Privacy, security + compliance

Award Force uses best practice security measures to protect you, your company, your judges + entrants, and their personal data.

You’re concerned about security. So are we. We are confident that we have one of the most secure online application + evaluation solutions worldwide. If not the most secure.

NEW: Visit our trust centre for a complete overview of our security controls, policies and certifications.

Security

The Award Force application and hosting stack have been architected with security practices and features built in, so you’ll never have to worry about the security of data stored in Award Force.

Server security

Our multi-server architecture is secured in a Virtual Private Cloud (VPC). There is no access via FTP. Server access is only possible by authorised staff via SSH key-based authentication through VPN access to our VPC. Access to our AWS infrastructure is only available to authorised Award Force staff and is governed by Identity and Access Management (IAM) and multi-factor authentication (MFA).

Physical security

All our application stack physical infrastructure and data storage is within Amazon Web Services (AWS) data centres in a choice of residency locations. AWS data centre and network architecture are built to comply with stringent global standards such as SOC 1, SOC 2, SOC 3, and Cloud Security Alliance Controls. These standards meet the requirements of the most security-sensitive organisations. AWS data centres are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilising video surveillance, intrusion detection systems and other electronic means.
Data encryption

In keeping with best-practice security, all data at rest (in our databases and media stores) is stored encrypted. All data in transit (including login credentials and credit card details for paid entry awards) is protected using TLS 1.3 (HTTPS) by default, with AES-256 encryption and SHA-256 signed certificates.

Encrypted personal data

Personal data, sometimes referred to as Personally Identifiable Information (PII), is information that can be used to uniquely identify, contact or locate a single individual. Keeping PII secure is dictated by various regulations and privacy laws internationally. Additional layers of encryption can be applied for elevated security on sensitive data fields.

Role and permission-based access control

Award Force has an extensible system for defining user roles and associated system use permissions, so that users can only access the functionality they’re permitted to, whether they are entrants, judges, coordinators or managers.

Optional multi-factor authentication

Individual users can choose to increase protection of their account against unauthorised access by enabling multi-factor authentication (MFA). MFA can also be required for specific roles with elevated access levels. The primary authentication method after the password is a Time-based One-Time Password (TOTP). Backup recovery methods include recovery codes and SMS.

Passwords

User account access is password protected. Passwords are stored with one-way bcrypt hashing. As a result, the original password can never be read, seen or recovered by anyone, even those with direct access to the system database. A minimum password length of 12 characters is enforced.

Credit card data

Award Force integrates directly with third-party payment gateways for credit card payment handling on paid entries. User credit card details are never stored in Award Force databases. They are passed directly to the payment gateway.
Our PCI-DSS attestation certificate is listed in the certifications and documentation section below.

Testing

Award Force performs rigorous security testing including risk analysis, automated scanning, and third-party vulnerability and penetration testing. In the unlikely event a security incident or data breach occurs, we have a best-practice resolution path in place and will alert account owners by email immediately. If clients wish to perform their own penetration testing, we will be happy to facilitate this on a special-purpose non-production clone stack by arrangement. Our most recent penetration testing certificate is available on request.

Privacy

Award Force is extremely privacy conscious. Our staff work together to handle your data responsibly and ensure your right to privacy is maintained at all times. Our product is also designed to help you comply with local privacy laws by offering choice in data storage region.

Data residency

When it comes to your data hosting location, you have the freedom to choose between several supported regions.

Data handling

We’ve developed and implemented comprehensive processes, privacy safeguards and ongoing training for our teams to ensure we are following best-practice data handling procedures.

Privacy policy

Our privacy policy is mandated by our parent company, Creative Force.

Data regulation compliance

Award Force is packed full of features to help you maintain compliance with requirements under the various regulations listed below. Our team regularly works to expand our compliance coverage to help you meet your compliance needs.

General Data Protection Regulation (GDPR)

GDPR stands for the General Data Protection Regulation and is effective as of May 25th, 2018 within the EU and the UK.
GDPR replaces the national privacy and security laws that previously existed within the EU with a single, comprehensive EU-wide law that governs the use, sharing, transfer and processing of any personal data that originates from the EU and the UK.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is the acronym for the Health Insurance Portability and Accountability Act. It’s U.S. legislation meant to safeguard the protected health information (known as PHI) of U.S. residents. Award Force is a fully compliant business associate and we can sign a HIPAA BAA (business associate agreement) with any covered entity dealing with the health information of U.S. residents.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act is applicable to California residents and is effective from 1 July 2020. Award Force recognises that California has recently passed an addendum to the CCPA known as the California Privacy Rights Act (“CPRA”). As with the LGPD, we will analyse the additional requirements and update our policies and materials where needed.

Australian Privacy Principles

The primary legislation that governs privacy in Australia is the Privacy Act 1988 (Cth). The cornerstone of the Act is the Australian Privacy Principles (APP). These principles replaced the previous National Privacy Principles in March 2014.

Reliability

Awards programs deal in integrity, stability and trust, and are mission-critical projects. As such, Award Force has been architected and is maintained to be as dependable as possible. We are committed to delivering a service which is stable, secure at scale, readily available and recoverable.

Business continuity and disaster recovery

In the event of a disruption to our operations, our business continuity and disaster recovery plan is in place and ensures minimal impact on our clients and their programs.
Stable foundation

Award Force is built on industry-leading cloud infrastructure from AWS. It is designed with redundancy and failover systems, and is dependable and optimised for performance.

Scale

Award Force is built to respond to increased client data and user loads, fast. Our platform performs consistently and predictably, even under high volumes.

Availability

Since 2016, Award Force clients have enjoyed more than 99.96% service availability. The majority of downtime was for scheduled maintenance, which we communicated well in advance. We hold ourselves to these high standards on an ongoing basis.

Status transparency

Real-time system status, detailing the status of the various components of the platform as well as the platform as a whole, is readily available from our open and publicly accessible status page.

Certifications + documentation

Use our responses to the CAIQ to fast track your assessment of our security profile, or download our ISO/IEC 27001 or PCI-DSS attestation certificates below.

The Consensus Assessments Initiative Questionnaire (CAIQ) offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. Our CAIQ response is available for download.

Award Force has been independently audited and verified to fulfil the requirements of the ISO/IEC 27001:2022 standard. Download the certificate from our trust centre.

HECVAT

The Higher Education Community Vendor Assessment Tool (HECVAT) is a security assessment template that attempts to generalise higher education information security and data protection questions. It is the higher education equivalent of the CAIQ. Our completed assessment is available for download.

Award Force is fully compliant with the Payment Card Industry Data Security Standard (PCI DSS); please find our attestation below.
Download the attestation from our trust centre.

Cyber Essentials is a United Kingdom certification scheme, backed by the UK government and overseen by the National Cyber Security Centre, designed to show that an organisation has a minimum level of protection in cyber security, with annual assessments required to maintain certification. Download the certificate from our trust centre.

Award Force has been independently audited and verified to meet the requirements of the SOC 2 Type II standard for security, availability and confidentiality. Download the report from our trust centre.

Frequently asked questions

Where is Award Force hosted?

Award Force uses Amazon Web Services (AWS) infrastructure to host the system. Our application and database servers are located in the European Union, the United States of America, Hong Kong, Canada and Australia. For security reasons, Amazon does not publish the physical locations of their data centres.

Can we use our own domain?

Yes, custom domains are available on the Pro plan.

Does Award Force comply with any privacy laws? If yes, which?

The Award Force application is packed full of features to help clients maintain GDPR, CCPA, LGPD and APP compliance.

Do you have any proof of security used?

Yes, our ISO 27001 certificate and PCI-DSS attestation are freely available above, and we are more than happy to pass along our most recent penetration test results. Please get in contact if you’d like to receive a copy.