All employees at Clipboard must hold a valid government Working With Children Check or undergo a comparable government background check. Clipboard does not outsource any key functions, including software development.
Security training is completed by all employees as part of their onboarding process and on an annual basis.
All Clipboard employees sign a confidentiality agreement, to protect customer data, as a condition of employment.
Clipboard maintains a detailed, professionally prepared internal HR policy, including policies and procedures for employee onboarding, equipment and device security, physical security, maintaining privacy and data security, and employee offboarding.
External security audits
Clipboard infrastructure and services undergo annual penetration testing by an independent professional third-party cybersecurity firm.
In addition to this, Clipboard conducts its own testing at random to ensure we have a high level of security between these audits.
Incident management and response
Clipboard maintains a formal Cyber Incident Response Plan, alongside an accompanying set of processes and policies. In the event of a security breach, Clipboard will notify you immediately if there has been, or is suspected to have been, any unauthorised access to your data.
Clipboard maintains strict controls over employee access to customer data. This data is to be accessed only where absolutely necessary, that is, only when conducting customer support or for the continued delivery and improvement of the Clipboard service.
Clipboard data is only accessible by members of the Customer Support Team, senior members of the Development Team and employed company directors.
All of our employees are bound by our policies regarding customer data.
Clipboard data is stored in Australia. All data is stored using Amazon RDS in their Sydney, Australia data centre.
Data encryption in transit and at rest
All Clipboard data is encrypted in transit and at rest. Clipboard utilises the latest recommended cipher suites and protocols.
Data is encrypted in transit via TLS/SSL (TLS 1.2 and 1.3 only), scoring an A+ rating on Qualys SSL Labs tests.
Data is encrypted at rest via industry-standard AES-256 encryption.
Deletion and return of customer data
Clipboard can delete customer data on request. Data can also be returned to the customer via export or APIs.
Clipboard maintains a documented formal Disaster Recovery Plan, which aims to establish procedures for restoring all infrastructure and systems to normal operations as quickly as possible in the event of a disaster.
Broadly, our disaster recovery process involves leveraging the multi-region availability of our servers to restore services from backup, amongst other processes. All customer data is regularly and securely backed up to facilitate this.
We aim for zero data loss. Our systems are backed up daily, and these backups are retained for 35 days. Our systems are also backed up monthly, and these backups are retained for 7 years. This ensures we have sufficient recovery points to restore services promptly.
Authentication and single sign-on
Clipboard supports single sign-on (SSO) via industry standards for user authentication in Clipboard products. Examples of SSO identity providers supported by Clipboard are Microsoft Office 365, Azure AD B2C, Google Apps and many more.
Permissions and admin controls
Clipboard includes granular user permissions which enable a customer to control and restrict access of different users to different pieces of data. Clipboard also supports user roles which allow for read and write access restriction for users.
The Clipboard development team aims for high test code coverage. Testing is a critical part of our software development process. Extensive testing is a built-in part of all product releases via our continuous integration process.
At Clipboard, we target a 99.95% uptime of services. We have systems in place to ensure that our infrastructure remains resilient.
Clipboard infrastructure is distributed across multiple AWS data centres (availability zones), reducing the risk of service failure if one or more zones fail. These availability zones are still all within the same region of Sydney, Australia.
Our network is configured with robust firewalls and network security groups to control and restrict unnecessary traffic. We also employ network segmentation to isolate critical components of the service, ensuring containment in case of incidents.
We regularly scan production hosts for vulnerabilities and our team remediates any risks that arise.
Clipboard maintains extensive logs from products and services. Much of this logging is also exposed to school IT administrator users through the user interface.
The Clipboard Development Team utilises monitoring software that provides automatic alerts to notify the team of any security event.
The cybersecurity landscape is constantly shifting, meaning service providers need to always be on their toes and ready to adapt to change. At Clipboard, we are committed to continuously improving our policies and practices relating to data security and privacy.