Orica is commited to ensuring the security and privacy of our customer's data stored in the BlastIQ system. This is an overview of our approach to security and privacy, however we would be happy to provide additional information on request.
BlastIQ undergoes independent 3rd party security testing at least annually (and additionally on demand as required) in line with company procedures. Testing includes penetration testing (unauthorised access) and internal data segregation security (testing for authorised access beyond privileges).
Critical and High severity vulnerabilities are remediated with the highest level of urgency by the BlastIQ engineering team. Security Audit Reports are not provided to customers for security reasons.
Security Breach Notification
As required by law, Orica will notify customers and users in a timely manner of a Notifiable Data Breach. In addition Orica will notify customers in a timely manner if any of their data in BlastIQ is the subject of a Data Breach.
Data Storage Location
Data stored in BlastIQ is located in Azure and AWS data centres in Singapore. Encrypted backups my be stored in Hong Kong for geo-redundancy. For data security information relating to infrastructure platforms please refer to https://aws.amazon.com/security/ and https://azure.microsoft.com/en-au/overview/security/
Automatic backups are taken on a minimum of a daily basis for all datastores, critical transactional systems have much shorter backup windows. Encrypted backups are stored in Azure Hong Kong for geo-redundancy or within a different AWS availability zone in Singapore.
BlastIQ Systems are hosted as distributed cloud services with zero-downtime upgrades for most deployments. Historical availability and planned Maintenance or Incidents impacting availability of the BlastIQ system components are published at https://status.blastiq.com and customers can subscribe to receive notifications of planned maintenance outages and incidents affecting availability.
BlastIQ is offered as a multi-tenanted Software as a Service offering. Customers are not consulted for approval of changes, however Public APIs are versioned for breaking changes and customers have time of concurrent versions operating to facilitate upgrades.
Public notifications of application updates can be subscribed to via https://status.blastiq.com with release notes published for end user applications on the BlastIQ Support Centre https://support.blastiq.com/release-notes
The BlastIQ system changes are all tested in Development and Test environments prior to release, these environments contain mock data for security reasons (A Customer’s data will not be removed from the Production Environment).
All code changes are peer reviewed, then tested in development and test environments using automated test suites and manual testing prior to release to the production environment.
Secure Application Development
The BlastIQ Engineering team practices secure application development in accordance with a documented Secure Application Development standard.
All code changes are peer reviewed and merged using source control systems with audit records and history of changes.
All application builds and deployments to cloud infrastructure or release for download are performed using automated continuous integration systems to ensure reliability, repeatability and security.
Please refer to your BlastIQ Commercial Agreeement for Data Ownership contract terms.
Data stored in the BlastIQ System can be extracted by the customer using the BlastIQ Public API, documented here: https://support.blastiq.com/hc/en-us/articles/360015817533
Users with access to a customer's data are categorised into Read, Write and Admin roles and are visible within the BlastIQ Administration portal at blastiq.com/admin
A limited number of BlastIQ team members have access to customer data for support and maintenance purposes. These team members operate within strict guidelines to ensure customer data is managed securely and privately at all times.
All BlastIQ data is encrypted in transit using Transport Layer Security (TLS). Data stored in the BlastIQ Data Lake is encrypted at rest, some data stores in the BlastIQ cloud are not encrypted at rest but are located within secure facilites managed by Microsoft (see Data Storage Location above for links to Microsoft's physical security information)
Single Sign On
Single Sign On to BlastIQ is used for all Orica employees (including mandatory multi-factor authentication).
Single Sign On is available to customers with an Azure Active Directory for their domain (e.g. @customer.com), please raise a support request if you would like to set this up for your domain users.
Logging and Auditing
All activities on BlastIQ, particularly those relating to security are logged. BlastIQ is a multi-tenanted application and these logs are not available to customers at this time.
BlastIQ relies on connectivity from the customer's devices to a number of internet domains to provide the services, they are detailed here: https://support.blastiq.com/hc/en-us/articles/360013898633
Minimum System Specifications
The minimum system requirements to run BlastIQ are documented here: https://support.blastiq.com/hc/en-us/articles/360035362513