SECURITY AND TRUST
Enterprise-grade security from the start
With FYI your data resides in enterprise-grade AWS cloud servers, encrypted and stored in line with ISO 27001 for the highest levels of security, reliability and long-term scalability.
to grow with your practice
We understand that moving to the cloud is a major decision – so FYI uses best-practice architecture for long-term scalability.
to deliver new efficiencies
We release new features and enhancements frequently to deliver our vision to halve the time spent on repetitive admin tasks.
Born in the cloud with unequalled security in mind
Compliance and Certification
Tested and proven security
FYI is certified for ISO 27001, an international standard for information security management.
FYI has been certified by the ATO as a Digital Service Provider. This means that FYI meets the ATO’s requirements for authentication, encryption, certification, data hosting, personnel security and security monitoring practices.
We are committed to protecting the personal data and privacy of FYI users in EU and EEA countries by ensuring GDPR (General Data Protection Regulation) compliance.
Secure, fast, reliable hosting
Data is stored in Amazon’s AWS data centres in Sydney and London. As we become a global provider, we will also host FYI in the US. AWS is ISO 27001 compliant and provides inbuilt offsite backups, multi-site synchronisation and disaster recovery.
Encryption at the highest levels
FYI encrypts data both at rest in the cloud and during transit with the highest levels of encryption available.
Absolute best-practice availability
Since our beta launch in November 2019, the total time offline has been 7 minutes, with that downtime caused by the Microsoft authentication service being offline. This represents industry best-practice 99.99% availability.
FYI uses the latest in Transport Layer Security encryption on all requests sent between client and server (TLS v1.3, with v1.2 available if needed). System controls have been implemented to prevent cross-site scripting and SQL injection attacks.
All data captured in FYI is encrypted and stored on AWS servers in line with ISO 27001 requirements.
FYI has also allocated separate encryption keys to each subscription, ensuring that each accounting practice has its own layer of protection from unauthorised or illegal access.
Our architecture and product development lifecycle have been guided by best practice, including the AWS Well-Architected Framework. This ensures the FYI service, which is mission-critical to your practice, is available at the highest level. Through this partnership and regular technical review with AWS, FYI can guarantee high availability, data redundancy and government-grade security.
FYI works with AWS to have the most up-to-date monitoring and defences against suspicious behaviour, unauthorised attempts to access FYI, and potential ‘denial of service’ attacks and the like.
As part of the regular software development lifecycle, FYI is routinely load tested to prove it can scale to host the billions of documents required. FYI also undergoes regular penetration testing to identify and eliminate any potential security weaknesses.
In the event of an unscheduled outage, business continuity and disaster recovery procedures are initiated to maintain continued business operations and system performance.
Our incident management process ensures we rapidly respond to security events that may affect the integrity or availability of the FYI platform and the data stored within it. Events that affect customers are given the highest priority.
FYI Support is offered during AEST business hours including guaranteed responses within a maximum of 2 hours. For more complicated issues, we will initiate an outbound call.
STORAGE AND BACKUPS
The amount of data storage space allocated to each user is designed to cover fair and reasonable usage of the FYI platform. This varies according to your plan – for example, 50 gigabytes of data for each user on the Intermediate plan. For disk space above this allocation, we charge an extra $5 per user per month for an additional 50 gigabytes for every user.
Your data is dynamically backed up by Amazon (AWS) as part of their core service. Amazon provides inbuilt offsite backups, disaster recovery and multi-site synchronisation. We also provide the ability for practices to back up their data locally.
Your historical metadata is maintained in the FYI database for 30 days and we maintain document logs permanently. Deleted documents remain in a restorable state, unless permanently deleted by one of your FYI Admins.
We store a new version of every document you save. This means you can always restore a document back to a prior version, as long as the changes were saved from within FYI.
Your data is replicated to multiple data centres and backed up in case of disaster. In the case of a Disaster Recovery event, the maximum period of modified data that could be lost is 5 minutes. The maximum time expected to restore data and service is 30 minutes. FYI’s Disaster Recovery is tested every quarter.
Rather than creating an authentication layer requiring yet another username and password, FYI leverages Microsoft Windows user authentication, which is trusted globally for its high standard of security and reliability. To log into FYI, a user only needs to use their Microsoft 365 username and password.
FYI supports multi-factor authentication (MFA) when implemented as part of Microsoft 365. The decision to apply MFA to FYI depends on the administration of Microsoft 365 in your practice.
Access to production databases is strictly controlled and limited to users with a need to access production data for customer support or problem resolution. On request, FYI will securely delete a customer’s data.
Data backups are encrypted and sensitive data is encrypted/masked in the live database.
In-app user permissions allow you to control what data a user can access and which company-wide actions and settings they can control.
Your practice retains complete ownership rights of the content you upload to FYI. If you wish to cease using FYI and end your subscription, you can export your documents to a Windows Explorer directory structure.
All user actions that create, modify or remove data in FYI are audited. These audit records are retained and can be provided to customers on a request-by-request basis.
FYI is a multi-tenanted system. Each customer account has a unique identifier that is used across the entire platform to identify data owned by that account.
The FYI product development team identifies and assesses any security-related risks as part of all new feature development work.
Human Resources Security
A comprehensive set of security policies is enforced amongst all FYI employees and contractors with access to FYI information assets. This includes policies for the use of two-factor authentication, protection of passwords, personal firewalls, and avoiding unsecured devices and networks.
Every FYI employee undergoes security training as part of the orientation and onboarding process. New employees receive information on FYI’s commitment to keep customer information safe and secure.