Welcome to our Email & SMS Marketing platform. This guide contains a series of 'recommended reading' articles for IT & System Administrators to help you understand our platform from a network & IT security point of view, as well as assisting you to configure our platform using security best practices.
General Introduction & Overview
Account Security & Users
- Account Access Levels
- Add Additional Users
- Increase Account Security With Two-Factor Authentication
- Minimum System Requirements
- Restrict Account Access by IP Address
- Security Best Practices
- Usage Details & Event Log
Domains, Firewalls, & IPs
- Setup your domain records in our platform (for authenticated email)
- Firewall & Whitelisting Issues
- Restrict Account Access by IP Address
- System IP Address Information
Support & Training
- Need a hand? Get in touch with our support team
- View our full index of support articles
- Explore our various training resources
Other Guides & Resources
- Explore our full list of Getting Started resources.
Frequently Asked Security Questions
Information Security Management
Q: Where is contact data stored?
A: All contact data is stored in Australia. Our product, live environment, and all (Australasian) client data are hosted at a Tier 4, ISO 27001 compliant data centre in Brisbane. No client data is stored on our own office premises.
Q: What role at Vision6 is responsible for managing Information Security?
A: Our CTO & Corporate Development Officer.
Q: Does Vision6 maintain any Information Security Training and Awareness programmes, Security Education, or other programmes of a similar nature?
A: All new employees are taken through Security Training and Awareness by our CTO and this is refreshed on an annual basis. We also conduct security reviews of our product as a part of our development process in relation to new code and features.
Q: How many Vision6 employees have administrator level access to customer records and what controls are in place in terms of their access?
A: Access to the company network is restricted to direct employees who require access as part of their day-to-day duties. Only the CTO and two System Administrators have administrator level access to all records and data.
Q: Have you undergone third-party penetration testing?
A: Yes. Penetration tests are scheduled annually. You may request a copy of our Penetration Test Assurance Report (Oct 2020) by contacting our Support team. We have not had a data breach in over 20 years.
Q: Does Vision6 manage any Personal Identifiable Information (PII) data on behalf of clients?
A: No, we do not manage PII data on behalf of our clients. Our clients use our software to manage their data themselves.
Q: In the case of Transactional emails, is the data stored in Australia?
A: Yes. We are the only Australian provider of a transactional email tool that includes full attachment support (including inline attachments), the ability to BCC, and Australian data storage. At the time of writing, and to the best of our knowledge, all other transactional email providers store data offshore.
Q: What encryption protocols are used by Vision6?
A: Data in transit is protected with TLS 1.2 and above, and data at rest is also encrypted. HTTP Strict Transport Security (HSTS) is enforced on our web endpoints. HSTS is a web security policy mechanism by which the server instructs browsers to connect only over HTTPS for a stated period, which protects against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking over plaintext connections.
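The two controls named in that answer can be verified from the client side. The following is an added example, not Vision6 code: a client TLS context that refuses anything below TLS 1.2, and an evaluator for the Strict-Transport-Security header that flags the ways an HSTS policy is commonly weak (missing, max-age of zero, max-age under a year, no includeSubDomains). The header strings it is exercised with are constructed, and the host name passed to check_host() is a placeholder used only when the script is run online.

```python
# Added example (not Vision6 code): offline checks for the two controls named above,
# a client TLS context that refuses anything below TLS 1.2, and an evaluator for the
# Strict-Transport-Security (HSTS) header. Header strings below are constructed; the
# host name given to check_host() is an assumption and is only used when run online.
import socket
import ssl
from typing import List, Optional

# RFC 6797 sets no minimum, but one year is what browser preload lists require and
# the usual bar in security reviews.
HSTS_MIN_MAX_AGE = 31536000


def parse_hsts(header: str) -> dict:
    """Parse an HSTS header value into its directives.

    Directive names are case-insensitive and max-age may be quoted (RFC 6797);
    directives the RFC does not define are ignored.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def evaluate_hsts(header: Optional[str]) -> List[str]:
    """Return findings for an HSTS header; an empty list means the policy is acceptable."""
    if header is None:
        return ["no Strict-Transport-Security header: a browser can still be downgraded to plain HTTP"]
    policy = parse_hsts(header)
    findings: List[str] = []
    max_age = policy["max_age"]
    if max_age is None:
        findings.append("max-age missing or non-numeric: browsers ignore the whole header")
    elif max_age == 0:
        findings.append("max-age=0 deletes any stored policy instead of enforcing one")
    elif max_age < HSTS_MIN_MAX_AGE:
        findings.append(f"max-age={max_age} is below one year ({HSTS_MIN_MAX_AGE} seconds)")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: a cookie scoped to the parent domain "
                        "can still be sent over HTTP to a subdomain")
    return findings


def tls12_client_context() -> ssl.SSLContext:
    """Client context that verifies certificates and refuses TLS 1.0/1.1 handshakes."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_host(host: str, port: int = 443) -> dict:
    """Online check: negotiate TLS >= 1.2, fetch the response headers, evaluate HSTS."""
    ctx = tls12_client_context()
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(request)
            chunks = []
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
            version = tls.version()  # e.g. "TLSv1.3"; the handshake fails outright below 1.2
    head = b"".join(chunks).split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    hsts = None
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            hsts = value.strip()
    return {"tls_version": version, "hsts": hsts, "findings": evaluate_hsts(hsts)}


if __name__ == "__main__":
    # Offline demonstration on constructed header values.
    for sample in ("max-age=31536000; includeSubDomains; preload", "max-age=300", None):
        print(repr(sample), "->", evaluate_hsts(sample) or "ok")
    # check_host("example.com") would perform the live check; the host name is a placeholder.
```

Run against a real endpoint, check_host() either returns the negotiated version (which cannot be below 1.2 with this context) together with the HSTS findings, or raises an ssl.SSLError when the server offers nothing newer than TLS 1.1; the latter is itself the finding an administrator wants.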
Q: What compliances does Vision6 hold?
A: ISO 27001, SOC 2, QAssure, WCAG 2.0, W3C, with GDPR & Spam Act compliant tools. As far as we are aware, we will be the only Email Marketing Service Provider in the world to hold both SOC 2 and ISO 27001 certification. You may request to view our SOC 2 Assurance Report by contacting our Support team.
Q: What controls does Vision6 employ to protect data?
A: The Vision6 product is multi-tenanted with rigid logical segmentation of data by account. Access control within the product is role based. Please refer to the Vision6 Data Security practices page: https://www.vision6.com.au/compliance-hub/data-security/
Q: Does Vision6 conform to best practice in records storage and handling?
A: Vision6 is an email marketing platform, not a data storage provider. When we collect, store and use your personal information, we do so in accordance with the rules set down in the Australian Privacy Act 1988 (Privacy Act), the European Union General Data Protection Regulation (EU) 2016/679 (the GDPR), and the California Consumer Privacy Act (CCPA).
Q: Identify any managed services / IaaS / SaaS / PaaS where data is stored or through which it is transmitted.
A: PII is stored in sovereign data storage: in Australia we use a Tier 4, ISO 27001 compliant data centre in Brisbane (NextDC). We use both AWS Sydney and Azure Melbourne for some backup and disaster recovery functions. Both are ISO 27001 and SOC 3 compliant.
Q: What form will the information be exported from the system in, including what metadata is exportable?
A: CSV and Excel.
Q: Will Vision6 delete information and records upon request and provide assistance or evidence that they have done so?
A: All customer data is under sole ownership of the relevant customer. Any destruction of customer data is to be managed by the customer in the Vision6 product. We do not provide certificates for assurance of destruction as we're an email marketing platform not a data storage provider.
Q: Are any copies of records or information retained by Vision6 after the termination of a contract?
A: No. According to our Data Retention Policy, all deactivated account data is permanently deleted 12 months after deactivation.
Q: Does Vision6 return all required records and associated metadata in readable formats to customers upon request?
Network and System Management
Q: What system hardening standards are in place at Vision6?
A: Critical infrastructure components are reviewed annually to confirm compliance with the defined security hardening and configuration requirements. All systems and infrastructure are designed to limit exposed services and unnecessary software, to ensure that security measures (e.g. SELinux) are correctly in place, and are subject to security reviews as part of our deployment processes.
Q: Has Vision6 implemented any antivirus/malware solutions?
A: Yes. The requirements for antivirus and restrictive firewalls are detailed in our Threat & Vulnerability Management policy.
Q: What are Vision6’s patch management policies, procedures, and solutions?
A: We have comprehensive patch management processes in place for our product, including both manual and automated scans, which are reviewed and reported on monthly.
Q: Does Vision6 utilise a Security Information Event Management (SIEM) system?
A: We have a project on our roadmap to improve our log management infrastructure, which we expect to include a SIEM solution.
Q: What are Vision6’s remote access policies including any requirements for multi-factor authentication (MFA)?
A: We recommend customers apply their own policy when using the product, where relevant, and supplement this with two-factor authentication. All other software and systems used by Vision6 use MFA, where possible.
Q: Does Vision6 subcontract part of their service offering to third parties and, if so, what contractual agreements are in place?
A: All core functions and client services are conducted by Vision6 and are not outsourced to any third-party contractors.
Q: Describe Vision6’s Incident Response plan including details of the reporting, escalation and remediation associated with an Information Security Incident.
A: General incident management, security incidents and data breaches are handled according to our Security Incidents & Data Breach Policies.
Q: What notification requirements have been established by Vision6’s incident response plan?
A: Our Terms & Conditions detail our incident notification commitments to customers.
Q: What breach notification policies and procedures does Vision6 use to notify clients in the event of unauthorised access and/or a data breach?
A: Please refer to ‘Notifiable Data Breaches’ in section 7. Information and Data Security of our Terms & Conditions for details of our breach notification policies and procedures.
Q: Has Vision6 experienced any significant Information Security incidents in the past?
A: No. Vision6 has not been subject to an Information Security Incident.
Q: What are Vision6’s Disaster Recovery and Business Continuity plans?
A: Vision6 has a Disaster Recovery Plan that is continuously reviewed and monitored by the Development Team. A full Disaster Recovery test was performed in January 2022.
Q: What disaster recovery plan testing is performed at Vision6?
A: Vision6 performs annual disaster recovery plan testing before 30 June each year.
Q: What backup policies and procedures does Vision6 have in place?
A: Backup and restoration tests are performed on an annual basis to ensure the recovery controls are effective.
Q: Is a full restoration of information possible within a reasonable timeframe in the event of an incident?
Q: Does Vision6 guarantee acceptable parameters for service provision in respect to possible disruptions, and what actions does Vision6 take in the event of service disruption?
A: Please refer to section 5. Services of our Terms & Conditions for details on managing service disruption.
Q: Does Vision6 inform customers of software or system migrations that may impact service or data?
Q: What measures are in place to allow Vision6 to do a complete restoration of customer records if needed?
A: We store redundant copies of customer data to ensure integrity and resilience. Our disaster recovery systems are designed so that we can quickly recover from the loss of a data centre or an entire region, and we test our disaster recovery plans regularly according to a schedule. Backups of your data are made at least every 24 hours, protected by industry-standard encryption, and stored locally as well as in multiple off-site locations.
Cyber Insurance Policy Protection
Q: Does Vision6 maintain Cybersecurity liability insurance?
A: Yes. Our insurance provides first- and third-party cyber cover.