Security Measures

Last Updated 16 April 2024

This document describes the organisational and technical measures implemented by Edexia Pty Ltd (Edexia) in order to protect personal data and ensure confidentiality, integrity and availability for the Edexia Software.

This document covers only the measures implemented by Edexia. Where data is handled by sub-contractors or subprocessors, we have separate agreements in place. Please refer to the Subprocessor List for detailed information about these providers and their terms of service.

Where the Edexia Software is self-hosted (Edexia On-Premise), it is important to remember that you, the Customer, are also responsible for data protection.  

From time to time Edexia may change these measures. This may mean that we replace existing measures with new measures or implement entirely new measures. These changes will never be intended to degrade overall security, but to improve or evolve protocols to deal with new or emerging threats, changes to laws or regulations, or the adoption of new security standards.

Within this document, the following definitions apply:

  • “Customer” means any Licensee of the Edexia Software.
  • “Edexia Software” means the Edexia software products licensed by Edexia to the Customer pursuant to a Service Agreement.
  • “Personal Data” means any information provided or submitted by the Customer or Customer’s authorised users in connection with use of the Edexia Software, in each case relating to any identified or identifiable natural person, that Edexia processes on behalf of Customer.
  • “Personnel” means all Edexia employees (permanent, contract, casual, full-time and part-time), Edexia’s contractors and any other people or organisations working for Edexia or on our behalf.

Physical Security

These measures protect your data from physical access by unauthorised personnel. They cover data stored by Edexia and do not cover cases where the Customer is self-hosting their own data.

Measures include:

  • Edexia utilises Google data centres to store customer data, further information regarding the physical protections provided by Google cloud.
  • Your data is hosted in Google Cloud’s Asia Pacific (Sydney) Region.
  • Edexia ensures all data is encrypted at rest within Google Cloud so that physical access would not allow access to the data.

System Updates

To protect our systems from exploitation due to publicly known vulnerabilities, we will ensure all our systems are running the latest security updates.

Measures include:

  • We ensure that all operating systems within the organisation are currently supported with security releases.
  • We ensure that appropriate Personnel receive alerts and notifications from system software vendors and other sources of security advisories and install system software patches regularly and efficiently.
  • We review product dependencies every 6 months to ensure we are running the highest compatible versions and make appropriate changes to ensure we remain on supported versions.
  • We ensure all Personnel are running up-to-date software on their devices.
  • We ensure all Personnel are running up-to-date anti-malware software on their devices.

Data Access

In order to provide our customers with high quality support services, we may require access to customer data in order to help diagnose issues, provide training services and migrate data. We recognise that with this access we have a great deal of responsibility to protect the data that customers have entrusted to us.

Measures include:

  • Edexia has a policy that data will only be accessed on an as-needed basis; it will never be accessed for any purpose other than to provide our services as requested.
  • Edexia has a policy that customer data will never be exfiltrated or moved from its primary location unless explicitly requested or authorised by the customer.
  • Our Personnel will never share Personal Data with unauthorised persons. Only nominated people within your organisation can access Edexia support and communicate with our Personnel.
  • Edexia may collect usage data regarding the system, but this data will always be anonymised and will never include any identifiable information.

Data Transmission

When data is being transmitted across networks, specifically public networks like the internet, it is at risk of being intercepted, manipulated or stolen during transfer.

Measures include:

  • When transferring data over the internet, we will utilise HTTPS (TLS 1.2+) for web traffic and SSHv2 for all other traffic.
  • We recommend that customers only allow remote SSH access to their servers via our predefined network IP addresses to ensure only our Personnel are able to connect.
  • If possible, we will avoid sharing secrets and certificates. Where this is not possible, secrets will be shared via one-time-use links.
  • Personal Data may be required to be transmitted in bulk (for example, during an initial implementation, audit or data return). This will be facilitated through the use of encrypted files shared via controlled access sharing. Share links will be set to expire after a short period, and decryption passwords will be shared via a communication medium separate from the sharing link (e.g. emailed link, verbally provided password).

Development Process

Edexia implements administrative and technical controls to ensure that all code developed is designed, architected and delivered in the most secure ways possible.

Measures include:

  • Edexia has a central repository of code that is only accessible to authorised Personnel. All code contributions to this repository must be reviewed by senior development engineers and pass multiple automated checks before they are authorised to be part of a release.
  • Edexia has automatic scanning of code dependencies and supply chain exploits and regularly updates packages.
  • The release process is fully automated, and a release must pass a series of automated testing suites before it can proceed. All releases require the supervision and approval of a principal engineer or CTO. Releases must first be delivered to staging environments and tested thoroughly before they can be deployed to production.

Availability and Data Sovereignty

Edexia takes a number of steps to ensure your data remains protected from accidental destruction or loss. Edexia ensures that you have access to your data and that it can be exfiltrated from our systems if required.

Measures include:

  • The Personal Data you provide to Edexia remains your property; we do not claim ownership or control over your data. You are responsible for the data that you store in our systems. You must ensure that it does not infringe on the rights or privacy of any other parties, and that it is held in accordance with relevant privacy legislation.
  • Edexia has business continuity plans in place to manage the risk of key Personnel and infrastructure incidents.
  • Edexia has made commitments to comply with all laws applicable to the provision of the services by us, including applicable privacy laws.

Data Separation

Personal Data from one Customer is always logically separated from that of other Customers, as well as users managed by the customer (such as students).

Measures include:

  • File storage is logically separated for each customer.
  • Each Customer has their own unique secrets and credentials to ensure that their access cannot be used to access the database or files of other customers.
  • We use cloud-based data storage solutions for managing PDF documents uploaded by users to our services. 
  • These documents are stored on Google Cloud, which helps us organise data in a structured manner using parent folders. 
  • File names are solely used for storage purposes and are not processed or utilised in any other way.
  • Access to these documents is restricted to ensure that users can only access their own uploaded data. 
  • Users have the capability to delete their data.
  • Data fetching is conducted by the parent folder rather than by file name, which enhances data retrieval processes.
  • The AI systems involved in managing these documents do not have knowledge of the file names; they only process the contents within the files. 
  • The infrastructure logs, metrics and usage data are centralised for the purposes of monitoring and observation. We take all reasonable precautions to anonymise this data where possible; however, it may from time to time contain Personal Data for the purposes of auditing and identification of system faults or errors.
  • If we provide Customers with access to data for the purposes of auditing, we will ensure the data provided relates to the requesting Customer only.