Information Security

Sensor has established policies and controls, monitors compliance with those controls, and proves security and compliance to third-party auditors.

We follow these foundational principles:

  • Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.
  • Security controls should be implemented and layered according to the principle of defense-in-depth.
  • Security controls should be applied consistently across all areas of the company.
  • The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.

What do we collect and store?

  • We collect personally identifiable information as required to ensure compliance, generate invoices, and send notifications:
    • IP addresses
    • Location data
    • Contractor License Numbers
    • Contractor Insurance Numbers
    • Addresses
    • Phone numbers
    • First name
    • Given name
    • Email addresses
  • We also collect the following company information:
    • Company name
    • Company location
    • Company email contact
    • ABN
    • Contractor bank ID (BSB or similar)
    • Contractor Bank Account Number
    • Timezone
  • We import the above required information via customer software systems, via CSV files or manual data entry.
  • We minimise the information we collect, and will never collect driver's license numbers, passport numbers, or health insurance numbers.

How do we protect this information?

  • We keep a limited access list; access to this information is restricted to Sensor administrators.
  • Sensor administrators use 2FA for access to customer data, and access is controlled and recorded.
  • All information is encrypted while in transit and at rest.
  • We host our services in AWS Australia, behind an architecture of firewalls that restricts access to individual servers and databases from anyone outside our network.
  • VPN access is required for developer access to infrastructure, and access is granted on an as-required basis.
  • MFA is enforced across all infrastructure accounts.

How do we ensure compliance?

  • We undergo yearly penetration testing across both our software and network security through the independent company Triskele Labs.
  • We undergo continuous auditing against SOC 2 and ISO 27001 via the Vanta platform.
  • We use GitHub Dependabot to highlight security vulnerabilities within our software, and we actively resolve any identified issues within defined SLAs.

What third party companies have access to data?