LawFest-logo-horizontal-transparent-back
PROUD SPONSORS OF LAWFEST 2019

#lawfest2019 | lawfest.nz

  • LinkedIn - White Circle

How we Protect You and Your Data

At APLY, data and security is important to us. We take the privacy and security of customer information very seriously so we make every effort to ensure our security protocols and systems are up to date with industry standards.


Security and privacy are the core of our application infrastructure. Due to the technical nature of the software, it can be difficult to understand what that involves if you're not yourself a developer or an IT Professional so here is a bit more information that explains the measures our team take to protect your information.


How we protect you and your customer data


For us, this meant developing an application that was "private by design", with the latest technology stack at the front end (Angular) and a robust and industry proven technology for our API (Ruby on Rails). APLY is hosted in a secure environment that gives our developers full control over version deployment. For this reason, we chose to use Heroku as our development platform provider.


Technically it offers us flexibility in our development process and paired with Amazon Web Services (AWS) for our hosting it offers the most secure application environment.


AWS deploys the following tools as security measures:

  • Network firewalls to prevent access outside of the application internal network

  • Encryption across all services using TLS when data is transferred between services

  • Data encryption using AES-256 to make application's files and database "un-readable" directly on disk

  • Identity and access management for restricting unwanted access to our resources

These are only a few of the security measures installed by AWS. However, we hope you’ve found this useful.  If you are interested to learn more about the full range of features

in more detail, they are available here (AWS) and here (Heroku).


At APLY, when we say "private by design" we mean that when the customer has been verified and the agency has downloaded their report, we clean EVERY piece of personal information, including images and videos, related to the person you've verified, 5 minutes after you download the report. We only retain the internal reference number, partners products’ IDs and internal APLY ID for billing purposes and auditing. This process ensures that only a very limited amount of nominal data remains in our database at any time.


If for any reason, you haven’t downloaded the customer report or your customer hasn’t completed the process, the maximum life-span of the customer’s verification information is 7 days. Once this time has lapsed, any customer data is automatically cleaned, images and videos deleted, and the verification is archived as described earlier.


In addition to these measures we have also employed a range of internal mechanisms to reinforce our security: APLY forces all access to be HTTPS and to use JSON web tokens for authenticating every request coming to our API. This allows us to be immune from session hijacking since we do not use cookies and sessions at all. After you’ve submitted your login and password, APLY will generate a signed token that can't be modified, that is only valid for that user and for a limited period of time.


Every time you submit or request data, APLY verifies; that this data is visible within your company based on the token generated and the user’s role (that someone isn't trying to access data they aren't allowed to read). Any malicious requests would not only be denied access, but it would also raise an alert on our side to be investigated immediately.


Our verification assets (videos and images), are also stored on AWS using 3 different randomly generated keys based on different algorithms, making it impossible for anyone outside the application to know these assets' URL.


We believe in privacy by design, from the ground up we have developed APLY to be a secure place for your customer’s information. If you have any further questions on our infrastructure then please do not hesitate to contact our privacy officer privacy@aply.co.nz


Glossary

Encryption: Data concealed by converting it into a code

Angular: a structural framework developed by Google for creating dynamic web apps

Ruby on Rails: Our server side framework to create APLY's API

HTTPS: Hyper Text Transfer Protocol Secure, this is a secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. It means all communications between your browser and the website are encrypted.

JWT: JSON Web Token, is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

JSON: JavaScript Object Notation

Heroku: a cloud-based development platform

SSL: Secure Sockets Layer, is the standard security technology for establishing an encrypted link between a web server and a browser.

AWS: Amazon Web Services is a secure cloud services platform

AES: Advanced Encryption Standard

TLS: Transport Layer Security is a cryptographic protocol designed to provide communications security over a computer network

128 views