Security and Compliance
Our clients handle sensitive data that is subject to overlapping information security regulations, privacy laws, and governance requirements. Such sensitive data requires stringent confidentiality, integrity, and availability controls.
EDT implements a multi-layered approach to privacy and security so that our SaaS solutions comply with regulatory requirements and industry best practices.
We adopt security-by-design and privacy-by-design principles to embed data protections into our operations, services, and solutions.
EDT maintains a comprehensive, accredited, and audited information security management system (ISMS) designed to ensure we adhere to infosec best practices and standards across our operations.
AWS data centres
EDT’s software-as-a-service (SaaS) solutions are hosted in Amazon Web Services (AWS) to take advantage of AWS’s scalability, high availability, and robust privacy and security standards. AWS data centres apply multiple levels of physical and digital controls.
The AWS data centres used to host EDT’s SaaS solutions are SOC 2 Type II and SOC 3 audited, ISO/IEC 27001:2013 certified, FedRAMP authorised, and IRAP assessed. These attestations cover the AWS infrastructure layer; EDT’s own accredited ISMS covers the application and operational layers above it.
Clients can choose the AWS Region, and therefore the data centres, in which their data is hosted, so that the hosting location satisfies their data sovereignty regulations and risk management plans.
Dedicated environments for each client
Each client environment is single-tenant: it runs on its own dedicated database and file system instance, which is not shared with any other client.
Secure development and deployment
EDT’s multi-framework ISMS applies hundreds of security controls to ensure our software is developed, deployed, and managed securely. These controls include:
- Our Secure Product Development and Deployment Policy, which requires OWASP-based threat modelling and analysis, vulnerability scanning, and peer review of code before deployment
- Data encryption in transit and at rest, with cipher suites and cryptographic algorithms configurable to meet client standards or regulatory requirements
- High availability architecture using multiple AWS Availability Zones within an AWS Region
- Data backup frequency and retention periods configured to meet client needs and a comprehensive Business Continuity and Disaster Recovery Plan
- Host-based security software that provides anti-malware and other security modules
- An ongoing vulnerability detection and management program
- Third-party penetration testing conducted at least annually for each client environment
- Background checks, confidentiality agreements, and security and confidentiality training for all personnel including employees and contractors
- Restricted administrative access to client systems, governed by role-based access controls and the principle of least privilege