Security & Compliance
What information do we collect and store?
Locatrix is certified to the ISO 27001 Information Security Standard. IT security, cybersecurity and privacy protection are vital for Locatrix and its customers.
- Find out more about our ISO certification here: https://www.iso.org/isoiec-27001-information-security.html
We collect enough information to identify people as required by the Building Fire Safety Regulation 2008 s.45.
One of our core tenets is to collect only the minimum amount of information required by our customers.
We don't require driver’s license numbers, passport numbers, Medicare numbers, etc.
PlanSafe is tailored to the unique needs of our customers, meaning that the information collected varies. Typically, this may include:
Personally Identifiable Information
- Employee/payroll number
- User type (employee, contractor, etc.)
- Work location and role at that location
- Email address
- First name
- Surname
- Year of birth
- Training records
- Web analytics
- IP address/location
- Site visit activity (pages visited, session length, LMS session ID if relevant)
- Operating system type
- Browser type
Company Information
- Floor Plans
- Emergency Procedures
- Compliance Documents
- Evacuation Signs
- Evacuation Practice Records
- EPC Meeting Minutes
- Personal Emergency Evacuation Plans
You can see the information collected about you in the "Personal Details" tab once you are logged into PlanSafe.
How is the above information protected?
PlanSafe data is only available to authorised administrators with reporting access.
- Permissions can be applied to ensure that administrators only have access to the records associated with occupants of a specific building.
- Administrator accounts can be linked to single sign-on systems to enable two-factor authentication (2FA). This is not mandatory, but it is a recommended best practice.
- 2FA is always required for all Locatrix administration staff.
Data Storage & Encryption
- All information is encrypted both in transit and at rest.
- Data for each PlanSafe customer is isolated in separate database schemas with unique credentials.
- This means the compromise of one PlanSafe website is less likely to expose data belonging to other PlanSafe websites.
- Our services are hosted by Microsoft Azure in their Australia East and Australia Southeast data centers.
- https://azure.microsoft.com/en-au/resources/microsoft-azure-compliance-and-australian-security-and-privacy-requirements/
- Our infrastructure is kept in virtual networks/behind firewalls, preventing direct connections to our databases from outside our networks.
- We use GitHub's Dependabot (https://github.com/features/security) to monitor our code for known vulnerabilities and help keep software packages up to date.
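To illustrate the schema-per-customer isolation described above, here is an added example (not Locatrix's own code; the page does not say which database engine PlanSafe uses, so PostgreSQL syntax is assumed). Each customer gets its own schema and its own login, the shared public schema is locked down, and each login's search_path is pinned to its schema, so a credential leaked from one customer's site cannot read another customer's tables. Tenant names, table columns and passwords are constructed placeholders.

```sql
-- Added example, not Locatrix's code. PostgreSQL dialect assumed.
-- One login and one schema per customer; passwords below are placeholders.

CREATE ROLE tenant_a_app LOGIN PASSWORD 'placeholder-rotate-me-a';
CREATE ROLE tenant_b_app LOGIN PASSWORD 'placeholder-rotate-me-b';

-- Each tenant role owns its own schema and nothing else.
CREATE SCHEMA tenant_a AUTHORIZATION tenant_a_app;
CREATE SCHEMA tenant_b AUTHORIZATION tenant_b_app;

-- Remove the default rights every role inherits on the shared public schema,
-- so a tenant cannot read from or write into it.
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- Be explicit that no other role may enter a tenant's schema.
REVOKE ALL ON SCHEMA tenant_a FROM PUBLIC;
REVOKE ALL ON SCHEMA tenant_b FROM PUBLIC;

-- Pin each login's search_path so unqualified names resolve only inside its schema.
ALTER ROLE tenant_a_app SET search_path = tenant_a;
ALTER ROLE tenant_b_app SET search_path = tenant_b;

-- Create the tables as the tenant role so the tenant role owns them (constructed columns).
SET ROLE tenant_a_app;
CREATE TABLE tenant_a.occupant (
    id          serial PRIMARY KEY,
    first_name  text NOT NULL,
    surname     text NOT NULL,
    work_email  text NOT NULL
);
RESET ROLE;

SET ROLE tenant_b_app;
CREATE TABLE tenant_b.occupant (
    id          serial PRIMARY KEY,
    first_name  text NOT NULL,
    surname     text NOT NULL,
    work_email  text NOT NULL
);
RESET ROLE;

-- Isolation check: connect as tenant_a_app and attempt a cross-tenant read.
-- Expected: ERROR: permission denied for schema tenant_b
-- SELECT * FROM tenant_b.occupant;
```

The check at the end is the one worth automating: a test that connects with each tenant's credentials and asserts that every other tenant's schema is refused. Note that this only holds if application code always connects with the tenant's own login rather than a shared privileged account; a single superuser connection used for all customers would make the schema boundary cosmetic.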
How do we ensure compliance with our obligations regarding sensitive data (e.g. reviews of our processes, process documentation etc.)?
Locatrix is ISO 27001 certified (an international standard for information security management).
- This certification comes with the requirement for regular annual audits/reviews performed by a certified third party (Compass Assurance).
- We maintain an extensive set of internal information security policies (over 77 documents covering 114 required controls) that are regularly reviewed.
All Locatrix employees are subject to background checks and regular training across our information security practices.
Locatrix IT systems are protected by both standard malware scanning systems and active vulnerability scanning provided by Triskele Labs (a CREST certified provider).
We also subject our systems and applications to regular penetration testing performed by Triskele Labs.
- This means that we pay a security firm to try and hack us so that we're the ones to discover any vulnerabilities in our own systems, instead of malicious hackers.
Our clients regularly require us to complete security questionnaires to ensure that our practices comply with their own internal requirements.
The questions we answer often relate to the requirements contained within the Information Privacy Act 2009 (Qld), the Queensland Government Information Security Classification Framework and the Australian Signals Directorate Essential Eight.
Do any third parties have access to saved data?
Our services are hosted by Microsoft Azure in their Australia East and Australia Southeast data centers.
We push limited data (name and work email address) to two third parties for analytics and troubleshooting purposes.
- Sentry (troubleshooting) - https://sentry.io/security/
- Pendo (analytics) - https://www.pendo.io/data-privacy-security/