Dental4Web (D4Web) and Security


At Centaur, we prioritise the security of the information we manage, ensuring the highest level of protection for our web-based databases and cloud environments. Our approach is based on industry standards and incorporates multiple layers of security controls.


Certifications & Compliance

ISO 27001:2013 Certification

Centaur Software is certified under the ISO 27001:2013 standard for Information Security Management Systems (ISMS), successfully passing the certification in February 2023 and the subsequent surveillance audit in January 2024. This certification ensures that our systems, processes, and people are aligned with the highest security standards.

GDPR Compliance

As of March 2021, Centaur Software complies with the General Data Protection Regulation (GDPR).


Penetration Testing

Each year all our Web-based applications undergo rigorous penetration testing by independent cybersecurity testers. These penetration tests check our products against the following:

  • Penetration Testing Execution Standard (PTES)

  • Open Source Security Testing Methodology Manual (OSSTMM)

  • Open Web Application Security Project (OWASP)


Cloud Infrastructure Security

Server Locations & Redundancy

Our servers, part of the Centaur Cloud Servers suite, are located within the AWS Asia Pacific (Sydney) Region, utilising all three availability zones for redundancy and ensuring data and backups remain secure within Australia. Our infrastructure is built on AWS, enabling a 99.99% uptime guarantee.

Encryption & Data Security

  • Practice data is encrypted using server-side encryption with keys managed by AWS Key Management Service (SSE-KMS).

  • Amazon RDS encrypted database instances provide encryption at rest.

  • EBS volumes on EC2 instances are encrypted using Amazon EBS encryption.

  • Non-database files stored in AWS S3 benefit from multi-data-centre redundancy for added resilience.

Application-Level Security

D4Web includes advanced security features such as:

  • Multi-factor Authentication (MFA)

  • IP and DNS restrictions

  • Trusted Device Access

  • User activity logs

  • Inactivity timeouts


Password Policies

D4Web offers a range of password restrictions, including:

  • Enforcing password complexity (alphanumeric, special symbols, uppercase and lowercase letters).

  • Password expiration, history, and age enforcement.

  • Username exclusion from passwords.

  • Reminders for password changes.

Once implemented, you can audit and generate reports for password restriction compliance.

All security-related information is stored in the database in encoded form, so it cannot be read directly from the database.


Application Whitelisting

All applications are screened at the point of connection to the database to ensure Centaur has authorised them. The whitelist of certified applications is synchronised at regular intervals with our master systems.


Audit Trails & Logs

Extensive audit trails within the D4Web application capture changes to critical records, including:

  • Deleted or modified patients, appointments, and treatment records.

  • Changes to fees, recall dates, and provider details.

  • External data requests and overrides.

In addition, all user activity, including database queries and non-database activity, is logged and monitored by AWS log tools and reviewed regularly by Centaur’s compliance team.


Data Management & Retention

Redundancy & Backup

We implement robust data redundancy strategies, ensuring backups are replicated across multiple AWS availability zones. Real-time replication, daily snapshots, and weekly full database backups protect against data loss.

Data Retention Policies

  • 90 days for versioned deletions and modifications.

  • 7 days for daily database snapshots.

  • 90 days for weekly database backups.

  • Up to 90 days after service discontinuation.

Control over Data

The customer retains ultimate ownership of their data, with control limited to application-based viewing and modification. We provide a free database copy once every six months upon request, with additional requests subject to a fee, all within the framework of the Australian Privacy Principles.

Data Migration Out of the Platform

Data migration out of the platform is supported, following the same access and control procedures outlined above, ensuring flexibility and control over your data.


Disk Encryption & Security of Cloud-Hosted Databases

All our D4W Cloud and D4Web databases are hosted in our Australian-located AWS Cloud and are protected by several security measures.

Some of our Cloud security measures include:

  • Practice data stored on AWS is encrypted using server-side encryption with AWS Key Management Service (SSE-KMS).

  • All application configuration databases are Amazon RDS encrypted db instances. This provides the databases with encryption at rest.

  • All EBS volumes on all EC2 instances are encrypted using Amazon EBS encryption technology.

  • All EC2 instances are protected by antivirus software with hybrid cloud security capabilities, which detects and protects against vulnerabilities, malware and unauthorised changes.

  • Security update management software runs on all servers, continually scanning the system to identify missing security patches and updates.

  • All access to the EC2 instances is protected by MFA (Multi-Factor Authentication).

  • All servers regularly undergo rigorous server hardening against CIS (Center for Internet Security) Microsoft Windows Server Benchmarks. Tenable.io is used to identify vulnerabilities.


Data Access Control & Monitoring

Data is strictly accessible by authorised practice users and Centaur’s support engineers for troubleshooting purposes only. All staff undergo background checks and data access is audited regularly to ensure compliance with ISO 27001:2013. Additionally, practice users retain ownership of their data with full control over access and modification rights.


Uptime & Scheduled Maintenance

While our AWS infrastructure guarantees 99.99% uptime, scheduled maintenance is conducted during specific windows:

  • Sundays between 1:00 AM and 5:00 AM AEST

  • Daily between 2:00 AM and 3:00 AM AEST

During these windows, the application may be temporarily unavailable.


Authorised by Chief Technology Officer 24th September 2024
