The FYI platform has been developed using best-practice architecture for security, reliability and long-term scalability.
Certification
FYI has achieved OWASP grade security, has been certified by the ATO as a Digital Service Provider, and is certified for ISO 27001, an international standard for information security management.
Data Security
Data Encryption
FYI encrypts data both in transit and at rest. This ensures your information is safe when it is sitting idle on the Amazon Web Services (AWS) servers or being accessed in transit via the FYI application. FYI has also taken the additional step of allocating separate encryption keys to each subscription, ensuring that each accounting practice has its own layer of protection from unwanted or illegal access.
Authentication
Rather than creating an authentication layer requiring yet another username and password, FYI leverages the Microsoft Windows user authentication to identify users when logging in. Microsoft is trusted globally by millions of people for its high standard of security and reliability. To log in to FYI, a user only needs to use their Microsoft 365 username and password. Therefore, what is enabled for Microsoft 365 in terms of authentication applies to FYI. We support 2FA when implemented as part of Microsoft 365.
The decision to have multi-factor authentication (MFA) depends on the administration of Microsoft 365 by the administrator. In order to apply MFA authentication, please follow these instructions provided by Microsoft.
Please note it is the responsibility of your IT team to implement policies around employee devices, including approving devices and unauthorised access. For any queries, please refer to your IT administrator.
Security Assessments
FYI engages external consultants to perform annual security assessments including penetration tests.
Privacy
FYI complies with both Australian and UK privacy laws.
Access and Permissions of an FYI Admin
An FYI Admin user has access to all FYI functions and access to all documents, including where Security has been enabled for a client (refer to Client Security). This access and permission level includes the ability to bulk export client documents from FYI.
FYI recommends regularly reviewing your FYI Admin user list and adjusting as needed.
Data Ownership
At all times you retain complete ownership rights of the content you upload to FYI. Your practice always owns your data.
If you want to leave at any time, an FYI Admin can request that your account is deleted from Practice Settings - General - Account. A member of FYI will get in touch with you to facilitate the export of your data. Refer to Deleting your FYI Account.
Hosting and Reliability
AWS Well-Architected Framework
FYI has been designed using the AWS ‘Well-Architected Framework’, ensuring that the solution is secure, high-performing, resilient, and makes the most efficient use of the AWS infrastructure. Through this partnership and regular technical review with AWS, FYI can guarantee high availability, data redundancy and government-grade security.
Hosting
For Australian and New Zealand clients, data is stored and backed up in Amazon’s AWS data centres in Sydney. For our UK clients, the data is hosted in AWS's London data centres. AWS is ISO27001 compliant and provides inbuilt, offsite backups, disaster recovery, multiple sites synchronisation and more. As we become a global provider, we will host FYI in the UK and the US.
Each practice’s documents are stored in their own discreet store within AWS. The documents for every practice are encrypted using a unique set of public/private keys to ensure no other practices can access unauthorised information.
24-7 Protection
FYI works with AWS to have the most up-to-date monitoring and defences against ‘denial of service’ attacks and the like.
Availability and Service Levels
Since our beta launch in November 2019, the total time we have been offline is 7 mins. This downtime was caused by the Microsoft authentication service being offline. This represents the industry absolute best practice of 99.9% availability.
Regular Load Penetration and Testing
As part of the regular software development life-cycle, FYI is routinely load tested to prove it can scale to host the billions of documents required. FYI also undergoes regular penetration testing to identify and eliminate any potential security weaknesses.
Data Storage Space
The licensing of FYI depends on your FYI plan. But as a summary, each user on our document management plans is entitled to 50 gigabytes of data. For disk space in excess of each plan, we charge an extra $5 per user per month for an additional 50 gigabytes for every user.
Data Backup and Recovery
Backup
Your data is dynamically backed up by Amazon (AWS) as part of their core service. Amazon provides inbuilt offsite backups, disaster recovery, multiple sites sync etc. We also provide the ability for practices to back-up their own data locally.
Your historical metadata is maintained in the FYI database for 30 days and we maintain document logs permanently. Deleted documents remain in a restorable state unless permanently deleted by one of your FYI Admins.
We store a new version of every document you save. This means you can always restore a document back to a prior version, as long as the changes were saved from within FYI.
Disaster Recovery
Your data is being replicated to multiple data centres and backed up in case of disaster. In the case of a Disaster Recovery event, the maximum period of modified data that could be lost is 5 minutes. The maximum time expected to restore data and service is 30 minutes. FYI’s Disaster Recovery is tested on a quarterly basis.
Bandwidth utilised by FYI
FYI does not require any more bandwidth than you expect from similar functions using SharePoint. FYI does not use any specific port.
Note: The "health" of each user's OneDrive does impact the useability of FYI. If the user's OneDrive is syncing other folders, then FYI key workflows such as editing office documents can be affected.
Support
FYI Support is offered during AEST business hours including guaranteed responses within a maximum of 2 hours.
When your trial account is set up, FYI automatically sets up a 'Support User' in your platform. Practices are not charged for this user in their subscription. This user is used by the FYI Support team to troubleshoot and provide assistance where a support ticket has been raised. It has limited access relating to Microsoft Office, Outlook and OneDrive, as it does not have all the functionality of a regular Microsoft365 account such as it cannot file emails from Outlook to FYI, edit documents directly from FYI or preview documents via OneDrive.
