Theta is certified as compliant with ISO 27001, the gold standard in information security management. This extends to all our products, including EVA Check-in too.
The EVA Check-in application is a SaaS web application hosted in Microsoft Azure data centres in Australia. This means that it inherits all the security controls available in Microsoft Azure, such as physical security of the data, disaster recovery and encryption. We use the Azure security best-practice controls and continuously monitor the application for confidentiality, integrity, and availability. All EVA Check-in Azure private resources comply with Azure’s built-in audit for ISO:27001:2013 security controls.
All EVA Check-in data is encrypted in transit and at rest. The web facing components of EVA Check-in are further protected by the Cloudflare Web Application Firewall. Cloudflare’s CDN and WAF help shield us from DDoS attacks as well as preventing a range of common exploits.
EVA Check-in administrator accounts can optionally make use of Microsoft Office 365 logins. This enables multi-factor authentication via Microsoft’s login controls if enabled (recommended).
Our Secure Development methodology ensures we build, test and maintain secure products. This means that EVA Check-in is regularly tested to ensure it is free from common vulnerabilities, including those described in the OWASP Top 10.
All code is scanned at the time of compilation and 3rd party libraries checked to ensure no known security issues are introduced. Regular, automated scans with a PCI-accredited security scanning solution provide external assessments of the solution on a regular cadence, alerting in the case any problems arise.
External automated attack surface monitoring scans are run weekly using Glasstrail to look for any new issues. In addition to automated scans, we have completed multiple, independent penetration tests on the product including the website and mobile apps.
EVA Check-in has strong built-in controls that help you manage the privacy of data you collect. This includes:
· Data masking – we obscure personal information by default, and record who accesses it when it needs to be seen.
· Data retention – we provide full control over data retention. Customers can choose specific retention policies to align with different visitor types – e.g. you can specify a 30-day retention for general guests and a 90-day retention for contractors.
· Control over what is collected - we give customers control over what data that is collected, per visitor type and per site, so only the necessary amount of data is collected.
· Admin access – fine grained security roles in the platform let you grant access to people for specific sites and specific duties. We support Microsoft O365 logins for EVA Check-in accounts which means easier onboarding and offboarding when people leave your organization.
· Customer service access - our customer services team does not have, nor require access to the personal information in your check-in data to provide support.
Many visitor systems autocomplete the details of returning visitors. While this is convenient it means personal data is exposed to others who use the kiosk – either intentionally or unintentionally searching by name. EVA Check-in offers our mobile apps, geofences, and reusable passes as alternative ways of speeding up repeat check-ins without leaking data. For added privacy, you can optionally disable autocomplete on sign out.
Need a PDF copy of our security standards? You can request it here.