Managed Data and Security
We understand that protecting our customer data is a very important responsibility. Thousands of Agencies trust Managed with their data, and we’re continually improving our security processes.
All of your data is stored within Amazon AWS servers. You can view AWS security information here.
We use a High Availability (HA) cluster that spans three different Availability Zones (AZs), AP-Southeast-2-A, B and C, which are the AWS Sydney data centres. This means that if one AZ becomes unavailable, traffic is automatically routed to the available zones with no interruption.
Our data storage is also HA, provided by a managed Amazon RDS database service. This means there isn’t a “single” database (which could fail), but rather the workload is spread across many. We use Amazon Simple Storage Service (S3) for storing static files such as property images.
Our web application is accessed only via HTTPS. Each connection your browser or phone makes is encrypted and authenticated with an SSL security token.
All passwords are also encrypted, and can only be reset rather than retrieved. Our staff are required to use 2FA where available, and they use a password vault management tool.
Our application does not store any credit card or billing information. We process payments using Assembly Payments, which is a secure, PCI 1 compliant company backed by Westpac.
You can view Assembly’s information here:
When a user enters billing information such as bank account or credit card details, this information is pushed directly to Assembly. Assembly then creates a unique token ID, which the Managed App then uses to conduct transactions. At no point do we store or have access to the bank or credit card details.
Secure data protection
Our internal Data Protection policy states that customer data is never stored on our local or production servers. Production and Staging credentials are separated between the Support and Engineering teams. Both the Support and Engineering teams are locally based in Sydney. Our Engineers are not able to access Production Data or other sensitive information without making a specific request.
GDPR and Privacy
We know that the customer data we store is important and we’re responsible for handling this properly. Our engineering staff have regular Privacy training, and we have documented procedures for handling and processing sensitive information.
The European Union General Data Protection Regulation (the GDPR) contains new data protection requirements that will apply from 25 May 2018. Managed App is an Australian business servicing Australian customers, so while the GDPR doesn’t specifically apply, the GDPR and the Australian Privacy Act 1988 share many common requirements, including requirements to:
- implement a privacy by design approach to compliance
- be able to demonstrate compliance with privacy principles and obligations
- adopt transparent information handling practices
There are also some notable differences, including certain rights of individuals which do not have an equivalent right under the Privacy Act. More information on the differences can be found here.