# DX2 security accreditations
- DX2 operates on Microsoft Azure, which is ISO/IEC 27001 certified.
- Storecove, the access point provider we use for e-invoicing, is ISO 27001 certified.
# Data security
At DX2 we use the Microsoft Azure cloud, which we have configured to secure your data using:
- Encryption at rest - safeguard stored data
- Encryption in flight - secure the network
- Azure AD B2C & Azure AD Federation - manage identity and control access
- Azure Key Vault - key, secret and certificate management
- Compliance - Azure Compliance Documentation

Exceptions:
- Transports marked (In-Secure) (see Secure transport mechanisms below) traverse networks and systems outside the control of DX2.
# Confidentiality and integrity of data
As a cloud-native service, DX2 Digital Business has been designed with security in mind. All DX2 data storage, web hosting and authentication use Azure technology: we leverage Azure App Service, Azure data storage and Azure authentication. We use Azure SQL, safeguarded further by Azure's network security features (firewall access only from within Azure), Azure Key Vault, Threat Protection and Tenancy Protection.
DX2 authenticates users with Azure AD B2C, which implements the OAuth 2.0 and OpenID Connect standards. DX2 also leverages Azure security and threat monitoring for ongoing risk analysis and improvement as the technology around us changes.
# Data retention
We will store all your data on the DX2 network for as long as you have an account open with us, unless you ask us to destroy it, in which case it will be destroyed permanently.
All data is retained in Azure data storage. Data and documents related to transactional activities are stored on the platform indefinitely. Additional storage may apply if the material being stored, or the storage usage, is inconsistent with the level of transactional activity.
# Third party access to data
- DX2 is hosted on Microsoft Azure; Microsoft guarantees data protection. Microsoft will not use your data without your agreement. Microsoft complies with broadly applicable privacy laws such as the GDPR and privacy standards such as the world's first international code of practice for cloud privacy, ISO/IEC 27018. Neither Microsoft nor Olympic (DX2) shares your data with advertiser-supported services, nor do we mine it for purposes such as marketing research or advertising. Olympic (DX2) only shares your personal data with third parties as stated in our Privacy Policy.
# Data sovereignty
Microsoft Azure - Questions and Answers on data residency and compliance
# Excerpt from the link
Questions about the security of and control over customer data, and where it resides, are on the minds of cloud customers today. We’re hearing you, and in response, we published a whitepaper that gives clear answers and guidance into the security, data residency, data flows, and compliance aspects of Microsoft Azure. The paper is designed to help our customers ensure that their customer data on Azure is handled in a way that meets their data protection, regulatory, and sovereignty requirements.
Transparency and control are essential to establishing and maintaining trust in cloud technology, while restricted and regulated industries have additional requirements for risk management and to ensure ongoing compliance. To address this, Microsoft provides an industry-leading security and compliance portfolio.
Security is built into the Azure platform beginning with the development process, which is conducted in accordance with the Security Development Lifecycle (SDL). Azure also includes technologies, controls, and tools that address data management and governance, such as Active Directory identity and access controls, network and infrastructure security technologies and tools, threat protection, and encryption to protect data in transit and at rest.
Microsoft gives customers options so they can control the types of data and locations where customer data is stored on Azure. With the innovation of the security and compliance frameworks, customers in regulated industries can confidently run mission-critical workloads in the cloud and leverage all the advantages of Microsoft’s hyperscale cloud.
# Data location (cloud / on prem, region, provider etc.)
Microsoft Azure, in the Australia Southeast / Australia East regions, with geo-redundant / backup copies spread between those regions.
Amazon Web Services, in Australia Southeast, for search acceleration.
Please note:
- Search acceleration will be moved to Azure when available in our region.
- The Azure New Zealand North region may be used when available.
# Quality assurance processes
- Our development lifecycle includes code reviews, regression testing and unit testing, which are completed daily.
# Secure transport mechanisms
There are many transport mechanisms for sending and receiving data on the DX2 platform:
- (Secure) HTTPS - REST API with user-controlled API Token Connector.
- (Secure) SFTP - user-controlled SFTP Connector.
- (Secure) DX2 Gateway - the client's on-premises application, which leverages the HTTPS REST API to send and receive documents.
- (Secure) DX2 Portal - document upload / document download.
- (Secure) Xero Connector - user-controlled Xero Connector, OAuth protected.
- (In-Secure) FTP - user-controlled FTP Connector.
- (In-Secure) Email - DX2 Email for inbound and outbound documents.
- DX2 Intermediate Service - can be used in both (Secure) and (In-Secure) modes to connect to REST-based external APIs.

Please note: we recommend you use secure transport mechanisms where possible. For details see Introduction to Connectors.
# User access to data
Only users that you have given permission to can access your data as it traverses DX2.
You control who has access to your documents / data through your portal and APIs, by managing your Users or managing your Connectors. Through Security Groups, users can be granted Roles & Permissions which control what they can see and do.
The Trading Partner you sent the document to, or received it from, can do the same: they control who has access to their document / data.
Some pieces of information are visible only to you:
- Account Codes
- Analysis Tags
- Distribution Lines
- Value Mappings
All configuration changes are audited, recording who changed what and when. Each document carries a Document Timeline and Document Activities, which detail the events that occur over the document's lifetime and display communications about the document with your users and trading partner.
Olympic retains the right to view data as necessary to investigate and resolve support cases.