Formbay Solar | Security

Security. Built in.

Security is often a deciding factor in the success or failure of companies and only a single breach can result in an irrecoverable loss of public trust. As such security is of the utmost importance at Formbay and we strive constantly to protect our customers data and our IP moving within our infrastructure and at rest. That is why we are a trusted industry partner of federal government departments and large corporate enterprises

This document provides a high level overview of some of the key security terms and domains which we use to protect the security of our customers data, our data and our own IP and reputation

Secure, redundant, state-of-the-art cloud infrastructure

Formbay applications and data are hosted on AWS a secure, redundant, state-of-the-art cloud infrastructure located at geographically distributed locations within Australia in Sydney based instances.

Hosting locations are carefully selected to mitigate environmental risks, such as flooding, extreme weather, and seismic activity.

Every server in each Formbay data centre is protected with a constantly updated, industry-leading firewall.

Our cloud service providers hold industry certifications that include SOC1 Type II, SOC2 Type II, ISO27001:2013, Cloud Security Alliance STAR, among others.

Application availability, back up and data recovery

High data availability & easy backup and recovery

Our data is stored on Amazon S3, a highly durable storage infrastructure designed for mission-critical and primary data storage.
Objects are redundantly stored on multiple devices across multiple facilities in an

Amazon S3 Region.

This is designed to provide 99.99% durability and 99.99% availability of objects over a given year.

Our core applications are deployed to an N+1 UPS standard, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Pro-active intrusion detection & prevention

Proactive intrusion monitoring and prevention

Formbay implements network and ISP grade firewalls to provide IP filtering and intrusion detection protection.
All activity on the platform level is tracked and securely recorded using AWS CloudTrail audit logging. This gives us

visibility into user and resource activity by recording AWS Management Console actions and API calls. We can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.

We use AWS Cloudfront which come with AWS DDos protection service AWS Shield, giving us the possibility to block attackers based on geographic source.

AWS Shield provides always-on detection and automatic inline mitigations that minimise application downtime and latency.

Segmented application architecture & controlled access

Access to system credentials is regulated and controlled by Identity and Access Management (IAM) policies. These policies use granular permissions to allow each application access to the specific credentials it needs to perform it's tasks.

The platform providing our encryption service is both highly available and durable. No one, including Formbay staff or AWS employees, can retrieve the plaintext encryption keys from the KMS service.

End-to-end encryption

All Formbay customer data and metadata is encrypted at rest using an industry-standard AES-256 encryption algorithm. Encryption and decryption work in the background with minimal latency, and are transparent to users, applications, and

services.

All server file systems, object stores and databases are encrypted in this way. System credentials and configuration data are securely separated from the code using the AWS SSM Parameter Store. Encryption keys are managed securely using a the AWS Key Management Service (KMS). The KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect the keys.

Inside the Formbay application we maintain audit records with AWS CloudTrail to provide secure auditable logs of who used which keys, on which resources, and when.

Regular third-party audits & penetration tests

Formbay submits to regular third-party audits of our customer data handling, processing and storage systems. These help to ensure we exceed all statutory and regulatory requirements for our data handling and quality management systems

and processes.

We also engage in regular third-party penetration testing of our infrastructure and applications. These help us to proactively determine weaknesses in our IT systems and in our people and processes in order to constantly improve our security.

Internal Network & building security

Formbay uses a third-party cyber security expert to secure all office hardware security, including our office firewalls, malware detection on laptops and servers. Formbay offices are secured with 24/7 security cameras, building security,

intercoms systems and alarms.

No un-authorised personel are allowed entry into our offices, with all staff issued security tags to gain entry.

Security is everyone's responsibilty

We practice the Principle of least privilege (POLP) which is limiting access rights for users to the bare minimum permissions they need to perform their work. We also believe "Security is everyone's responsibility" and not just the function of

the security team.

Staff are provided training in secure operations and educated on our Security Policy.

ISO Certification

Formbay is an ISO 9001:2015 and ISO 27001:2013 certified company. We focus on continuous improvement of our products and services to consistently meet our customer's expectations while ensuring a high level of data protection

using best-known and most widely-used quality and information security standards.

24/7
Security operations
256-bit
SSL/TLS secured between application
99.99%
Uptime guaranteed