Security
Last reviewed: January 2025
Safeguarding information security is at the heart of Forbury’s operations. Our comprehensive Information Security Management System (ISMS) spans all data, systems, employees, and service providers. This system is integral to our daily functions and successful business performance. We maintain privacy, integrity, and accessibility of data through strong security policies, procedures, and risk assessments. Information Security is a shared responsibility across the entire team.
We also recognize the importance of partnerships with key organizations like Microsoft, our primary hosting partner. For details on Microsoft’s security protocols, visit their information security page Microsoft Business Security.
Protecting your Content
Hundreds of customers trust Forbury with their data, a responsibility we take very seriously. We maintain strong administrative, technical, and physical safeguards to ensure the security, confidentiality, and integrity of our customers' information.
Data Security
We prioritize the confidentiality and integrity of our customer's data with industry best practices. Our databases, hosted in Microsoft Azure data centres, utilize at-rest encryption including Transparent Data Encryption (TDE) for Azure SQL Database, securing stored data from unauthorized or offline access. For Microsoft Azure’s security details, see their official pages.
Data Accessibility
Access to confidential data is strictly controlled. It is available only to the individual who uploaded it or to team/fund members with explicit permission. Forbury Sharing allows data sharing with approved third parties, as per user settings. Our employees access data through individually secured logins, with one-way encrypted passwords, Single Sign-On (SSO) and Multi-Factor Authentication (MFA) for enhanced account security.
Server and Data Storage
We utilize Microsoft Azure Data Servers in Australia, with geo-replication for backup, and secure data storage. Our Portal’s encrypted database adheres to the highest standards of data protection.
Data Handling
Our data collection is minimal, transparent, and user-centric, offering data sharing choices. Forbury does not share or sell your data, nor do we use it for benchmarking or data mining. In the event of discontinuation of our services, we can permanently delete all sensitive data related to you upon request. The table below shows your options when sharing your data with us:
We collect your data for: | Why do we collect your data? | Does this require your data to be stored? | How can your data be removed? |
|---|---|---|---|
Model Calculations | Product development, error detection and testing | No | Calculation logs can be removed by requesting Forbury |
Backup and Restore | Enable the ability to migrate inputs into new models | Yes | Users can delete uploaded data |
Portfolio Reports | Consolidate property information and the ability to refresh reports with latest information | Yes | Users can delete uploaded data |
Sharing | To facilitate the transfer of data to nominated 3rd party users | Yes | User can delete uploaded data. Receiving parties may hold your data in our system |
Sale Evidence | To provide a sale database service with comparison and report functionality | Yes | Users can delete uploaded data |
Activity Logs | Audit, support, records | Yes | Cannot be removed |
Outsourced Partner Security
We ensure secure and accurate operation of information processing through partnerships with reputable third parties and outsourced partners, underpinned by formal contracts and strong Service Level Agreements (SLAs). These agreements cover service quality, security, and response strategies for disruptions or incidents. A key partner is Microsoft Azure, providing infrastructure and services like automated threat detection and data retrieval, all compliant with various regulations.
Encryption and Password Management
We use Microsoft Azure Security Services for encryption of data at rest and protect data in transit between Forbury software and servers using HTTPS using 256-bit TLS encryption. Password security is managed through the ASP.NET Core Data Protection framework with one-way encryption and multi-factor authentication enforced. Passwords require lowercase, uppercase, non-alphanumeric and digit characters, with a minimum length of 8 characters. After 5 failed attempts user accounts are locked for 10 minutes.
Data Management
Our data is categorized as Public, Sensitive, or Confidential, with strict access based on 'least privilege.' Suppliers are thoroughly monitored, personal data collection is limited, with data stored securely in Microsoft Azure. Our Access Controls, Acceptable Use Policy and Customer Data Management strategy ensures our adherence to ISO 27001:2022 compliance including OAuth 2.0 authentication, responsible asset usage, secure handling and encryption of customer information, with options for anonymization or deletion. Regular compliance checks and secure disposal of hardware are key aspects of our data management system.
Service Reliability
Our risk management, coupled with our strong remote work infrastructure, proactive monitoring with Azure's storage solutions, and resilient backup strategies enables us to provide reliable, secure services for our customers.
Business Continuity
Our Business Continuity Plan, proven during the COVID-19 pandemic, includes remote work infrastructure and communication protocols. We proactively monitor and address service issues with our automated performance detection system, using Azure's storage solutions for secure and recoverable data management.
Backup Strategies
Our data protection strategy includes maintaining a continuously updated, geo-replicated database, and regular backups. This ensures minimal downtime in case of regional service disruptions. Should a database issue arise, we swiftly switch operations to our replicated database, until the primary database is restored.
Risk Management
Our risk management protocols follow ISO 27001 guidelines. We continuously identify, evaluate, and mitigate business risks through methods like risk assessments and audits, ensuring that our services remain reliable and secure.
Code Security
Adhering to ISO 27001:2022 standards, we ensure top-tier code security through secure development, mandatory security training, and strict incident management, aligning with global data protection regulations.
Secure Development
Our Technical Change Management System and adherence to OWASP guidelines ensure secure, high-quality code development techniques with regular code reviews and conducting comprehensive automated testing to ensure code development and security. Our software development lifecycle embeds security at every stage, from strategic planning and agile development to controlled releases and ongoing enhancement.
Security Training and Protocols
Ensuring comprehensive security coverage is important to us, we invest in regular security training, phishing attack identification and simulation tests for all employees. Regular vulnerability scanning, penetration testing and incident simulation testing are conducted. We ensure high network and computer system security in partnership with our IT Service Provider by implementing software monitoring, patching, data backup and recovery, and real-time monitoring for data breaches.
Confidentiality
Strict confidentiality standards are maintained by all personnel, including employees and contractors, who are expected to adhere to these standards, ensuring the secure handling of sensitive information and intellectual property.
Security Incident Management and Data Breach Response
At Forbury, we manage security incidents in line with ISO 27001. We actively monitor server traffic, unauthorized access and maintain detailed logs for both breach management and legal compliance. Security Incidents or Data Breaches are managed by our Security Incident Response Team (SIRT), engaging all team members and third parties as applicable.
Our Data Breach Response Plan focuses on quick containment, assessment, and response to data breaches, aiming to minimize harm. The SIRT lead handles investigation and risk assessment and informs senior management. Containment steps are taken immediately, and if necessary, services are interrupted. After containment, the breach is assessed and reported to relevant parties, including legal authorities, and affected individuals, The plan emphasizes evidence preservation and a post-resolution review to improve future responses.
Compliance
We comply with privacy and data protection regulations in the European Union, the United Kingdom, Australia, and New Zealand. Our approach includes legal and regulatory adherence, with detailed information about Privacy Policy on our website.
ISO Certification
Forbury’s ISMS is ISO 27001:2022 certified, reflecting our commitment to best practice security controls and information risk management.
Report a Security Issue
If you detect a security issue, please report it here for review.
If you have any further questions, please email us.