Compliance

We understand that your IT department may want to perform due diligence on all third party technology providers. To make life easier for everyone, we have assembled the most common and relevant questions and answers here.

If you require a bespoke compliance form to be completed, please contact support. Note that you will be asked to pre-purchase sufficient credits to cover ten uses of the product. Filling out those forms is no one’s idea of a good time, so we only do it for bona fide customers.

Networking security

What IP addresses or domain names belong to the application?

The following domain names can be used to access the application:
- partn.com.au
- rufflereport.com.au

What domain names are used for sending email?

You may receive email from addresses at the following domain names, and should ensure they are allowed in your email spam filter:
- @partn.com.au
- @rufflereport.com.au
- @ruffle.technology

Does The Ruffle Technology Company Pty Ltd use firewalls to restrict malicious network traffic?

Yes

Are production databases shielded from direct internet access through the use of VPCs or similar?

Yes

Are mitigations in place to prevent CSRF and XSS attacks?

Yes

Data

Is the solution hosted on-premises or in the cloud?

Cloud

Which cloud model is the solution based on? (eg, PaaS, IaaS, SaaS)

Software as a Service (SaaS)

Which service model is used?

Public cloud (eg, AWS, Azure, Google Cloud, etc)

Are agreements in place with cloud service providers to define the legal jurisdiction where data can be transmitted, processed, or stored?

Yes

Which cloud provider(s) does the service rely on?

DigitalOcean

In which data centres / countries / geographies is data stored?

Sydney, Australia

Which tenancy model is used?

Multi-tenant

What is the availability Service Level Agreement (SLA) for this application / service?

99.99% uptime per month

Is data encrypted to an industry standard both at rest (stored data) and in transit?

Yes

Are all removable media encrypted?

No removable media is used

Is the data backed-up on a regular basis?

Data is backed up on a daily basis, and retained for 7 days

What are the SLAs around disaster recovery?

Best endeavours to restore access as quickly as reasonably possible. Please remember that PartN.com.au and RuffleReport.com.au export to Word, Excel, and PDF, and those reports get saved onto your matter. Once saved to the matter, continued access by your team will be to the saved version in your matter management software.

Does The Ruffle Technology Company Pty Ltd have a data privacy policy / framework to govern the handling of personal information, including the collection, use, storage and disclosure of personal information?

Yes – see https://rufflereport.com.au/legals

Does the data privacy policy / framework comply with applicable Australian privacy laws and regulations, including the Privacy Act 1988 (Cth)?

Yes

Is the data privacy policy / framework regularly reviewed and approved by management on a periodic basis?

Yes

Does The Ruffle Technology Company Pty Ltd have a data privacy breach notification procedure that specifies who needs to be notified in the event of a privacy breach, in what circumstances and in what time frames?

Yes

Please provide information on the circumstances in which, and the time frames within which, notifications are made

We notify affected individuals and the OAIC about an eligible data breach. An eligible data breach occurs when:
1. there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that our organisation holds;
2. this is likely to result in serious harm to one or more individuals; and
3. our organisation hasn’t been able to prevent the likely risk of serious harm with remedial action.
Notification must be made promptly, and in any event within 7 business days of discovery of the eligible data breach.

Compliance

Is access to data restricted by Role Based Access Controls (RBAC) and processes?

Yes

Are RBAC permissions regularly reviewed to ensure only authorised users are provided access to data, devices, and application functions?

Yes

Are audit logs recording user activities, exceptions, and information security events produced and kept to assist in future investigations and access control monitoring?

Yes. Among other things, we log the IP address and logged-in user ID for the following actions:
- Log in (and all steps in the log in flow)
- Log out
- Access a product
- Alter a product
- Create a new product
- Invite other users to gain access to a product
- All steps in the payment flow

Are controls and procedures in place for granting, revoking, and separating access to all information systems and services?

Yes. Internally, the software keeps track of users and memberships. Users can only access products to which they have a membership. Externally, logins are handled by email address. Accordingly, as soon as a former employee has their email access removed, they lose access to the app.

How is user authentication managed?

‘Magic links’, that is to say, login links emailed to the user's email address. These links last 5 minutes, and new login links invalidate old login links (even if the old ones were still 'in date'). Each user can only have one active session at a time. Sessions time out after 30 minutes (which can be extended by taking action), but the maximum session time is 24 hours, after which time the user will need to authenticate again using a magic link.
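As an added illustration (not the company's own code), the following constructed Python model implements the link and session rules stated above: single-use links that last 5 minutes, a new link superseding any older one, one active session per user, a 30-minute idle timeout extended by activity, and a 24-hour absolute limit. The class name and the in-memory dictionaries are assumptions standing in for the real database; times are passed in as seconds so the rules can be checked deterministically.

```python
import hashlib
import secrets

LINK_TTL = 5 * 60           # login links last 5 minutes
IDLE_TIMEOUT = 30 * 60      # session idle timeout, extended by activity
MAX_SESSION = 24 * 60 * 60  # absolute session lifetime, then re-authenticate


def _h(value: str) -> str:
    # Only hashes of tokens are stored, so a copy of the store yields no usable links or sessions.
    return hashlib.sha256(value.encode()).hexdigest()


class MagicLinkAuth:  # hypothetical class; dicts stand in for the real database
    def __init__(self) -> None:
        self._links = {}     # email -> (token_hash, issued_at)
        self._sessions = {}  # session_hash -> {"email", "created", "last_active"}
        self._active = {}    # email -> session_hash (one active session per user)

    def issue_link(self, email: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        # A new link replaces any earlier one for this user, even if it was still in date.
        self._links[email] = (_h(token), now)
        return token

    def redeem_link(self, email: str, token: str, now: float):
        # Exchange a valid, unexpired link for a session id; None otherwise.
        rec = self._links.get(email)
        if rec is None:
            return None
        token_hash, issued = rec
        if now - issued > LINK_TTL or not secrets.compare_digest(token_hash, _h(token)):
            return None
        del self._links[email]  # links are single use
        old = self._active.pop(email, None)
        if old is not None:
            self._sessions.pop(old, None)  # logging in again ends the previous session
        session_id = secrets.token_urlsafe(32)
        self._sessions[_h(session_id)] = {"email": email, "created": now, "last_active": now}
        self._active[email] = _h(session_id)
        return session_id

    def authenticate(self, session_id: str, now: float):
        # Return the session's email if it is still valid (extending its idle timer), else None.
        key = _h(session_id)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        if now - sess["created"] >= MAX_SESSION or now - sess["last_active"] >= IDLE_TIMEOUT:
            del self._sessions[key]  # stale _active entry is harmless: replaced on next login
            return None
        sess["last_active"] = now  # taking action extends the session
        return sess["email"]
```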

Is there support for single sign-on / ActiveDirectory integration?

We do not currently offer this. However, because our user authentication is handled via email login links, if a staff member leaves your firm and loses access to their work email, they will also lose access to their account on Ruffle Report.

Is multi-factor authentication enforced for access to systems / data?

Yes – temporary login link sent to email address

Is The Ruffle Technology Company Pty Ltd accredited to a recognised Information Security Standard? (ISO 27001:2013, NIST CSF, etc.)?

No. However, we maintain an information security capability commensurate with information security vulnerabilities and threats by taking the following precautions, among others:
1. We produce a minimal product, with minimal features, and therefore minimal surface area exposed to the outside world.
2. We use extensive automated testing to ensure our software is and remains secure against malicious users attempting to access data they should not have access to.
3. We leverage widely-adopted technologies with active security maintenance.
4. We use a tightly constrained network architecture which only opens the ports and hostnames that are essential for continued operation.
5. We apply sweeping IP restrictions to production assets such that they are only accessible to other production assets, and to approved company workstations.

Asset management

Are devices, servers, systems, or other network elements that store or process any data patched in a prompt fashion?

Yes. Wherever possible we use managed infrastructure where these patches are applied automatically for us.

Are managed devices subject to periodic vulnerability scans?

Yes. We use XProtect to scan executables when they run, when they change, and when new signatures are made available. We also benefit from automatic MRT, SIP, Bastion, and XProtect Behavioural Analysis.

Does The Ruffle Technology Company Pty Ltd perform annual penetration testing?

Yes

Would penetration test results impacting upon external stakeholders be communicated to them?

Yes

Are applications patched as soon as possible after vulnerabilities are discovered?

Yes

How often are applications patched?

At least weekly

How often are applications scanned for vulnerabilities?

At least weekly

Security Incident Response

How are alerts and suspicious activity monitored and managed?

Among other things, suspicious activity is logged to an audit trail database and redundancy log store, and alerts are emailed to the technical team. Unexpected resource usage levels are emailed to the technical team.

Has The Ruffle Technology Company Pty Ltd suffered a data breach in the past?

No

Are all employees with access to sensitive data made aware of, and do they understand, their responsibilities?

Yes

Personnel

Are background verification checks performed for employees and contractors?

All new employees or contractors undergo background checks and identity verification

Is photo identification of new employees and contractors done during the screening process as per Australian standards?

Yes

Are address history verification checks performed as per Australian standards?

Yes

Are all employees and contractors aware of their Information Security responsibilities?

Yes

© 2024 The Ruffle Technology Company Pty Ltd

Ruffle Report is a web application that helps family law participants and their lawyers perform forensic analysis of financial disclosure, for use in proceedings under the Family Law Act 1975 in the Federal Circuit and Family Court of Australia (FCFCOA).