Security at Pluss Communities
Pluss Communities: Our Commitment to Robust Security
At Pluss Communities, safeguarding your data is at the heart of our operations. Pluss Communities has achieved
the international security standard ISO 27001:2022 as assessed by independent certified auditors.
Our Security and Privacy team plays a crucial role in formulating stringent policies,
implementing advanced controls, monitoring adherence, and demonstrating our security compliance to third-party auditors.
Our security policy operates on four primary principles:
1. Access Control: Access to sensitive data is strictly limited to personnel with a demonstrable business need, operating under the principle of least privilege.
2. Layered Security: Our security controls are designed and implemented following the defense-in-depth principle, ensuring multiple layers of safeguards.
3. Consistent Controls: We apply our security controls uniformly across all business operations, leaving no stone unturned.
4. Evolution of Controls: Our security measures are continually improved for greater effectiveness, better auditability, and reduced friction.
Data Protection
Data at Rest: Our storage systems are encrypted at rest, including all customer data and S3 buckets.
Data in Transit: Pluss Communities employs TLS 1.2 or higher to secure data transmitted over potentially insecure networks. Our use of features such as HSTS (HTTP Strict Transport Security) further strengthens data security in transit.
Secret Management: We rely on the AWS Key Management Service (KMS) to manage encryption keys, which are securely stored in Hardware Security Modules (HSMs) and are inaccessible to individuals, including our staff.
Threat Detection: Our API is covered by an advanced service that continuously monitors and analyses network activity and account behaviour within our environments to identify potential threats. We receive immediate and detailed alerts for any unusual or unauthorised activity. These alerts enable our security team to respond swiftly to potential threats, minimising any impact on your data.
Backups: We perform regular backups of all data, ensuring that we can quickly restore information in the event of data loss or corruption. Our database has 35-day point-in-time recovery, and we retain backups for a minimum of 365 days. Our backup processes are regularly tested and verified for reliability, ensuring rapid data recovery when needed.
Storage Location: All data, including backups, is hosted exclusively in Australia.
Product Security
Security Testing: Security is integrated into every stage of our software development lifecycle. We conduct rigorous security testing early and often, identifying and mitigating vulnerabilities long before they reach production.
Penetration Testing: We collaborate with top-tier penetration testing firms annually to rigorously assess our product and cloud infrastructure. We ensure thorough testing by granting full source code access to our testers.
Vulnerability Scanning: As part of our Secure Development Lifecycle (SDLC), we mandate vulnerability scanning at key stages. This includes static analysis (SAST), malicious dependency scanning, and dynamic analysis (DAST) of running applications.
Enterprise Security
Endpoint Protection: All corporate devices are fitted with anti-malware protection and data leakage prevention tools.
Vendor Security: We apply a risk-oriented approach to vendor security, evaluating each vendor based on their access to customer and corporate data, their integration with production environments, and their potential impact on the Pluss Communities brand.
Security Education: Our comprehensive security training program is provided to all employees upon onboarding and annually thereafter. We also conduct regular threat briefings to keep our teams informed and equipped to handle the latest security updates and best practices.
At Pluss Communities, we stand firmly behind our commitment to your security. We persistently review and enhance our security measures to stay ahead of evolving threats, ensuring the protection of your data to the highest standards.