The FYI platform has been developed using best-practice architecture for security, reliability and long-term scalability.
FYI has achieved OWASP-grade security, has been certified by the ATO as a Digital Service Provider, and is certified for ISO 27001, an international standard for information security management.
FYI encrypts data both in transit and at rest. This ensures your information is safe when it is sitting idle on the AWS servers or being accessed in transit via the FYI application. FYI has also taken the additional step of allocating separate encryption keys to each subscription, ensuring that each accounting practice has its own layer of protection from unwanted or illegal access.
Rather than creating an authentication layer requiring yet another username and password, FYI leverages Microsoft Windows user authentication to identify users when logging in. Microsoft is trusted globally by millions of people for its high standard of security and reliability. To log into FYI, a user only needs to use their Office 365 username and password. Therefore, whatever is enabled for Office 365 in terms of authentication also applies to FYI. We support 2FA when implemented as part of Office 365.
At all times you retain complete ownership rights of the content you upload to FYI. If at any time you wish to cease using FYI and end your subscription, you have the ability to export your content to a Windows Explorer directory structure.
FYI engages external consultants to perform annual security assessments including penetration tests.
FYI complies with Australian privacy law at both a federal and state level.
Hosting and Reliability
AWS Well-Architected Framework
FYI has been designed using the AWS ‘Well-Architected Framework’, ensuring that the solution is secure, high-performing, resilient, and makes the most efficient use of the AWS infrastructure. Through this partnership and regular technical review with AWS, FYI can guarantee high availability, data redundancy and government-grade security.
For Australian practices, data is stored in Amazon’s AWS data centres in Sydney. AWS is ISO 27001 compliant and provides inbuilt offsite backups, disaster recovery, multi-site synchronisation and more. As we become a global provider, we will host FYI in the UK and the US.
Each practice’s documents are stored in their own discrete store within AWS. The documents for every practice are encrypted using a unique set of public / private keys to ensure no other practices can access unauthorised information.
FYI works with AWS to have the most up-to-date monitoring and defences against ‘denial of service’ attacks and the like.
Your data is dynamically backed up by Amazon (AWS) as part of their core service. Amazon provides inbuilt offsite backups, disaster recovery, multi-site sync, etc. We also provide the ability for practices to back up their own data locally. Backups are retained for 30 days.
Your data is replicated to multiple data centres and backed up in case of disaster. In the case of a Disaster Recovery event, the maximum period of modified data that could be lost is 5 minutes. The maximum time expected to restore data and service is 30 minutes. FYI’s Disaster Recovery is tested on a quarterly basis.
Availability and Service Levels
Since our beta launch in November 2019, the total time we have been offline is 7 minutes. This downtime was caused by the Microsoft authentication service being offline. This represents an industry absolute best practice of 99.9% availability.
Regular Load and Penetration Testing
As part of the regular software development lifecycle, FYI is routinely load tested to prove it can scale to host the billions of documents required. FYI also undergoes regular penetration testing to identify and eliminate any potential security weaknesses.
FYI Support is offered during AEST business hours, including guaranteed responses within a minimum of 2 hours.