The FYI platform has been developed using best-practice architecture for security, reliability and long-term scalability.
FYI has achieved OWASP grade security, has been certified by the ATO as a Digital Service Provider, and is certified for ISO 27001, an international standard for information security management.
FYI encrypts data both in transit and at rest. This ensures your information is safe when it is sitting idle on the AWS servers or being accessed in transit via the FYI application. FYI has also taken the additional step of allocating separate encryption keys to each subscription, ensuring that each accounting practice has its own layer of protection from unwanted or illegal access.
Rather than creating an authentication layer requiring yet another username and password, FYI leverages the Microsoft Windows user authentication to identify users when logging in. Microsoft is trusted globally by millions of people for its high standard of security and reliability. To log into FYI, a user only needs to use their Microsoft 365 username and password. Therefore, what is enabled for Microsoft 365 in terms of authentication applies to FYI. We support 2FA when implemented as part of Microsoft 365.
The decision to have multi-factor authentication (MFA) depends on the administration of Microsoft 365 by the administrator. In order to apply MFA, please follow these instructions provided by Microsoft:
FYI engages external consultants to perform annual security assessments including penetration tests.
FYI complies with both Australian & UK privacy laws.
At all times you retain complete ownership rights of the content you upload to FYI. Your practice always owns your data.
If you want to leave at any time, anyone with the role of administrator can download all documents, in a logical folder hierarchy by client, along with the metadata. Refer to Bulk Export.
Hosting and Reliability
AWS Well-Architected Framework
FYI has been designed using the AWS ‘Well-Architected Framework’, ensuring that the solution is secure, high-performing, resilient, and makes the most efficient use of the AWS infrastructure. Through this partnership and regular technical review with AWS, FYI can guarantee high availability, data redundancy and government-grade security.
For Australian and New Zealand clients, data is stored in Amazon’s AWS data centres in Sydney. For our UK clients the data is hosted in AWS's London data centres. AWS is ISO 27001 compliant and provides inbuilt, offsite backups, disaster recovery, multi-site synchronisation and more. As we become a global provider, we will host FYI in the UK and the US.
Each practice’s documents are stored in their own discrete store within AWS. The documents for every practice are encrypted using a unique set of public/private keys to ensure no other practices can access unauthorised information.
FYI works with AWS to have the most up-to-date monitoring and defences against ‘denial of service’ attacks and the like.
Availability and Service Levels
Since our beta launch in November 2019, the total time we have been offline is 7 minutes. This downtime was caused by the Microsoft authentication service being offline. This represents an industry absolute best practice of 99.9% availability.
Regular Load and Penetration Testing
As part of the regular software development life-cycle, FYI is routinely load tested to prove it can scale to host the billions of documents required. FYI also undergoes regular penetration testing to identify and eliminate any potential security weaknesses.
Data Storage Space
The licensing of FYI depends on your FYI plan. But as a summary, each user on our document management plans is entitled to 50 gigabytes of data. For disk space in excess of each plan, we charge an extra $5 per user per month for an additional 50 gigabytes for every user.
Data Backup and Recovery
Your data is dynamically backed up by Amazon (AWS) as part of their core service. Amazon provides inbuilt offsite backups, disaster recovery, multi-site sync and more. We also provide the ability for practices to back up their own data locally. Backups are retained for 30 days.
Your data is replicated to multiple data centres and backed up in case of disaster. In the case of a Disaster Recovery event, the maximum period of modified data that could be lost is 5 minutes. The maximum time expected to restore data and service is 30 minutes. FYI’s Disaster Recovery is tested on a quarterly basis.
FYI Support is offered during AEST business hours including guaranteed responses within a maximum of 2 hours.