Security Overview

OVERVIEW

Immediation is a secure, resilient and scalable web application platform, designed to provide access to justice. Due to the highly integrated nature of the platform, Immediation is able to quickly respond to the needs of customers and continues to add new capabilities and custom modules in fortnightly release cycles.

Browser-based, Immediation runs best on Chromium browsers (Google Chrome and the latest Microsoft Edge), whilst also supporting Safari and Firefox. The platform has been designed with mobile responsive features to enable access from any iOS or Android mobile/tablet device. Features to support customers with limited or no internet access (e.g. audio only, dial-in) have been added to ensure improved access to justice from remote areas.

Security is at the heart of Immediation design, given the potentially sensitive nature of some matters. In late 2020, the platform was rearchitected and migrated to Microsoft Azure, providing significant enhancements to security, monitoring, performance, availability and resilience. Automated vulnerability management tools run continuously over the Immediation code repository. The Security Summary provides context on Immediation controls.

Immediation contracts cybersecurity consultants to provide expert penetration testing, detailed code review and external auditing on a regular basis.

CONFIDENTIALITY

Immediation ensures the confidentiality of all information and conversations on the platform using tiered controls.

All information encrypted at rest and in transit. All storage (incl. backups) are secure and do not allow public access. NB: Administrators cannot read any information from storage. Secure connections to Immediations are enforced through the Azure Front Door service.

Access to information is controlled through our enterprise-grade, identity management, paired with granular, Role Based Access Controls (RBAC). All staff are mandated to enable multifactor authentication (MFA) for all services and customers have the option in their security settings.

INTEGRITY

Immediation has implemented deletion controls, snapshots, data backup and restoral services to ensure that data corruption is avoided or, in certain conditions, able to be recovered in the event of client error.

Role Based Access Controls (RBAC) are in place to ensure that information is Created, Read, Updated and Deleted (CRUD), only by individuals with appropriate authorisation.

All integrations are secured through the provisioning of secure Application Programming Interfaces (API). Keys are stored securely and not written into code. These keys are rotated on a regular basis to avoid potential compromise.

AVAILABILITY

Immediation has implemented global load balancing to direct customer traffic through the private Microsoft Azure network. This ensures low latency access. Immediation monitors the health of backend services, across paired regions and redirects traffic to healthy services.

Services, such as database and storage, geographically redundant, ensuring that an outage, within one region is survivable and systems remain online or can fail over within the published Restoral Time Objective (RTO). Deletion protection and point in time restoral have also been enabled to ensure all data remains available to customers.

Horizontal auto-scaling has been enabled to ensure that the demands of large-scale events can be manged without rearchitecting.

DATA RESIDENCY & PRIVACY

Immediation is a highly integrated platform that utilises “best of breed” international services. Agreements have been put in place where possible to ensure that stored data (i.e. “at rest”) resides within Australia, where Immediation is headquartered. Below is a table stating Immediation data residency and sub-processors. Before engaging a vendor we perform due diligence, including a security assessment. The full sub-processors list is located here.

AUTOMATION & DEVOPS

Immediation runs an automated development pipeline using Kubernetes. This method allows the platform to orchestrate multiple container builds in a staged fashion increasing availability. The migration to Microsoft Azure and Azure Kubernetes Service (AKS) allows Immediation to expand into new global regions as part of our multi-tenant environment or as segregated instances to meet specific customer, compliance requirements. Kubernetes Horizontal Pod Autoscaler (HPA), backed up by AKS node scaling, also allows the platform to scale out and in as required. As an example, the platform livestreaming feature, runs and scales in a completely automated manner.

Our development pipeline has been automated to allow for faster delivery and testing. The Git repository is accessed and managed with mandated MFA and RBAC. It is replicated to a segregated Git repository as a mirror backup. Immediation’s development pipeline allows developers to commit code and trigger automated development environment builds, without waiting for engineers to perform the action.

NB: All production builds require QA Team review, Change Advisory Board (CAB) approval, Security Testing and are triggered manually.

Cypress based, robotic testing tools have been developed and continue to be expanded and improved. This allows Immediation to automatically test the vast number of capabilities and workflows in a more timely and less resource intensive manner. All test results are logged, complete with screenshots to enable developers to address any potential bugs.

Terraform, providing infrastructure as code, is currently under development, to completely automate our Azure infrastructure deployments.

MONITORING & ALERTING

Immediation has implemented logging for diagnostics and anomaly detection utilising native Microsoft Azure tools. All services are enabled for diagnostics which feed into log files. These files are added to Azure Workspaces for later evaluations and consumption. They are also stored on a 30 day rotation for event or incident evaluation.

Sentinel consumes the Azure Workspace data (e.g. Front Door Service access and Web Application Firewall logs) and performs machine learning evaluation on the data to provide insights into traffic. Alerts are configured against these insights to ensure security and engineering staff are immediately aware of issues.

Application Insights directly interrogates services (e.g. AKS) and will trigger diagnostic alerts (e.g. CPU usage) regarding environmental resource constraints.

AZURE ARCHITECTURE

Fig. 1 Architected in Azure for resilience across paired regions.

CERTIFIED SECURE

Immediation

Immediation Platform – ISO 27001 [Certified]

Xano (Metrix Apps) - ISO 27001, ISO 9001 [Certified]

Note: Immediation Platform uses Xano as a key building block.

Core Service Integrations

Twilio – ISO 27001 [Certified]

Docusign - ISO 27001, SOC1, SOC2, PCI DSS [Certified]

Stripe - PCI DSS [Certified]

Auth0 - ISO 27001, ISO 27018 [Certified]

Rev.AI - SOC2 Type II

Microsoft Azure

ISO 27001, ISO 9001, NIST 800-171, NIST CSF, SOC1, SOC2, PCI DSS, IRAP (Australia) [Certified]

An exhaustive certification list can be found here https://azure.microsoft.com/en-au/overview/trusted-cloud/compliance/

QUESTIONS

Questions regarding this document can be directed to security@immediation.com.