1. Overview of BGL’s Web Applications
BGL Corporate Solutions is Australia’s leading developer of SMSF administration and ASIC corporate compliance software solutions.
Simple Fund 360 is intelligent, cloud-based SMSF software that lets accountants efficiently manage the administration of self-managed superannuation funds. Currently, over 250,000 SMSFs are administered using Simple Fund 360.
CAS 360 integrates with industry-leading practice management, company document and e-signature providers to ensure you have a seamless and efficient experience. Currently, over 700,000 companies are managed using CAS360.
Developed with innovative, award-winning technology, Simple Invest 360 is an end-to-end wealth portfolio solution for managing trusts, companies and individuals.
2. Data Security
BGL’s cloud solutions, CAS 360, Simple Fund 360 and Simple Invest 360, have been ISO 27001 certified since January 2020. This is testimony that delivering efficient, reliable, and secure cloud solutions is BGL’s highest priority.
BGL’s infrastructure and online software security is regularly reviewed by external security specialists. These highly trained security specialists run penetration tests every six months to systematically identify and exploit security flaws within BGL's web application as per the OWASP Application Security Verification Standard 3. OWASP is a worldwide not-for-profit charitable organisation focused on improving the security of software.
In addition to running regular external tests, CAS 360 servers run the latest UNIX-based operating systems, firewalls, and have perimeter-based security policies applied which protect against unauthorised service access. Requests to internal hosts are logged and monitored continuously to ensure that only authorised internal clients are accessing the services.
3. Data Backup Controls
BGL's Cloud Products have been designed to support mission-critical databases. Databases are replicated across multiple servers and across multiple Availability Zones (AZs).
BGL performs complete backups of data every hour, and every night, to ensure that the Recovery Point Objective (RPO) is not greater than one hour. BGL also ensures that the implemented storage solutions are highly scalable, durable, and reliable for backups.
4. Security Standards
BGL’s applications are secured with a Secure Socket Layer (SSL) certificate, which means that all data transferred between your Internet Browser and the BGL application is encrypted.
BGL's Secure Socket Layer (SSL) connections utilise Perfect Forward Secrecy. This security feature uses a derived session key to provide additional safeguards against eavesdropping on encrypted data.
This prevents the decoding of captured data, even if the secret long-term key is compromised. In addition, the application load balancer utilises the latest Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) cipher suites, which most internet browsers currently support, so that newer and more secure cipher suites are available to our clients. For that reason, clients are advised to always use up-to-date browsers to make use of these stronger cipher suites for communication.
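The check below is an added example, not BGL's code: it classifies TLS cipher suites by whether they provide forward secrecy and builds a client context that refuses TLS 1.2 suites without ECDHE. It assumes OpenSSL-style suite names as reported by Python's ssl module; the function names and SAMPLE_SCAN are constructed for illustration.

```python
import socket
import ssl

# OpenSSL-style names: TLS 1.2 suites with ephemeral key exchange start with these.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")


def is_forward_secret(cipher_name: str, protocol: str) -> bool:
    """True if a handshake with this suite derives its keys from an ephemeral exchange."""
    if protocol == "TLSv1.3":
        # Certificate-authenticated TLS 1.3 handshakes always use ephemeral (EC)DHE.
        return True
    return cipher_name.startswith(EPHEMERAL_PREFIXES)


def forward_secret_context() -> ssl.SSLContext:
    """Client context that only offers ECDHE suites for TLS 1.2 (TLS 1.3 is unaffected)."""
    ctx = ssl.create_default_context()            # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM")               # static-RSA key exchange is never offered
    return ctx


def negotiated_suite(host: str, port: int = 443, ctx: ssl.SSLContext = None):
    """Connect to a live endpoint; return (cipher_name, protocol, forward_secret)."""
    ctx = ctx or ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5.0) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, proto = tls.cipher()[0], tls.version()
            return name, proto, is_forward_secret(name, proto)


def weak_suites(observed):
    """Return the (name, protocol) pairs from a scan result that lack forward secrecy."""
    return [(n, p) for n, p in observed if not is_forward_secret(n, p)]


# Constructed sample: suites a scanner might report as accepted by one endpoint.
SAMPLE_SCAN = [
    ("TLS_AES_256_GCM_SHA384", "TLSv1.3"),
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
    ("AES256-GCM-SHA384", "TLSv1.2"),             # static RSA key exchange
    ("DHE-RSA-AES256-GCM-SHA384", "TLSv1.2"),
]

if __name__ == "__main__":
    print(weak_suites(SAMPLE_SCAN))
```

A handshake made with forward_secret_context() fails outright against an endpoint that only accepts static-RSA suites, which makes it usable as a pass/fail monitoring probe.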
With regard to access protection from the end user side, credentials with complex passwords are required to log in, plus Multi-Factor Authentication (MFA). For password resets, end users receive the password reset emails directly to their email address.
Users can only access information that they have permission to view. Access in BGL's Cloud Products is role-based: the Practice Administrator can create accounts and assign permissions depending on the role of the user, and has complete control over who can access which information. All user accounts have an audit trail with logs that include the performed action and the IP address where the action came from.
Sensitive fields in databases are encrypted at rest (more information in section 11. Encryption of Data).
- Simple Fund 360 and Simple Invest 360: Hosted and stored in Australia only using multiple Availability Zones (AZs).
- CAS360 Australia: Hosted and stored in Australia using multiple Availability Zones (AZs).
- CAS360 New Zealand: Hosted and stored in Australia using multiple Availability Zones (AZs).
- CAS360 Singapore: Hosted and stored in Singapore using multiple Availability Zones (AZs).
5.1 BGL uses world-class Hosted Data Centres
BGL’s chosen Data Centres are located in Australia and Singapore and isolated from BGL’s own internal office networks. Only strictly controlled BGL staff with authorisation can remotely access the servers which house the data. BGL regularly reviews access control, and when an employee no longer has a business need for these privileges, his or her access is immediately revoked.
BGL uses Amazon Web Services (AWS) world-class, highly secure data centres utilizing state-of-the-art electronic surveillance and multi-factor access control systems. Data centres are staffed 24x7 by trained security guards, and access is authorized strictly on a least-privilege basis.
5.2 Storage Device Decommissioning
When a storage device has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. The chosen data centre uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
5.3 Security Controls
The Data Centers are built in an environment with extensive and validated security and controls, including:
- Service Organization Controls 1 (SOC 1) Type 2 report (formerly SAS 70 Type II report), with periodic independent audits to confirm security features and controls that safeguard customer data.
- ISO 27001 Certification, an internationally recognized security management standard that specifies leading practices and comprehensive security controls following the ISO 27002 best practice guidelines.
- PCI DSS Level 1 compliance, independent validation of the platform for the secure use of processing, transmitting and storing credit card data.
- Relevant government agency and public sector compliance qualifications, such as an ITAR-compliant environment.
- AWS Security Compliance Programs: https://aws.amazon.com/compliance/programs/
5.4 Service Availability
Whilst BGL intends that the Software will be available 24 hours a day, seven days a week, 365 days a year, it is possible that on occasions, the Software may be unavailable for reasons within the control of BGL (i.e., for scheduled or unscheduled Software updates) or for reasons outside the control of BGL (i.e., the data centres have power outages and all backup generators fail). BGL will use reasonable endeavours to notify you in advance of any planned outages and will notify you as soon as possible of any unplanned outages. BGL will use commercially reasonable efforts to make the Software available with an uptime percentage of at least 99.9%.
The BGL Service Status page is - https://status.bgl360.com.au/
6. Privacy of my data
It is BGL’s priority to ensure the security and privacy of data. BGL continuously ensures that all its employees handle and treat data with utmost privacy. In addition, BGL applies the least privilege access principle to its employees and controls all access to the Amazon Web Services cloud storage service (Simple Storage Service (S3) buckets) and databases through well-defined Identity and Access Management (IAM) policies - http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
For monitoring, BGL utilises the following:
- Amazon Web Services (AWS) services to monitor server and database health
- Third-party software for additional monitoring of servers and of BGL's applications
- Email and SMS alerts to keep relevant BGL staff notified of any critical alerts
8. Data management lifecycle (creation, storage, retention, removal)
BGL retains customer data for five years after a subscription expires. Customers can delete their own data at any point before the five-year expiration date.
Management of the physical servers is handled by Amazon Web Services (AWS).
For what happens when a storage device has reached the end of its useful life, please refer to 5.2.
9. Encrypted connections between BGL and Amazon Web Services (AWS)
The infrastructure of all BGL cloud solutions is located and hosted at Amazon Web Services (AWS). BGL employees access the infrastructure either through the Amazon Web Services (AWS) management console in a web browser or through a secure Virtual Private Network (VPN) connection. A connection made through the web browser is encrypted using the 256-bit Secure Socket Layer (SSL) certificate, and a connection made through the Virtual Private Network (VPN) is encrypted with the Virtual Private Network (VPN) certificate to ensure a secure tunnel connection to the infrastructure.
10. Encryption of data
BGL's Cloud Products are Web Applications that are accessible through Internet Browsers, and to ensure the protection and confidentiality of the data flowing between the end user and Web Application, BGL makes available a 256-bit Secure Socket Layer (SSL) certificate to securely encrypt the transmitted data.
BGL also ensures that critical or identifiable fields such as TFNs are encrypted at rest using 256-bit Advanced Encryption Standard (AES) encryption keys.
To find out more about data encryption, read - Encrypting Data at Rest - https://d0.awsstatic.com/whitepapers/AWS-Securing-Data-at-Rest-with-Encryption.pdf
11. Data Backup
BGL utilises the Amazon Web Services (AWS) database service, which is called the Relational Database Service (RDS). There is a default scheduled backup, operated by Amazon Web Services (AWS), for the Relational Database Service (RDS) that occurs once every 24 hours. In addition, as a second backup plan, BGL has scheduled another Relational Database Service (RDS) backup/snapshot to run on an hourly basis, which shortens the recovery point to one hour.
12. Disaster Recovery
All of BGL's infrastructure is deployed across multiple Availability Zones, hence the Application spans multiple distant data centres (Availability Zones). Redundant instances for each tier (e.g. web, application, and database) of an application are placed in distinct Availability Zones, thereby creating a multi-site solution.
The Database and the cloud storage resource (Simple Storage Service - S3 bucket) are synced and backed up to the Amazon Web Services (AWS) Tokyo Region for CAS360 Australia, CAS360 New Zealand, Simple Fund360 and Simple Invest 360 and to the Sydney Region for CAS360 Singapore. In the unlikely case that all three Amazon Web Services (AWS) data centres (Availability Zones) in production are down, BGL would utilise the Amazon Web Services (AWS) Tokyo Region (for Australia and New Zealand) and Sydney Region (for CAS360 Singapore) to manually bring the application online from there. Data replicated to the Amazon Web Services (AWS) Disaster Recovery Regions is encrypted in transit and at rest.
Expected Recovery Time Objective (RTO)
- AWS EC2 Failure in a Single Availability Zone: Zero - no impact
- AWS EC2 Failure in Multiple Availability Zones
Privacy of Data
BGL treats all data with the utmost privacy.