Better protection for total peace of mind
Enterprise-grade security right from the start
99.99% plus availability
Since our beta launch in November 2019, the total time offline has been 17 minutes – with the majority of downtime caused by the Microsoft authentication service being offline. This represents better than 99.99% availability, exceeding industry best practice.
Future-proofed to grow with your business
Moving to the cloud is a significant decision. FYI has been engineered using best-practice architecture to ensure the platform scales in the future.
We’re constantly innovating the platform to:
- Enhance your practice efficiency and productivity
- Increase your responsiveness to clients
- Support your practice into the future
You can rest assured that the FYI platform is a good long-term investment.
FYI has been designed using the AWS ‘Well-Architected Framework’, ensuring that the solution is secure, high-performing, resilient, and makes the most efficient use of the AWS infrastructure. Through this partnership and regular technical review with AWS, FYI can guarantee high availability, data redundancy, and government-grade security. As part of the regular software development life-cycle, FYI is routinely load tested to prove it can scale to host the billions of documents required. FYI also undergoes regular penetration testing to identify and eliminate any potential security weaknesses.
Leveraging trusted Windows Authentication
Rather than creating an authentication layer requiring yet another username and password, FYI leverages Microsoft Windows user authentication, which is trusted globally for its high standard of security and reliability. To log into FYI, a user only needs to use their Microsoft 365 username and password.
Multi-Factor Authentication
FYI supports multi-factor authentication (MFA) when implemented as part of Microsoft 365. The decision to apply MFA to FYI depends on the administration of Microsoft 365 in your practice.
24/7 Protection
FYI works with AWS to have the most up-to-date monitoring and defenses against suspicious behaviour, unauthorised attempts to access FYI, potential ‘denial of service’ attacks, and the like.
Service Recovery
In the event of an unscheduled outage, business continuity and disaster recovery procedures are initiated to maintain continuous business operations and system performance.
Your data is dynamically backed up by Amazon (AWS) as part of their core service. Amazon provides inbuilt offsite backups, disaster recovery and multi-site synchronisation. We also provide the ability for practices to back up their data locally. Backups are retained for 30 days.
ISO27001:2019 Certified
FYI is ISO 27001:2019 certified, an international standard for information security management.
ATO Digital Services Provider
As a Digital Service Provider to the ATO, FYI meets all requirements for authentication, encryption, certification, data hosting, personnel security and security monitoring practices.
GDPR Compliant
We are committed to protecting the personal data and privacy of FYI users in EU and EEA countries by ensuring GDPR (General Data Protection Regulation) compliance.
Privacy
FYI complies with privacy laws in Australia, New Zealand and the UK. We are committed to preventing unauthorised access to or disclosure of customer information.
Encryption in Transit and at Rest
FYI uses the latest in Transport Layer Security encryption on all requests sent between client and server (TLS v1.3, with v1.2 available if needed). Comprehensive system controls have been implemented to prevent cross-site scripting and SQL injection attacks. This ensures your information is safe while in use by the FYI client applications or sitting idle on our servers.
Unique Encryption Keys
FYI uses unique encryption keys for each subscription, ensuring that each practice has its own layer of protection from unauthorised access. All data stored in FYI is encrypted with AES-256, using keys specific to each subscription. This is an industry-leading approach to data security that is unique to FYI.
Penetration Testing
FYI engages external consultants to perform annual security assessments including penetration tests.
Administrative Data Access
Access to production databases is strictly controlled and limited to users with a need to access production data for customer support or problem resolution. On request, FYI will securely delete a customer’s data.
User Permissions
In-app user permissions allow you to control what data a user can access and what company-wide actions and settings can be controlled.
Data Ownership
Your practice retains complete ownership rights of the content you upload to FYI. If you wish to cease using FYI and end your subscription, you can export your documents to a Windows Explorer directory structure.
Data Processing Agreements
FYI has created a GDPR-ready Data Processing Agreement should you require EU-compliant contractual protections. The FYI Data Processing Addendum (“DPA”) describes the data protection obligations between the Customer and FYI (“Data Processor”) for the Service delivered by FYI. Data Processing Agreements are available for our customers should they be required.
Your data is being replicated to multiple data centres and backed up in case of disaster.
Service Recovery
In the case of a Disaster Recovery event, the maximum period of modified data that could be lost is 5 minutes. The maximum time expected to restore data and service is 30 minutes. FYI’s Disaster Recovery is tested on a quarterly basis.
Incident Management
Our incident management process ensures we rapidly respond to security events that may affect the integrity or availability of the FYI platform and the data stored within it. Events that affect customers are given the highest priority.
All FYI data is stored in Amazon’s AWS data centres in Sydney and London, including their disaster recovery sites. AWS is ISO27001 compliant and provides inbuilt, offsite backups, multi-site synchronisation and disaster recovery.
Each practice’s documents are stored in its own discrete store within AWS. The documents for every practice are encrypted using a unique set of public/private keys to ensure no other practices can access unauthorised information.
FYI is proud to be ISO 27001 compliant. This internationally recognized standard ensures that our information security management system (ISMS) meets rigorous requirements for data protection, risk management, and continuous improvement.
In partnership with CS1 Group, FYI has implemented the Essential Eight mitigation strategies as a baseline to protect against cyber threats. The Essential Eight is a set of strategies designed to help organizations strengthen their cybersecurity posture and mitigate common security risks.
By using the Essential Eight as a foundational element of our security policies, we ensure that our practices are aligned with industry best practices and provide robust protection against potential threats.