand customers are hosted within a data centre in Sydney, NSW, Australia. USA customers are hosted within a data centre in Oregon, USA. Canadian customers are hosted within a data centre in Montreal, Québec, Canada. European customers are hosted within a data centre in Ireland.

The AWS Data Centres that host Harvest's customer information assets are housed in secure nondescript facilities and physical access is strictly controlled both at the perimeter and at the building ingress points.

Personnel Security

All Harvest personnel are required to complete a Police Check and undergo other identity and background screening checks at the time of hire. In addition, Harvest communicates its information security policies and conducts specific security training to all personnel.

All new personnel are required to acknowledge and sign non-disclosure and confidentiality clauses as part of their employment agreements.

Asset Management

Harvest information assets are managed in accordance with its information security and asset management policies. which includes the identification, classification, labeling, handling, retention, and disposal of information and assets.

Access Control

Administration

Harvest has established an Access Control Policy and procedures, which outlines the general principles of access control, including how personnel should be provided access to Harvest premises, applications, and networks and infrastructure.

Harvest grants access initially with least privilege rules, reviews permissions regularly, and revokes access immediately after employee termination.

Harvest has established a Password Management Policy, which outlines how passwords should be selected by personnel and managed within Harvest applications.

Harvest personnel access to The HiVE requires multi-factor authentication.

Server access

The HiVE server infrastructure is protected by network security and solutions (AWS VPC controls) to secure data at rest. All production servers are in a private subnet -there is no ability to connect to the servers directly.

A select number of authorised staff have access to manage infrastructure and services as well as create, modify and delete data. Access and authentication to Harvest servers requires the use of a valid SSH key via a jump host.

User and role based access

Only privileged access is granted to personal or submission data through the platform. Privileged access is restricted and controlled through role-based access and user group permissions.

Each group and role have different permissions and access to different features of the platform. Additionally, access control within The HiVE can be customised for each user role if required.

User passwords

The HiVE provides the ability to establish minimum complex password requirements. Complex passwords can include several requirements such as:

  • Minimum length
  • Maximum length
  • Uppercase characters
  • Lowercase characters
  • Numbers
  • Special Characters

All passwords stored in the database are hashed.

Managing user access

Site Administrator accounts within The HiVE can manage all user accounts including adding new users and deactivating old user accounts. Site Administrators are responsible for maintaining and reviewing all user accounts and access.

Encryption

Data in-transit

The HiVE uses Transport Layer Security (TLS) encryption (also known as HTTPS) for all transmitted data, including user submissions and reporting. Internal API requests are required to pass through a secure gateway and are validated via an encrypted JSON Web Token (JWT).

Data at-rest

The HiVE uses Amazon’s Aurora Cloud Database Service for its cloud database storage. Each Aurora instance has encryption enabled meaning data is encrypted at rest, including the underlying storage for a database (DB) instance, its automated backups, read replicas, and snapshots. This capability uses the open standard

AES-256 encryption algorithm to encrypt the data.

Software Development

Harvest has established a Secure Development Policy which outlines how development and operational activities should be managed and conducted in a secure manner.

Development, testing, and production environments are separated. Harvest uses a strict development workflow to test all new releases. All application changes must be peer reviewed, tested and accepted prior to deployment into the production environment.

All Harvest source code is stored within a dedicated and secure code repository.

Backup and Recovery

Harvest’s databases are protected by backups of the database and files occurring every 24 hours. This service is intended for the purposes of Disaster Recovery relating to data corruption.

Backups of the data are stored in the same region as the customer's production data. Harvest uses AWS S3 for data and backups, and for redundancy purposes S3 objects are stored across multiple devices spanning a minimum of three Availability Zones.

Furthermore, Harvest maintains a formal Business Continuity & Disaster Recovery Plan (BCP). The BCP is tested and updated on a regular basis to ensure its effectiveness in the event of a disaster.

Data restoration is only possible from the time of the nearest daily recovery point closest to the corrupting incident.

Logging, Monitoring and Availability

Logging

The HiVE stores a range of logs at both the infrastructure and application levels.

Infrastructure logs are sent to and ingested by a centrally managed application and are kept on a 90-day rolling cycle. Access to the application logs is controlled and limited to authorised staff who have a valid login.

The HiVE application logs a number of events related to the following key functions:

  • User events
  • Page events
  • Block (content editing) events

Application event logs are kept indefinitely, unless the service requires historic event logs to be archived due to size concerns. By default, application events can only be accessed by authorised Harvest administrators via the dashboard and downloaded via csv.

Harvest will provide customers with reasonable assistance and access to logs in the event of a security incident impacting their site and data.

Monitoring

The Server infrastructure, application and automation scripts are continually monitored, and internal staff are notified via email and instant messaging of any exceptions or downtime.

Availability

Harvest will use commercially reasonable efforts to provide a Service that has a Monthly Uptime Percentage of at least 99.95%, unless otherwise noted within the terms of the contract agreement. Ongoing monitoring of the Service is undertaken by Harvest to calculate uptime however the uptime percentage does not include any time for scheduled maintenance.

Information Security Incident Management

Harvest has established an Information Security Incident Management Policy which outlines Harvest’s methodology for identifying, investigating, resolving and reviewing all types of information security incidents.

If a security incident has occurred or is suspected we would follow the following process:

1. Contain - Our immediate goal, once a security incident has been discovered, would be to immediately take action to limit the incident or breach.

2. Assess - We would gather and evaluate as much information about the incident or data breach as possible. This would include:

a. A determination of the impact and number of affected users

b. the types of personal information involved in the data breach

c. the circumstances of the data breach, including its cause and extent

d. the nature of the harm to affected individuals, and if this harm can be removed through remedial action

3. Notify - We would notify the customer as soon as the incident has been contained and assessed. If the security incident was ongoing, or the assessment was taking longer than expected we would provide the customer continual updates as to the status of the incident.

4. Review - We would undertake a review of the incident, to better understand its root cause and determine methods for preventing similar incidents in the future.

5. Incident Management Report - Lastly, a report would be supplied to the customer to formally document and outline the cause of the incident, the duration, impact, resolution and future prevention methods.

Additional information

For additional information regarding security and privacy please refer to the Terms of Service provided to each customer or contact Harvest directly to discuss.