See how Clipboard securely manages and stores data
At Clipboard, our top priority is data security and privacy. In everything we do, security is our first consideration. Below, we’ve provided some key information on our security practices.
Company
Clipboard has been assessed by Safer Technologies for Schools and holds the ST4S badge. You can verify Clipboard’s badge at this link here.
Clipboard complies with the Australian Privacy Principles, under the Privacy Act 1988. Clipboard is hosted on Amazon Web Services, which itself maintains ISO 27001 certification, PCI certification, SOC reports, and other compliance certifications. See the AWS Compliance Programs web page for more information.
All employees at Clipboard must hold a valid government Working With Children Check or undergo a comparable government background check. Clipboard does not outsource any key functions, including software development.
Security training is completed by all employees as part of their onboarding process and on an annual basis.
All Clipboard employees sign a confidentiality agreement, to protect customer data, as a condition of employment.
Clipboard maintains a detailed, professionally prepared internal HR policy, including policies and procedures for employee onboarding, equipment, and device security, physical security, maintaining privacy and data security, as well as employee offboarding.
Clipboard infrastructure and services undergo annual penetration testing by an independent professional third-party cybersecurity firm.
In addition to this, Clipboard conducts its own testing at random to ensure we have a high level of security between these audits.
Clipboard maintains a formal Cyber Incident Response Plan, alongside an accompanying set of processes and policies. In the event of a security breach, Clipboard will notify you immediately if there has been - or suspected to have been - any unauthorised access to your data.
We adhere to the Australian Notifiable Data Breaches Scheme under the Privacy Act 1988.
Clipboard maintains strict controls over employee access to customer data. This data is to only be accessed where absolutely necessary. This is only in conducting customer support or the continued delivery and improvement of the Clipboard service.
Clipboard data is only accessible by members of the Customer Support Team, senior members of the Development Team and employed company directors.
All of our employees are bound by our policies regarding customer data.
Data
Clipboard data is stored in Australia. All data is stored using Amazon RDS in their Sydney Australia data centre.
All Clipboard data is encrypted in transit and at rest. Clipboard utilises the latest recommended cypher suites and protocols.
Data is encrypted in transit via TLS/SSL (TLS 1.2 and 1.3 only), scoring an A+ rating on Qualys SSL Labs tests.
Data is encrypted at rest via industry-standard AES-256 encryption.
Clipboard can delete customer data on request. Data can also be returned to the customer via export or APIs.
Clipboard maintains a documented formal Disaster Recovery Plan which has the aim of establishing procedures for restoring all infrastructure and systems to normal operations as quickly as possible in the event of a disaster.
Broadly, our disaster recovery process involves leveraging the multi-region availability of our servers to restore services from backup, amongst other processes. All customer data is regularly and securely backed up to facilitate this.
We aim for zero data loss. Our systems are backed up daily, and these backups are retained for 35 days. Our systems are also backed up monthly, and these backups are retained for 7 years. This ensures we have sufficient recovery points to restore services promptly.
Product
Clipboard supports single sign-on (SSO) via industry standards for user authentication in Clipboard products. Examples of SSO identity providers supported by Clipboard are Microsoft Office 365, Azure AD B2C, Google Apps and many more.
Clipboard includes granular user permissions which enable a customer to control and restrict access of different users to different pieces of data. Clipboard also supports user roles which allow for read and write access restriction for users.
The Clipboard development team aims for high full code coverage of tests. Testing is a critical part of our software development process. Extensive testing is a built-in part of all product releases via our continuous integration process.
Infrastructure
At Clipboard, we target a 99.95% uptime of services. We have systems in place to ensure that our infrastructure remains resilient.
Clipboard infrastructure is distributed across multiple AWS data centres (availability zones), reducing the risk of failure during a single or multiple zone failure. These availability zones are still all within the same region of Sydney, Australia.
Our network is configured with robust firewalls and network security groups to control and restrict unnecessary traffic. We also employ network segmentation to isolate critical components of the service, ensuring containment in case of incidents.
Clipboard maintains extensive logs from products and services. Much of this logging is also exposed to school IT administrator users through the user interface.
The Clipboard Development Team utilises monitoring software that provides automatic alerts to notify the team of any security event.
We regularly scan production hosts for vulnerabilities and our team remediates any risks that arise.
Continuous improvement
The cybersecurity landscape is constantly shifting, meaning service providers need to always be on their toes and ready to adapt to change. At Clipboard, we are committed to continuously improving our policies and practices relating to data security and privacy.
