Data Zoo uses firewalls and encryption to protect all data and our applications. Databases have built-in security that prevents unauthorised access. All transactions are user and IP logged. Our data is securely stored in a Tier 1 Data Centre with no single point of failure and with a fully scalable world-class infrastructure. Data Zoo complies with the Privacy Act in the management of personal information.
Our Corporate Security Program is comprehensive, proactive and designed to ensure that all information is secure whether you choose to do business with us through our website applications, XML web services or bureau.
Data Zoo conforms to the highest industry accepted security practices:
2. Internal Processes
All Data Zoo staff who have access to the systems or data sign a compliance certificate warning them of the consequences of any unauthorised use of our data or systems.
3. External Processes
All companies wanting access to our systems are first vetted to ensure they are authorised to use the data provided by Data Zoo, as published by the Department of Internal Affairs (“DIA”): Listed Reporting Entities.
Data Zoo will ensure that all companies sign the appropriate contracts for access to the data. These contracts will highlight the consequences of any misuse by the company and state that it is the responsibility of the company to ensure that its internal processes enforce the terms of use of the data.
4. Security Measures
The security of the data and our systems is of the utmost importance to Data Zoo and, as such, we have protected against misuse through a number of measures. They include:
1. Data is only ever accessible through the applications provided.
2. All companies wanting access to our systems are first vetted to ensure they are authorised to use the data provided by Data Zoo.
3. Before access to the systems is allowed, all organisations must sign access agreements and contracts and are, therefore, bound by our Terms & Conditions of use and are fully aware of any civil or criminal penalties that apply for the misuse of the data.
4. All access to our products and services is logged, providing an auditable record of which users accessed what data and at what time.
5. Physical Security
The data is stored and held on site in a data centre for the duration of the job. The data centre is physically in Christchurch, New Zealand, with redundancy in Auckland. The hardware is locked in our own rack.
6. Data Security
We store data in multiple tier 3+ world-class data centres to ensure your data is protected. These are currently located in New Zealand, Australia and China.
- Data in transit uses mandatory TLS 1.0-1.2 transport encryption + authentication
  - Encryption is performed with certificates using ECC (384-bit; secp384 curve), or RSA (4096-bit) if preferred/required.
- Data at rest uses mandatory encryption
  - Encryption + authentication is performed with AES256-GCM in databases
  - AES256-CBC for general storage, e.g. logs
- Data is kept for the minimum time possible (for auditing purposes and if legally mandated, data must be kept as required). The only time that data is unencrypted is whilst it is in-memory in the servers themselves, or in cache. Finally, since we use Redis caches, these operate with in-memory data – so if the power turns off, all the data disappears.
- Transaction information is recorded to ascertain what searches have been performed, their results, and consent, for audit and accounting purposes.
7. System Security
We offer the capability for users to be authenticated through their use of a self-signed X509 cryptographic certificate, which offers excellent security. The cryptographic keys are at no point exposed to any third party, unlike the usual Certificate Authorities (CAs), which issue X509 certificates for the wider Web. This capability offers similar levels of security to a dedicated VPN connection and, as such, offers a superior product in both user experience and security quality.
This is either in addition to or in replacement of the usual OAuth2 security flow (we run a dedicated identity verification service with an OAuth2 endpoint which is used for our typical authentication flow).
Additionally, instead of a typical username-password authentication, federated authentication is available using Active Directory for organisations, again offering superior user experience and security quality.
8. Service Delivery
The system is deployed on a proven and trusted solution. Data Zoo realises the requirement to meet specific response times, service levels and redundancy capabilities. As such, this configuration best serves our needs by providing nearly infinite scalability and rapid deployment.
We use only the very best encryption methodologies for data in transit (connections I/O) and at rest (on disk for database or general storage).
Only approved customers can access the Data Zoo services.
9. Cross Border Data Transfer
Data Zoo’s value proposition is that we would establish a data centre in the country where we are sourcing the data. This ensures that data does not leave the country of origin but remains housed there.
We would then be providing local employment opportunities – to manage and assist with our IT solutions.
10. Data Transfer
In the verification process only a Yes/No verification is returned.
We have dedicated servers in China, New Zealand and Australia (Singapore in the process of being established) and, therefore, where required, transactional information submitted will only return a yes/no response.
No additional information is returned in a transaction enquiry unless it is for a permissible use. This ensures no government data leaves the country of origin, and that concerns regarding privacy and cross-border data transfer issues are managed.
We are currently in the process of establishing an IT environment in Singapore.
11. System Compliance
Our products have passed third-party PCI DSS compliance tests. We are currently undertaking an ISO 2700 certification audit.