Approach to Security
How we treat your data and documentation, and the key systems we use
The purpose of this security statement is to present how geoworx stores and treats documentation and data used in projects undertaken. For specific questions on security please email firstname.lastname@example.org or give us a call.
In summary, we take our and your security seriously.
Storage and Transmission of documents and data
Microsoft 365 E3
As a new start-up company (June 2019), there was every reason to adopt best practice and to minimise the potential for mistakes in setting up our internal data and IT structures. Microsoft 365 E3 was chosen as the key place to start, along with Azure AD. We use Microsoft Intune. Our Microsoft 365 account is hosted in Australia, and we only use MS Azure resources in Australia.
We take security very seriously. We recognise that encryption is our best friend, so all of our laptops and desktops have BitLocker turned on (by policy). We only primarily use Windows 11 Pro/Enterprise (with development machines still using Windows 10 Pro) and we use endpoint.microsoft.com to push updates to all devices.
The consultants at geoworx need elevated permissions to do our jobs and so we have local admin permissions on our laptops, and where necessary we are Azure AD admins as well.
Our mobile devices are all iOS. We are a BYOD organisation. We encourage collaboration and recognise the value of mobile working. Intune mobile policies are in use for these devices. We can (and will) destroy data remotely if needed.
We actively use SharePoint 365 and OneDrive. All customer-related project documentation is stored exclusively in SharePoint 365. We use OneDrive to store data and to ensure it is replicated. If a project requires a large dataset then we use internal file shares. We keep data local on our machines as well as in the cloud. All users authorised to access project data/documents will have the encrypted data stored locally. This ensures that all records exist in multiple places for backup and recovery purposes.
We use Azure AD for authentication to any other online services, where that is required. This includes ArcGIS Online and our own ArcGIS Enterprise environment.
We use an End Point security tool on every machine which is kept up to date. We also have folder level policies to protect us from Malware.
Yes, we have internal servers for development and pre-sales purposes. Where we use VM's they are stored on physical disks that have BitLocker applied and we use BitLocker on the Virtual Disks used by that VM. There are no exceptions to this rule. All VM's hosted internally by geoworx are for Sales and Marketing only. We do not host applications or services. Where customer data is needed on those devices, it will only be hosted with the prior agreement of the customer for a genuine business outcome. All VM's are Domain Joined, using an internal domain controller that is configured in a hybrid configuration with Azure AD. Customer data will be removed and deleted as soon as practicable, and not retained beyond the agreed timescales.
We maintain an internal Certification Authority for HTTPS encryption. We only use TLS1.2 with strong cyphers. A reverse proxy is in place and only HTTPS inbound traffic is allowed. The reverse proxy is in a DMZ and multiple subnets are in use, along with all devices being on a Windows Domain. Strong passwords are used for all devices, services and users.
We maintain a NAS for the storage of larger datasets. This is domain joined. Disks are in a Raid 1 configuration and encryption at rest is applied to all disks.
Data and documentation
Documentation supplied to geoworx, related to a project will be retained for a minimum of 2 years, unless geoworx is instructed to delete it. Data will not be retained beyond the project itself. Documents that geoworx creates on behalf of the customer and all internal documentation related to a given project will be retained for up to 10 years. As noted above, customer data is only stored in SharePoint, OneDrive or where large datasets are in use then we will use an internally hosted NAS.
All data and documentation will be shared via email or SharePoint using the encryption levels provided by Microsoft 365. HTTP will never be used by geoworx for official business. If a customer requests us to use their FTP site or other methodologies then we will do so at the customers' own risk and instruction. Once the data or documentation is received into geoworx systems it will be stored in line with the comments above.
Use and storage of other business information
We only use strong passwords on our machines and for our services. We store passwords in a password safe. The password safe is kept within MS OneDrive to the same standards as our other data and documents.
We are happy to be audited. We will work with any customer and their security representatives to prove or improve our systems.
Our business is based from home offices. We use encryption to protect our and your data. Normal physical security for a home-office is present. We are not a hosting company, we use cloud services or the customers own infrastructure for any deliverables beyond the pre-sales engagement.
Personal Security - staff and sub-contractors
We value our staff and the value they bring to customers. Integrity is key to that delivery. If requested for a given project, then geoworx staff and sub-contractors will undertake Ministry of Justice or Police checks.
Version 1.2 - Published 20/10/2019 - Updated 07/10/2023