Sensor has established policies and controls, monitors compliance with those controls, and proves security and compliance to third-party auditors.
We follow these foundational principles:
- Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.
- Security controls should be implemented and layered according to the principle of defense-in-depth.
- Security controls should be applied consistently across all areas of the company.
- The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.
What do we collect and store?
- We collect personally identifiable information as required to ensure compliance, generate invoices and send notifications:
  - IP addresses
  - Location data
  - Contractor License Numbers
  - Contractor Insurance Numbers
  - Addresses
  - Phone numbers
  - First name
  - Given name
  - Email addresses
- We also collect the following company information:
  - Company name
  - Company location
  - Company email contact
  - ABN
  - Contractor bank ID (BSB or similar)
  - Contractor Bank Account Number
  - Timezone
- We import the above required information from customer software systems, via CSV files, or by manual data entry.
- We minimise the information we collect, and will never collect driver's licence numbers, passport numbers or health insurance numbers.
How do we protect this information?
- We keep a limited access list, with access to this information restricted to Sensor administrators.
- Sensor administrators use 2FA for access to customer data, and access is controlled and recorded.
- All information is encrypted while in transit and at rest.
- We host our services inside AWS Australia, behind firewalls that restrict access to individual servers and databases from anyone external to our network.
- VPN access is required for developer access into infrastructure, and access is granted on an as-required basis.
- MFA is enforced across all infrastructure accounts.
How do we ensure compliance?
- We undergo yearly penetration testing across both our software and network security through the independent company Triskele Labs.
- We undergo continuous auditing against SOC 2 and ISO 27001 via the Vanta platform.
- We use GitHub Dependabot to highlight security vulnerabilities within our software, and we actively resolve any identified issues within defined SLAs.
What third party companies have access to data?
- We use SendGrid for email delivery; minimal personal data is passed to SendGrid, expressly for the purpose of email delivery. Their security policy and website privacy notice are published on their website.
- We use AWS for cloud infrastructure. Their policies are published in "Data Protection and Privacy" and "Security and Compliance in Australia and New Zealand" on the AWS website.