Security Statement

1. General

Nuonic Pty Ltd (Nuonic) uses a range of best-practice security measures in the design and management of our infrastructure, including encryption of all data at rest using AES-256, SSL/TLS on all communications, all assets hosted in private subnets, and customised security configurations for all infrastructure assets. We also use live monitoring and intrusion detection tools and have a dedicated IT operations and security team providing ongoing support and advice.

2. Data Storage

Orderview stores customer data and hosts its solution infrastructure in Australian data centres managed by Amazon Web Services (AWS). AWS is ISO 27001 certified and has Service Organization Control (SOC) 1, SOC 2 and SOC 3 Security, Availability, and Confidentiality Reports available.

3. Data Encryption

All customer data is encrypted at rest and in motion using AES-256 block cipher encryption for data and keys, implemented using AWS storage technologies and HTTPS. Specifically, AWS’ Key Management Service (KMS) is used to generate and hold keys used to encrypt stored data. Keys are rotated at least every 12 months.

All software holding client or company data must utilise the HTTPS protocol for data transmission. Where practical, encryption before transit may also be applied.

4. Penetration Testing

Nuonic engages third-party assessors to perform external vulnerability scanning and penetration testing of our web applications, APIs and associated infrastructure. External security companies with the requisite security credentials and experience are engaged to perform the testing at least annually. Resulting recommendations are prioritised and implemented as appropriate.

5. Infrastructure Security

All Nuonic application infrastructure is implemented using best-practice DevOps and automation techniques. Infrastructure provisioning is automated wherever possible, and all changes to infrastructure are made through an "infrastructure as code" change, pull request and peer review process.

The Prism production environment in AWS is segregated from non-production environments. Administrative access to Nuonic AWS environments is IP whitelisted so that it is permitted from Nuonic office networks only, and requires strong passwords and multi-factor authentication.

Prism utilises native AWS security solutions in the production and pre-production environments, including AWS Trusted Advisor, AWS GuardDuty and AWS Shield. To prevent malware from running, servers are configuration controlled and do not include any MS Office components. In addition, the application design restricts write permissions to local disk, and all file storage is in a non-active, off-server storage location (AWS S3).

6. Patching

Prism does not employ any long-lived servers. Servers are launched in AWS for short-term processing tasks and then terminated. Each launch pulls the latest updates from the Debian package management system. Everything else is either serverless, static or a managed service. Managed services (such as AWS RDS) have automatic upgrades enabled.

7. Physical Security

Physical access to Nuonic AWS environments is governed by AWS according to its policies, which are ISO 27001 compliant. Physical access is not available to Nuonic staff or customers.

8. Contact

For more information about Nuonic’s IT Security practices please contact us at info@nuonic.com.au or 1300 822 370.