Security Measures
Last Updated 5 September 2024
This document describes the organisational and technical measures implemented by Edexia Pty Ltd (Edexia) in order to protect personal data and ensure confidentiality, integrity and availability for the Edexia Software.
This document covers only the measures implemented by Edexia. Where data is handled by sub-contractors or subprocessors, we have separate agreements in place. Please refer to the Subprocessor List for detailed information about these providers and their terms of service.
From time to time Edexia may change these measures. This may mean that we replace existing measures with new measures or implement entirely new measures. These changes will never be intended to degrade overall security, but to improve or evolve protocols to deal with new or emerging threats, changes to laws or regulations, or the adoption of new security standards.
Within this document, the following definitions apply:
- “Customer” means any Licensee of the Edexia Software.
- “Edexia Software” means the Edexia software products licensed by Edexia to the Customer pursuant to a Service Agreement.
- “Personal Data” means any information provided or submitted by the Customer or Customer’s authorised users in connection with use of the Edexia Software, in each case relating to any identified or identifiable natural person, that Edexia processes on behalf of Customer.
- “Personnel” means all Edexia employees (permanent, contract, casual, full-time and part-time), Edexia’s contractors and any other people or organisations working for Edexia or on our behalf.
De-identification Process
Edexia employs an advanced approach to protect sensitive information through a robust de-identification process. This process is designed to safeguard data privacy while enabling the use of the latest AI technologies.
Measures include:
- Self-Hosted Foundational Model:
  - Edexia has developed its own foundational model specifically for de-identifying sensitive data.
  - This model is self-hosted and operates exclusively within our secure servers located in Australia through AWS.
- Pre-Processing of Sensitive Data:
  - All sensitive information is processed and de-identified by our foundational model before any interaction with external AI services such as OpenAI.
  - This ensures that no identifiable information leaves Australian servers.
- Safety Guardrails:
  - The de-identification process incorporates robust safety guardrails to prevent accidental exposure of sensitive information.
- Data Privacy:
  - Customer data is not used to train underlying foundation models.
  - Customised models are accessed only by customers of Edexia, ensuring data privacy.
- Encryption:
  - All data is encrypted at rest using AWS Key Management Service (KMS).
  - Data in transit is encrypted using TLS 1.2 (minimum).
- Compliance:
  - Supports compliance standards including ISO, SOC, and CSA STAR Level 2.
Physical Security
These measures protect your data from physical access by unauthorised personnel. They cover data stored by Edexia and do not cover cases where the customer is self-hosting their own data.
Measures include:
- Edexia utilises Google data centres to store customer data, further information regarding the physical protections provided by Google Cloud.
- Your data is hosted in Google Cloud’s Asia Pacific (Sydney) Region.
- Edexia ensures all data is encrypted at rest within Google Cloud to ensure that physical access would not allow access to the data.
System Updates
To protect our systems from exploitation due to publicly known vulnerabilities, we will ensure all our systems are running the latest security updates.
Measures include:
- We ensure that all operating systems within the organisation are currently supported with security releases.
- We ensure that appropriate Personnel receive alerts and notifications from system software vendors and other sources of security advisories and install system software patches regularly and efficiently.
- Review product dependencies every 6 months to ensure we are running the highest compatible versions and make appropriate changes to ensure we remain on supported versions.
- We ensure all Personnel are running up-to-date software on their devices.
- We ensure all Personnel are running up-to-date anti-malware software on their devices.
Data Access
In order to provide our customers with high quality support services, we may require access to customer data in order to help diagnose issues, provide training services and migrate data. We recognise that with this access we have a great deal of responsibility to protect the data that customers have entrusted to us.
Measures include:
- Edexia has a policy that data will only be accessed on an as-needed basis; it will never be accessed for any purpose other than to provide our services as requested.
- Edexia has a policy that customer data will never be exfiltrated or moved from its primary location unless explicitly requested or authorised by the customer.
- Our Personnel will never share Personal Data with unauthorised persons. Only nominated people within your organisation can access Edexia support and communicate with our Personnel.
- Edexia may collect usage data regarding the system, but this data will always be anonymised and will never include any identifiable information.
Data Transmission
When data is being transmitted across networks, specifically public networks like the internet, it is at risk of being intercepted, manipulated or stolen during transfer.
Measures include:
- When transferring data over the internet, we will utilise HTTPS with TLS 1.2+ for web traffic and SSHv2 for all other traffic.
- Where possible, we will avoid sharing secrets and certificates. Where this is not possible, secrets will be shared via one-time-use links.
Development Process
Edexia implements administrative and technical controls to ensure that all code developed is designed, architected and delivered in the most secure ways possible.
Measures include:
- Edexia has a central repository of code that is only accessible to authorised Personnel. All code contributions to this repository must be reviewed by senior development engineers and pass multiple automated checks before they are authorised to be part of a release.
- Edexia has automatic scanning of code dependencies and supply chain exploits and regularly updates packages.
- The release process is fully automated and must pass a series of automated testing suites before passing. All releases require the supervision and approval of the CTO. Releases must first be delivered to staging environments and tested thoroughly before they can be deployed to production.
Availability and Data Sovereignty
Edexia takes a number of steps to ensure your data remains protected from accidental destruction or loss. Edexia ensures that you have access to your data and that it can be exfiltrated from our systems if required.
Measures include:
- The Personal Data you provide to Edexia remains your property; we do not claim ownership or control over your data. You are responsible for the data that you store in our systems; you must ensure that it does not infringe on the rights or privacy of any other parties and that it is held in accordance with relevant privacy legislation.
- Edexia has business continuity plans in place to manage the risk of key Personnel and infrastructure incidents.
- Edexia has made commitments to comply with all laws applicable to the provision of the services by us, including applicable privacy laws.
Data Separation
Personal Data from one Customer is always logically separated from that of other Customers, as well as users managed by the customer (such as students).
Measures include:
- File storage is logically separated for each customer.
- Each Customer has their own unique secrets and credentials to ensure that their access cannot be used to access the database or files of other customers.
- We use cloud-based data storage solutions for managing PDF documents uploaded by users to our services.
- These documents are stored on Google Cloud, which helps us organise data in a structured manner using parent folders.
- File names are solely used for storage purposes and are not processed or utilised in any other way.
- Access to these documents is restricted to ensure that users can only access their own uploaded data.
- Users have the capability to safely and completely delete their data.
- Data fetching is conducted by the parent folder rather than by file name, which enhances data retrieval processes.
- The AI systems involved in managing these documents do not have knowledge of the file names; they only process the contents within the files, and this content is de-identified beforehand.
- The infrastructure logs, metrics and usage data are centralised for the purposes of monitoring and observation. We take all reasonable precautions to anonymise this data where possible; however, it may from time to time contain Personal Data for the purposes of auditing and identification of system faults or errors.
- If we provide access to data for the purposes of auditing to Customers, we will ensure the data provided is related to the requesting Customer only.
Incident Management
In the event of any security breach of Personal Data, the effect of the breach is minimised and the Customer is promptly informed.
Measures include:
- Edexia maintains a data breach response plan and a process for how to mitigate various types of incidents.
- The usual notification periods for updates will be waived in the event of a serious security incident and updates may be deployed immediately to mitigate any further security incidents.
- Edexia maintains detailed audit logs and ensures time is synchronised across systems to facilitate forensic examination.
- In the event of a Data Breach where there is an expectation of harm, Edexia will notify affected Customers without undue delay after becoming aware of the Data Breach. This notification will occur via email, to the registered technical and key contacts.
- When communicating a Data Breach, we will include details of who is impacted, what the potential impact is and any steps we have taken to prevent further harm.
- Where applicable, Edexia will notify the relevant regulatory authorities to report the breach.