# How do I get documents to and from the DX2 platform?
There are many Transport Mechanisms for sending and receiving data on the DX2 platform;
- (Secure) HTTPS - REST API with user controlled API Token Connector.
- (Secure) SFTP - User controlled SFTP Connector.
- (Secure) DX2 Gateway - Client's on-premises application that leverage the HTTPS - REST API to send / receive documents.
- (Secure) DX2 Portal - Document Upload / Document Download.
- (Secure) Xero Connector - User controlled Xero Connector, OAuth protected.
- (In-Secure) FTP - User controlled FTP Connector.
- (In-Secure) Email - DX2 Email for Inbound and Outbound documents.
- DX2 Intermediate Service - Can be used in both (Secure) and (In-Secure) modes, to connect to REST based external APIs.
Please Note
We recommend you use Secure Transport Mechanisms where possible.
For details see Introduction to Connectors
# What formal security accreditation do you have for DX2 (e.g. ISO27001 certification, SOC 2 audit, etc.)
- Microsoft Azure is ISO/IEC 27001 certified.
- Storecove the access point provider we use for e-invoicing is ISO 27001 certified.
# Where do you define your service level availability, integrity and confidentiality?
This information is held in the Terms and Conditions and Privacy Policy documents.
# Can you please advise the support and maintenance service levels that you can provide? Please include system availability (over a month), scheduled maintenance or outages, RTO and RPO.
| Service Level | Measurement |
|---|---|
| System availability: 24 hours / 7 days week (target) | 99.5% |
| Scheduled maintenance or outages | 19:00-3:00 NZST or weekends |
| Planned outages | none |
| RTO | 4 hours |
| RPO | <1 minute |
Definition
RPO is about how much data you afford to lose before it impacts business operations. For example, for a banking system, 1 hour of data loss can be catastrophic as they operate live transactions. ... On the other hand, RTO is the timeframe within which application and systems must be restored after an outage.
# What assurances do you make on the confidentiality, integrity and availability on the service and any of my data traversing it?
- As a cloud native service, DX2 Digital Business has been designed with security in mind. All DX2 data, web hosting and authentication uses Azure technology. We leverage Azure app service, data storage and authentication. We utilise Azure SQL safeguarded further by Azure’s Network Security features (firewall access only within Azure), Azure Key Vault, Threat Protection and Tenancy Protection.
- DX2 uses Azure B2C (OAuth 2.0) and OpenID Connect standards. DX2 also leverages the Azure security and threat monitoring for ongoing risk analysis and improvement as technology changes around us.
# Who has access to my data as it traverses your system?
- Only those users that you have given permission to can access your data as it traverses DX2.
- The Trading Partner you either sent or received the document from or to, can also control who has access to their document / data.
# What happens to my data once it has been exchanged – is it removed, destroyed, retained, archived?
- We will store all your data on the DX2 network for as long as you have an account open with us unless you otherwise ask us to destroy it in which case it will be destroyed permanently.
- All data is retained in Azure data storage. Data and documents related to transactional activities are stored on the platform indefinitely. There may be additional storage if the material being stored or storage usage is inconsistent with the level of transactional activity.
# Do you have assurance processes in place for the product and how often are they completed (e.g. pen tests, code reviews, audits etc.).
- Our development lifecycle includes code reviews, regression testing, unit testing. These are completed daily.
# Is my data secure?
At DX2 we utilise the Microsoft Azure Cloud which we have configured to secure your data using;
- Encryption at rest - Safeguard data
- Encryption in flight - Secure the network
- Azure ADB2C & Azure AD Federation- Manage Identity and Control Access
- Azure Key Vault -Key, secrets and certificate management
- Compliance - Azure Compliance Documentation
Exceptions
(In-Secure) Transports traverse networks and systems outside the control of DX2.
# How can I control who has access to my data?
You can control who has access to your documents / data through your portal and APIs. This is done by Managing your Users or Managing your Connectors. By the use of Security Groups users can be granted Roles & Permissions which control what they can see and do.
The Trading Partner you either sent or received the document from or to, can do the same, they can control who has access to their document / data.
Some pieces of information are just for you;
All configuration changes are Audited, recording who changed what, when. Each document contains a Document Timeline and Document Activities, which detail events that happen over the document's lifetime, and display communications regarding this document with your users and trading partner.
# How do you control which 3rd parties can get to my data?
- Olympic (DX2) does not work with, or give access to data, to any third parties, for any reason. Further to this because DX2 is hosted on Microsoft Azure; Microsoft guarantees data protection. Microsoft will not use your data without your agreement. Microsoft complies with broadly applicable privacy laws such as the GDPR and privacy standards such as the world’s first international code of practice for cloud privacy, ISO/IEC 27018. Microsoft, and Olympic (DX2) do not share your data with advertiser-supported services, nor do we mine it for any purposes like marketing research or advertising.
# Where is my data held?
Microsoft Azure Cloud, in the Australia Southeast / Australia East regions, with Geo-Redundant / Backup copies spread between those regions.
Amazon Web Services, in Australia South East for Search acceleration.
Please Note
Search Acceleration will be moved to Azure when available in our region.
The Azure New Zealand North region may be used when available.
# What data sovereignty statutes apply?
Microsoft Azure - Questions and Answers on data residency and compliance
Excerpt from the link;
Questions about the security of and control over customer data, and where it resides, are on the minds of cloud customers today. We’re hearing you, and in response, we published a whitepaper that gives clear answers and guidance into the security, data residency, data flows, and compliance aspects of Microsoft Azure. The paper is designed to help our customers ensure that their customer data on Azure is handled in a way that meets their data protection, regulatory, and sovereignty requirements.
Transparency and control are essential to establishing and maintaining trust in cloud technology, while restricted and regulated industries have additional requirements for risk management and to ensure ongoing compliance. To address this, Microsoft provides an industry-leading security and compliance portfolio.
Security is built into the Azure platform beginning with the development process, which is conducted in accordance with the Security Development Lifecycle (SDL). Azure also includes technologies, controls, and tools that address data management and governance, such as Active Directory identity and access controls, network and infrastructure security technologies and tools, threat protection, and encryption to protect data in transit and at rest.
Microsoft gives customers options so they can control the types of data and locations where customer data is stored on Azure. With the innovation of the security and compliance frameworks, customers in regulated industries can confidently run mission-critical workloads in the cloud and leverage all the advantages of Microsoft’s hyperscale cloud.
Download the whitepaper, Achieving compliant data residency and security with Azure for more information.