The SaaS platform
you can trust
38% of data breaches in Australia are caused by cyber security incidents.
Our global SaaS ERP solution delivers the highest security and privacy measures, to keep your data safe.
As the prevalence of sophisticated cyber attacks grows, knowing that your data security is taken care of by a trusted partner means you can focus your time and resources on what really matters.
To maintain the highest level of certifications and accreditations, we integrate and maintain the latest in innovative security and privacy technologies. As a TechnologyOne SaaS customer, you are protected by our multi-tiered security measures and accredited procedures.
For executives and board members responsible for managing corporate risk, the reputational, operational and financial implications of cyber attacks have many questioning the security of their systems and data.
To manage this risk, you need a secure and adaptable platform you can trust to power your business and keep your data safe. One that offers the highest levels of security — proactively predicting, preventing and responding to cyber risks that threaten your business continuity.
When we make enhancements, every customer benefits – taking the complexity out of safeguarding your data.
Security and trust
ISO/IEC 27001
A specification for an information security management system (ISMS)
An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes. TechnologyOne acquired this in 2011 to create a global policy framework that enabled us to include security as part of the design process. It demonstrates that we are following international best practice to mitigate threats.
ISO/IEC 27001 requires that management:
Systematically examine the organisation's information security risks, taking account of the threats, vulnerabilities, and impacts;
Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
Adopt an overarching management process to ensure that the information security controls continue to meet the organisation's information security needs on an ongoing basis.
ISO/IEC 27017
A cloud computing code of practice for information security
This code of practice provides recommendations to assist with the implementation of cloud-specific information security controls. TechnologyOne acquired this in 2016 to align our processes and controls with cloud specific providers. It confirms for customers that we have adopted international best practice surrounding cloud specific threats and risks.
Download CertificateISO/IEC 27018
A code of practice for protection of personal information in the cloud
TechnologyOne acquired this in 2016 to demonstrate to customers that we protect their personal identifiable information. Our alignment with this internationally recognised code of practice demonstrates our commitment to the privacy and protection of customer information. It demonstrates to our customers that we have a system of controls in place that specifically address the privacy protection of their content.
Download CertificateISAE 3402 SOC 1
Adequate internal controls are in place from a financial perspective
ISAE 3402 SOC 1 is an assurance standard, designed to demonstrate that adequate internal controls are in place from a financial perspective. It supersedes SAS70.
TechnologyOne acquired this standard in 2015 as one that auditors of customers could rely upon, and that allowed us to streamline our operations. This report assists the financial auditors of our customers to determine the robustness of their financial data stored in the TechnologyOne SaaS solution. Existing SaaS Customers of TechnologyOne are entitled to request the ISAE 3402 SOC 1 audit report, to provide to their auditors.
The ISAE3402 SOC 1 report is produced every 6 months and customers can request bridging letters from TechnologyOne to assist with aligning to specific audit periods.
The SOC 1 report and the bridging letter can be requested by any current contracting customer by raising a SOC 1 report request case in the Customer Community.
If you are the registered auditor for a current TechnologyOne customer, please speak with them directly to obtain a copy.
SSAE 18 SOC 1
Adequate internal controls are in place from a financial perspective
SSAE 18 SOC 1 is an assurance standard, designed to demonstrate that adequate internal controls are in place from a financial perspective.
TechnologyOne acquired this standard in 2018 as one that auditors of customers could rely on, and that allowed us to streamline our operations. This report assists the financial auditors of our customers to determine the robustness of their financial data stored in the TechnologyOne SaaS solution. Existing SaaS Customers of TechnologyOne are entitled to request the SSAE 18 SOC 1 audit report, to provide to their auditors.
This report can be requested by raising a SOC 1 report request case in the Customer Community.
If you are the registered auditor for a current TechnologyOne customer, please speak with them directly to obtain a copy.
If you are a prospective customer and would like to receive a copy, please reach out to your Customer Account Manager
AT-C 205 SOC 2
Adequate internal IT controls exist
TechnologyOne acquired this standard in 2015 to satisfy customer need for information and evidence on auto-scaling, security practices and the operational process for the TechnologyOne SaaS solution.
This standard demonstrates to customers that security practices are in place to: promote security and prevent unauthorised access, ensure system availability, enable processing integrity, protect confidentiality and protect privacy.
Existing SaaS customers of TechnologyOne are entitled to request the AT-C 205 SOC 2 audit reports, to provide to their auditors.
In 2019, the TechnologyOne SaaS Platform completed compliance against the Health Insurance Portability and Accountability Act (HIPAA), a US standard that provides the highest globally recognised best practice for data privacy and security of medical information. Whilst this is a US standard, it demonstrates our commitment to the security and privacy of customer data, particularly in the health sector.
HIPAA compliance has been added as an extension to our SOC 2 report which is currently available for our SaaS Platform customers.
The AT-C 205 SOC 2+ HIPAA report is produced annually and customers can request bridging letters from TechnologyOne to assist with aligning to specific audit periods.
The SOC 2 report and the bridging letter can be requested by any current contracting customer by raising a SOC 2 report request case in the Customer Community.
If you are the registered auditor for a current TechnologyOne customer, please speak with them directly to obtain a copy.
SOC 3
Adequate internal IT controls exist
SOC 3 is an assurance standard, designed to ensure that adequate internal IT controls exist. It relates to: security, availability, privacy, confidentiality and processing integrity.
TechnologyOne acquired this standard in 2018. The Service Organisation Control 3 (SOC 3) report outlines information related to TechnologyOne's internal controls for security, availability, privacy, confidentiality and processing integrity.
The TechnologyOne SOC 3 report can be requested by any current contracting customer by raising a SOC 3 report request case in the Customer Community.
If you are the registered auditor for a current TechnologyOne customer please speak with them directly to obtain a copy.
If you are a prospective customer, please reach out to your Customer Account Manager to obtain a copy.
Helping Australian government agencies securely harness SaaS
As a global SaaS ERP provider to Federal Government, TechnologyOne has successfully completed the Information Security Registered Assessors Program (IRAP) assessment for up to and including PROTECTED classified data, providing our SaaS customers with greater certainty in a constantly evolving cyber security landscape.
IRAP assessments are carried out by qualified professional assessors to provide a comprehensive and clear assessment of a system’s security controls and compliance with Australian Government requirements to store data classified at various levels.
Maintaining the highest standards under the IRAP process requires regular reaccreditation. Committing to this process is a testament to our mature security practices, accountability mechanisms and belief in continuous improvement.
GDPR
The EU’s General Data Protection Regulation (GDPR)
The GDPR is a comprehensive data protection law which regulates the use of EU residents’ personal data and provides individuals with rights to exercise control over their data. The GDPR is an EU regulation where post-Brexit, it no longer applied to the UK. The UK government incorporated the requirements of GDPR into UK law as the “UK GDPR”.
TechnologyOne is committed to complying with the GDPR and all applicable privacy and data protection laws and regulations in its operations and delivery of services to its customers. We are also committed to supporting and assisting our customers to meet their GDPR and privacy obligations.
Shared Responsibilities for GDPR
The two main parties identified within the GDPR regulations are:
Data Controllers
A controller is an entity that determines the purposes, conditions, and means of the processing of personal data.Data Processor
The processor is an entity which processes personal data on behalf of the controller.
Both parties have responsibilities in maintaining the security and privacy of Personally Identifiable Information (PII).
TechnologyOne as Data Processor
In delivering our SaaS service to our customers, TechnologyOne has a built a class leading security and compliance program that is designed to provide customers with a high level of surety that their Security and Privacy needs are in good hands.
TechnologyOne audit reports and other materials are available for customers to request and use to meet their own compliance obligations. This compliance program is continually updated as additional guidelines or amendments to existing standards are released. Some of the key areas as they relate to GDPR are described below.
Security
TechnologyOne has developed a security framework that passes the highest levels of external verification, testing and scrutiny. There is a continual program of testing and audit by external third parties to verify the security of the system along with the integrity of the people and processes that manage that system.Privacy
TechnologyOne has a robust Privacy and Security incident handling plan for the handling of issues related to Security or Privacy breaches and concerns. This handles all required notifications and communication with required regulatory bodies and has the customer (Data Controller) at the centre of process to ensure the fastest, most rigorous and least disruptive handling of reported incidents.Continuous Improvement
The legislative landscape is shifting substantially with regard to privacy and is being updated regularly with country specific requirements. The TechnologyOne Compliance Program ensures that all changes and new requirements are incorporated in a timely manner. This is underpinned by a continual program or Privacy Impact Assessments (PIA) across all aspects of the Data Processor offering to our customers.
Customer as Data Controller
As well as leveraging the compliance capabilities TechnologyOne has as a Data Processor, Customers, (as Data Controllers) are able to utilise a range of capabilities and functions to meet their Data Controller obligations’:
Authentication and Access rights
TechnologyOne offers a suite of capabilities to help customers comply with the management of access rights under the GDPR. Data Controllers are able to manage and control their users’ access to the application and the data they are able to access once logged in. A key component of this is the implementation of role-based access along with the Data Controller determining and configuring their preferred authentication platform.Data Subject rights TechnologyOne offers a number of mechanisms by which the Data Controller can meet their GDPR obligations as it relates to data subject, such as ‘access, ‘rectification’, ‘erasure’, ‘portability’ etc.
TechnologyOne has implemented a compliance program with assistance from external advisers to meet the "processor" obligations as described under the GDPR.
TechnologyOne has provided a GDPR Product Assistance paper that aims to assist our customers to comply with their obligations. This paper is available to customers on request by emailing privacy@technologyonecorp.com.
We note that there are currently no approved certification bodies that would provide external assurance that we comply with GDPR, as per the ICO's website. However, TechnologyOne will continue to monitor this.
Australian Cyber Security Centre (ACSC) Essential 8
Australian Cyber Security Centre (ACSC) Essential 8
The ACSC has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations mitigate cyber security incidents caused by various cyber threats. The most effective of these mitigation strategies are known as the Essential Eight.
In 2019, the TechnologyOne SaaS Platform undertook an independent ACSC Essential Eight Maturity Assessment of the TechnologyOne SaaS Platform Services.
The ACSC Essential Eight Maturity Assessment letter for the TechnologyOne SaaS Platform Services is available to current SaaS Platform customers. It can be requested by raising an Essential 8 report request case in the Customer Community.
Cyber Essentials (UK)
Help organisations against common cyber-attacks
Cyber Essentials is a UK Government-backed, industry-supported certification scheme introduced in the UK to help organisations demonstrate operational security against common cyber-attacks.
By achieving certification, TechnologyOne has demonstrated it has implemented the necessary technical controls to mitigate the risk from common Internet-based threats, within the context of the UK Government's "10 Steps to Cyber Security".
Due to the regional nature of the certification, the certification scope is limited to the TechnologyOne SaaS service operating within the UK.
TechnologyOne Cyber Essentials certificateTechnologyOne Cyber Essentials Plus certificate
National Cyber Security Centre (NCSC) Cloud Security Principles (UK)
National Cyber Security Centre (NCSC) Cloud Security Principles (UK)
The UK National Cyber Security Centre (NCSC) published 14 cloud security principles in 2016. These principles are designed to give guidance to cloud service providers in order to protect their customers.
In 2020, the TechnologyOne SaaS Platform published an alignment document of the NCSC Cloud Security Principles for the TechnologyOne SaaS Platform Services.
The NCSC Cloud Security Principles document is available to current UK SaaS Platform customers by raising a NCSC report request case in the Customer Community.
PCI Compliance
Payment Card Industry (PCI-DSS)
A specification for an information security management system (ISMS)
In 2021, TechnologyOne completed an independent assessment by a qualified PCI-QSA to obtain an ‘Attestation of Compliance” (AOC) for the TechnologyOne Online PayNow function. This AOC will support TechnologyOne SaaS customers with their PCI compliance program when using the TechnologyOne Online PayNow function.
The TechnologyOne PCI AOC is available to current and prospective SaaS Platform customers. To request a copy you can either submit a request in the Customer Community or speak with your Customer Account Manager.
Learn more about our security, reliability, privacy, and compliance
Your user experience is our priority, that’s why we adopt world-leading standards across our software. To protect against security threats, data breaches, and to prevent unauthorised access to customer data, TechnologyOne maintains a formal and comprehensive security program.
Our SaaS solution is unique in its approach to data management. We deliver a multi-tenanted SaaS application and isolate each customer’s database and data into a separate and completely private storage zone. This isolation provides far superior security to shared storage and shared databases that combine data from many customers into a single place.
Multi-tenanted software provides economies of scale, enabling you to share one vision of software globally, gain immediate access to the latest enhancements and security updates, without having to compromise on data security. These controls are in addition to the rich, logical security model in the application itself, which is personalised for each customer during implementation, and updated by our customers as their business changes over time.
Users access TechnologyOne SaaS via the internet, protected by Transport Layer Security (TLS) 1.2 and above. This secures network traffic from passive eavesdropping, active tampering and the forgery of network messages.
TechnologyOne has implemented proactive security measures such as perimeter defence and network intrusion detection and prevention systems, together with anomaly detections algorithms that alert team members. We also utilise a number of confidential countermeasures designed to protect our customers and protect our service in general.
Vulnerability assessments and penetration testing of the TechnologyOne SaaS solution are evaluated and conducted on a regular basis by both TechnologyOne team members and trusted external third-party vendors. These vulnerability assessments are in addition to the secure coding practices, static code analysis, and security reviews undertaken with our enterprise software.
TechnologyOne SaaS architecture is active/active by design, which means that all data is synchronously stored in multiple locations, across multiple data centres, automatically. This approach challenges most existing procedures that revolve around backups, tape archives and expensive customer-adopted processes.
A full backup is taken weekly and stored in multiple locations across four physically isolated data centres. Database backups and transaction logs are implemented so that a database may be recovered with the loss of as few committed transactions as is commercially practicable. To ensure that we can offer the lowest recovery point objective (RPO) in the industry, we perform snapshots every 15 minutes to minimise the potential for data loss in the event of failure. Backups of the database and transaction logs are encrypted for any database which contains customer data.
Security Assertion Markup Language (SAML) is supported by the TechnologyOne SaaS solution and enables an enterprise single sign-on (SSO) environment. SAML provides a seamless, single sign-on experience between the customer’s internet connection and TechnologyOne SaaS, which incorporates the existing identity framework already in use.
TechnologyOne software enforces role-based security for authorisation. Role-based security allows customers to grant or restrict user access to functionality, business processes, reports and data.
System-to-system integration is via public web service invocations or Reports as a Service (RaaS). All of these systems innovations are controlled by TechnologyOne software-based authorisations and security.
Customers that have any urgent security or privacy concerns in relation to the TechnologyOne SaaS platform can report this to TechnologyOne using any one of the channels below:
- Log a support case and identify it as a security/privacy issue and request a P1 rating
- Email privacy@technologyonecorp.com or security@technology1.com to notify TechnologyOne of a privacy or security breach, data breach or to request data breach support/investigations
TechnologyOne recognises the importance of the performance of online technology and how personal information is collected, stored, used, and disclosed. TechnologyOne is bound by the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) set out in the Privacy Act as well as the Notifiable Data Breaches scheme (NDB) and understands the importance people place on their personal information. At TechnologyOne, we are committed to ensuring that all information collected by us is treated with the appropriate degree of privacy and confidentiality. For full details, refer to our Privacy Policy.