Data Security FAQ

By /

Semmel treats the protection of customer data as critical. We guarantee the integrity, confidentiality and availability of our customer’s data by implementing best practice security controls and policies.

This article covers:

Who owns my data?

You are the owner of your data and you are ultimately responsible for it. We provide security functionality to protect your data. Semmel manages your data based on our contracted agreements and privacy policy.

Is my data secure?

Semmel takes data security seriously and invests in protecting your data. We put security measures and maintain policies and procedures to comply with required data security standards, and we continue to take all the necessary measures to improve our information security level. Semmel operates from AWS servers which have extensive security certification detailed here. We will never sell, share or otherwise distribute Personally Identifiable Information, except as required of us by law enforcement agencies. We do use internally anonymised data to support our product development and improvement processes and to produce aggregated statistical data benchmarks. Neither of these uses exposes any risk of personal identification.

From owning, storing, transferring, accessing, backing up, monitoring, to testing & reviewing our security procedures, every aspect is covered to meet industry best practice standards.

  • Integrating with best security standards practices in the industry: Semmel invests in protecting your data. We put security measures and maintain policies and procedures in place to comply with required data security standards. We continue to take all the measures needed to improve our information security.
  • Complete control over permission-based segregated data: Using our permissions system only the people you identify have access to the data relevant to them.  Your data is secure in every stage, end-to-end, throughout the journey.

Who can access my data?

Your team – will have access to the data, using Semmel credentials that you will manage, or via SSO (SAML 2.0). You can control who can view, edit, upload and download any information or document based on their configured access.

Our team – authorised Semmel personnel as defined in our security policy can gain access to your data. Any Semmel team member doing so will be performing specific tasks on your request via our support desk.

Is my data backed up?

Our data center back up all the data in Semmel at least once a day. The data is fully restorable for disaster recovery purposes.

Where is my data stored and is it secure?

Semmel’s infrastructure operates from Amazon Web Services (AWS) servers, with the option of storing your data within the Singapore region which has extensive security certification, including ISO 27001 Security Management Controls, ISO 27018 Personal Data Protection, and SOC 1, 2 and 3 amongst many others – see more detailed here. We put security measures and maintain policies and procedures to comply with required data security standards our data centres are in alignment with the Tier III+ guidelines, we continue to take all the necessary measures to improve our information security level.

We encrypt all data in transit and at rest, in all services. We protect these encryption schemes by using AWS managed security such that none of our engineers have access to the private keys. We use AES 256 based encryption keys.

Is the transfer of my data secure?

We always use SSL for all transit of data (including internal inter-service communication), a minimal set of open ports (basically just HTTPS and VPN) and a defence-in-depth strategy where we assume edge facing services could become compromised and that internal services need to be just as hardened as external (we treat everything as if it was on the public internet). 

We limit the duration of Semmel sessions and will automatically log you out after a certain time.

How do you use my data?

We use Anonymised data to support our product development (internal use only) and calculate broad statistical benchmarks (that can in no way identify an individual or Customer). Semmel confirm that all data used will be “Anonymised” for this purpose and therefore cannot be personally identified in any way. We also track customer interactions with our system, this information is useful to understand how effectively certain product features are operating, particular from a User Interface perspective.  These insights are critical to helping us develop the best possible product experience for you, and our approaches are best practice for advanced SAAS developers.

How do you monitor activity in Semmel?

We log web server traffic metadata including source IP, user and URL but without data payload. Changes in our database raise events which are logged. The availability and performance of the application is continuously monitored to ensure extremely high uptime and immediate response to any failure. These logs are only available to senior engineering staff for troubleshooting application issues to protect the privacy of your data.

What type of network security do you have?

Semmel protects your data with a secure network and other multiple security protection and technology measures, including:

Protection

Our network is protected through the use of key AWS security services, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.

Architecture

Our network security architecture consists of multiple security zones. More sensitive systems like database servers are protected in our most trusted zones.

Network Vulnerability Scanning

Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.

Penetration Tests

In addition to our internal scanning and testing program, each year we perform a broad penetration test across the Semmel Production Networks.

Intrusion Detection and Prevention

Service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.

DDoS Mitigation

Semmel has designed a multi-layer approach to DDoS mitigation making use of available AWS tools.

Logical Access

Access to the Semmel Production Network is restricted on an explicit need-to-know basis and utilises least privilege.

Security Incident Response

In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.

Encryption in Transit

All communications with the Semmel platform and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Semmel is secure during transit. Additionally, for email, our product leverages opportunistic TLS by default. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol. Exceptions for encryption may include any use of third-party apps, integration, or service subscribers may choose to leverage at their own discretion.

Encryption at Rest

Service Data is encrypted at rest in AWS using AES-256 key encryption.

Do you provide availability and continuity?

Redundancy

Semmel employs service clustering and network redundancies to eliminate single points of failure. Our backup regime allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.

Disaster Recovery (DR)

Our Disaster Recovery program ensures that our services remain available and are easily recoverable in case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.

Security Awareness

Policies

Semmel has a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to Semmel information assets.

Training

All employees attend Security Awareness Training, which is given upon hire and annually thereafter. All engineers receive annual Secure Code Training. The Security team provides additional security awareness updates via email and/or our Employee Handbook.

FAQs from IT Department

If you’re storing multiple tenants within your cloud infrastructure, what security measures prevent one customer accessing another customer’s data?  Is our data segregated from other customers?

Depending on the data model we either are using a schema-level separation or a tenant key to ensure data queries cannot expose cross-tenant data leaks. We treat the code that controls tenant segmentation as critical with extensive code review for any changes. We also ensure development culture is incredibly focused and educated on any potential cross-tenant leakage possibilities.

How are you sure that new code releases do not have negative impacts upon security?

Infrastructure as code and highly automated development pipelines. We only deploy changes to production via automation. This allows us to test and predict the outcome of any change in our staging environment and utilise automatic testing to provide a very fast, very reliable QA and deployment process. This speed and reliability allows us to be aggressive on updating web application dependencies to close vulnerabilities as soon as they are discovered and patched. In the modern web development world this is critical due to the number of third party dependencies that every library requires.

What data loss prevention controls are currently in use?

Data in transit is always encrypted using TLS to prevent any man-in-the-middle attacks. Data at rest, including backups are encrypted at all levels using AES-256 encryption, with keys managed by AWS. Backups are stored in a separate account and require MFA to access. In addition, annual penetration tests are conducted to explore possible privilege escalation and session management attack scenarios.

What other security measures do you have in place?

  • All data is stored on AWS Servers support by advanced security features which are compliant with ISO 27001 Standard.
  • We have Hardened application and infrastructure surface and carry out third-party penetration testing of our system for known vulnerabilities.
  • We support and recommend two factor authentication for all users. 
  • Code Reviews – every change before uploaded to production undergoes a review and needs to be approved. Changes are reviewed with security in mind.
  • Developer education – we focus on making sure our engineering culture is one where the customer comes first and this includes protecting both their PII and business data at all times. We educate our developers on the top threats and employ rigorous code review practices such that no one developer can introduce changes without others signing off on it.
  • Passwords – we require a strong password to connect to the application. Passwords are never stored in clear text and are always hashed and salted.
  • Versioning – We have an automated system that ensures that the available system for our users is up to date.
  • High availability – our system was designed to enable high availability; in any case of failure we can update our customers on real-time basis.

What happens if there is a data breach?

We will act in accordance with our strict data security policies in the event of a suspected data breach occurring – 

  1. We will undertake an immediate investigation to determine if a breach has indeed occurred and ensure any future data is secured.
  2. Within 24hrs of a breach being identified we commit to personally notifying the Customer’s effected key account contact.
  3. A formal report on the breach and resolution will be produced and provided to effected clients.
  4. All relevant authorities will be notified as required as part of this process.
  5. Semmel undertakes to co-operate with Customer in their investigations of any such security breaches. 

In addition to the above, Semmel is Cloud SaaS, and our infrastructure is best practice. We achieve resilience through redundancy which is provided by high availability having multiple servers running at any one time. If one fails, there is an automatic failover to others with no disruption to customers. If you or your IT team requires any further information don’t hesitate to contact us on 1300 993 803

Scroll to Top