Technical, Infrastructure, and Security
This article is a policy for the purpose of our mattero Platform Terms and Conditions.
mattero is a cloud-based service, meaning that the software and data are centrally hosted and accessed by clients using a web browser and internet connection. This document is intended to answer common questions around the infrastructure, security, and intellectual property rights associated with the software and the data.
mattero takes data protection and security very seriously and follows generally accepted best practices to ensure that clients’ data is backed up and protected against unauthorised access.
Hosting Environments
mattero uses Microsoft Azure infrastructure to provide secure, reliable, and scalable access to its software and data. mattero infrastructure is hosted in Microsoft Azure’s Australia East (Sydney) and Australia Southeast (Melbourne) datacentres.
Microsoft Azure security specifications can be found here.
Microsoft Azure compliance details can be found here.
System Availability, Data Protection, and Security
Availability
mattero has been designed to be a highly available solution, leveraging services across primary (Microsoft Azure Australia East) and secondary (Microsoft Azure Australia Southeast) datacentres.
In the event of service interruption to the primary datacentre, mattero services will be transitioned to operate from the secondary datacentre.
Data Protection and Security
mattero servers are backed up daily, weekly, and monthly. We adhere to best practice policies and procedures to prevent data loss, including a frequent system data backup program, but we do not guarantee that there will be no loss of Data.
mattero uses reasonable efforts within our direct control to protect your data. We maintain appropriate administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of your data.
mattero maintains a program for managing unauthorised disclosure or exposure of your data stored by or accessed through the Services. The mattero Breach Response Plan follows the OAIC guidelines and is reviewed on an annual basis.
Data Encryption
Encryption-in-Transit
mattero is accessed via HTTPS using Transport Layer Security (TLS). TLS is a cryptographic protocol designed to protect information transmitted over the internet against eavesdropping, tampering, and message forgery.
Encryption-at-Rest
mattero uses a combination of different data storage services in Azure for different types of data. The data stores for user authentication and the data store for documents and files utilise data-at-rest encryption.
The data store for all other data currently does not use data-at-rest encryption, but the physical disks are protected within Microsoft's secure datacentre. mattero is looking into moving to fully encrypted-at-rest data storage in the future.
Details on Azure Data Encryption-at-Rest can be found here.
User Authentication
mattero supports multiple methods for user authentication:
- mattero User Account
- Microsoft Account (Live ID or Azure Active Directory)
- Google Account
If using mattero with a Microsoft or Google account, users will inherit any password or authentication policies enforced by these services, including multi-factor authentication.
Information Policies
Data Retention Schedules
The data contained in mattero remains the property of the licensed subscriber. At the end of the agreement with mattero, mattero will retain the primary source of data for a 90-day period before having it destroyed. During an active subscription, a user has the ability to export key content from mattero.
All copies of data and backups of the data may remain in mattero archives as part of our standard retention policies.
Security Testing, Maintenance, Patches, and Updates
The team at mattero aims to deliver error-free services; however, errors may occur throughout the life of our services. As part of our service, regular maintenance, patching, updates, and upgrades are provided to the system components within our platform.
mattero reviews our system components on a regular basis to ensure we utilise these components in good support standing. As a priority, patches and updates are focused towards systems that are ending standard support, security updates and patches that relate to performance improvements, and critical bug fixes.
mattero utilises several methods to protect our services, including "top-down" security assessments through threat modelling and analysis, as well as "bottom-up" code-level threat detection through static analysis, dynamic analysis, and manual penetration testing contracted through independent third-party contractors.
mattero reviews vulnerability notices from third-party vendors and independent sources on a regular basis. Because mattero operates in a serverless environment, we have peace of mind that Microsoft Azure directly manages all patching and maintenance of Operating Systems, VMs, and Servers.
For critical notices, we assess the impact to our services and develop a patch implementation plan. The patch implementation process may include such activities as reviewing applicability, assigning severity/priority, testing and evaluation, functional/security/performance impact analysis, approval, implementation, and documentation.
Most patches and updates are deployed following an 'uninterrupted' approach, allowing users to be active within the service. These deployment techniques aim to deliver a highly available service that reduces downtime for the users.
If the application of a patch or update is required to ensure immediate system stability or security, the mattero team will apply it as soon as possible.
If the application of the patch or update entails a service interruption, a notice to our customers is issued (via in-app messaging). The mattero team endeavours to apply patches and updates during off-peak hours, when feasible, so as to minimise disruptions in service for our users.
Once brought to our attention, mattero's security policies require that patches for high-risk issues be implemented within 30 days, with a target of 5 days for critical issues, to minimise exposure to impacts of vulnerabilities.