At Optimal Workshop, we take the security of our products seriously. Even though we make every effort through education, best practices and external audits, it’s possible that a security vulnerability may be present.
Frequently asked security questions
Does Optimal have a governance framework in place for security?
Our Chief Executive acts as the Chief Security Officer. We run a weekly Security Council meeting with senior staff. Key policies exist which govern the main aspects of information security. Operational risks relating to security are reported monthly to the Optimal Board.
Does Optimal have processes in place to ensure the operational security of its services?
Key Operations Security practices and processes are defined, documented and implemented. External expertise is deployed on a regular basis to test and refine operational security practices as part of a continuous improvement programme.
How does Optimal ensure all of your staff are deploying security best practices?
Our belief is that security is everyone's responsibility. Security is a key part of our culture and we deliberately apply security by design in our development. Initial awareness training is provided as part of our on-boarding process, supplemented by regular staff-wide updates and specific training where applicable to the role.
How does Optimal protect my data while transiting networks?
Data in transit over the Internet is encrypted using TLS 1.2 and SSL protocols.
How does Optimal protect my data once it is stored?
Our database is encrypted at rest. For datacentre security we use AWS datacentres located in the USA. AWS publishes the physical and environmental controls applied in its datacentres; for more information see: https://aws.amazon.com/compliance/data-center/controls/
What measures does Optimal deploy to ensure access to my data is granted appropriately?
Access to Optimal services is provided only to those with approved user credentials. Minimum password requirements are enforced. We do allow users to authenticate through Google OAuth2 Login.
Optimal staff with access to Client Data are subject to confidentiality obligations under a Non-Disclosure Agreement. Privileged accounts used by Optimal staff that have elevated security rights are reviewed regularly, and there is a separation of duties to ensure only the right people are accessing data for the right reasons.
How does Optimal ensure my data can’t be affected or seen by other customers?
Our product is multi-tenanted. Our software is designed to prevent access to client data associated with other accounts: data is returned only to authorised users of the account that owns it. The software is also regularly patched, maintained and tested to ensure it remains secure.
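The isolation property described above rests on every data lookup being scoped to the caller's account, not just to the record identifier. The following is an added illustration of that pattern and is not Optimal Workshop's code; the table layout, the `Principal` type and the sample rows are constructed for the example. It places a lookup keyed only by record id (the classic insecure direct object reference) beside one that also filters on the authenticated account, and shows that the scoped version returns the same "not found" result for a foreign record as for a missing one, so it does not reveal whether the id exists.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The authenticated caller: who they are and which tenant account they belong to (assumed shape)."""
    user_id: int
    account_id: int


class NotFound(Exception):
    """Raised for a record the caller may not see; deliberately identical for missing and foreign records."""


def build_db():
    """Build an in-memory SQLite database with constructed sample data for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE studies (id INTEGER PRIMARY KEY, account_id INTEGER NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO studies (id, account_id, title) VALUES (?, ?, ?)",
        [
            (101, 1, "Tree test - account 1"),   # belongs to tenant 1
            (102, 2, "Card sort - account 2"),   # belongs to tenant 2
        ],
    )
    conn.commit()
    return conn


def get_study_unscoped(conn, principal, study_id):
    """Vulnerable lookup: filters on the record id only, so any authenticated user of any
    account can read any study by guessing or enumerating ids (IDOR)."""
    row = conn.execute(
        "SELECT id, account_id, title FROM studies WHERE id = ?", (study_id,)
    ).fetchone()
    if row is None:
        raise NotFound(study_id)
    return row


def get_study_scoped(conn, principal, study_id):
    """Hardened lookup: the tenant constraint is part of the query itself, taken from the
    authenticated principal rather than from anything the client sends."""
    row = conn.execute(
        "SELECT id, account_id, title FROM studies WHERE id = ? AND account_id = ?",
        (study_id, principal.account_id),
    ).fetchone()
    if row is None:
        raise NotFound(study_id)
    return row


def can_read(lookup, conn, principal, study_id):
    """True if `lookup` returns the record to `principal`, False if it raises NotFound."""
    try:
        lookup(conn, principal, study_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    db = build_db()
    tenant2_user = Principal(user_id=7, account_id=2)
    # Tenant 2 asks for tenant 1's study 101.
    print("unscoped leaks foreign record:", can_read(get_study_unscoped, db, tenant2_user, 101))
    print("scoped denies foreign record:  ", not can_read(get_study_scoped, db, tenant2_user, 101))
    print("scoped still serves own record:", can_read(get_study_scoped, db, tenant2_user, 102))
```

In a real codebase the account filter belongs in one place that every query passes through (a repository layer, a row-level security policy, or a query builder that refuses to run without a tenant id) rather than being re-typed in each handler, since a single forgotten `AND account_id = ?` is enough to break the isolation for that endpoint.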
Does Optimal classify or protectively mark my data to enhance its security?
Optimal classifies Client Data to help identify it so that access to it can be appropriately restricted. See our Privacy Notice for more information: https://www.optimalworkshop.com/privacy
Does Optimal restrict access to my data by device or device type?
The services we provide are accessible from any device provided the credentials are correctly authenticated.
Does Optimal undertake regular internal reviews of workstation and laptop builds to ensure that they are free from technical vulnerabilities?
Our laptops and workstations are set up securely as part of the on-boarding process and spot inspections are carried out to ensure adherence to security standards. Staff are also educated about best security practices.
Does Optimal have a formal change control policy and/or process?
The Change Control process is part of the Application Development Standard.
How is the Optimal software designed and developed to identify and mitigate threats to security?
We deploy security by design during the development of our services. Application Security practices are deployed throughout the development lifecycle. Our application is reviewed and tested at every stage of the development process by experienced developers to ensure technical vulnerabilities are identified and resolved as early as possible.
Can Optimal provide me with audit records that show how you are keeping information secure?
We conduct periodic audits of security configurations to make sure information is secure. We use independent security auditors to run annual penetration tests against our service. We also conduct periodic vulnerability scans of our systems looking for security weaknesses. Some of this information is highly sensitive and as such cannot be shared outside of Optimal. However, we can make some audit information available by negotiation with clients.
Is Optimal PCI-DSS (Payment Card Industry Data Security Standard) compliant?
Credit card processing is handled via a PCI DSS compliant service provided by Payment Express.
Has Optimal undertaken formal certification against ISO 27001:2013 or similar standard?
We have been assessed against ISO 27001 as a specification for creating an Information security management system. Although we are not ISO 27001 certified, we have used that review to take steps to align our processes with ISO 27001 in order to better secure client data, minimise risk and ensure business continuity.
Does Optimal have a documented data security incident plan in place?
We have a Major Security Incident Response Plan (called a Run Book) in place.
Is access restricted to Optimal buildings?
All Optimal facilities have controlled access through card access and monitored alarm systems.
Are Optimal staff subject to background checks?
We have defined on-boarding and off-boarding processes for our staff. Prior to hiring any staff or contractors, New Zealand police background checks are run against the candidates, professional references are contacted and any applicable work visas validated.
How can I report a security issue?
If you discover a security issue, we ask that you report it to our security team using the email firstname.lastname@example.org.
The team will be in contact to confirm receipt of your report and discuss the next steps towards addressing the issue.
What should I include when raising an issue?
When you get in touch with our security team, please provide as much information as you can to help us investigate and replicate the issue:
Any steps we can follow to reproduce the issue
Target URLs, request/response pairs, screenshots
Any suggestions to help us address the problem
The device and browser version you were using when you identified the issue
I'm a security researcher. How can I help?
Whilst we offer our thanks to those working to improve the security of our service, we ask that you please respect the following:
Don’t use automated tools in your research, as they can affect the performance of the service for our customers. We conduct periodic testing of this nature ourselves in a controlled fashion to avoid service disruption.
Don’t knowingly compromise any user’s privacy, attempt to alter data, or in any other way impact the performance or integrity of our service.
Give us reasonable time to respond to your report.