Spotlight Reporting Limited is committed to protecting customers’ data from unauthorised access, modification or disclosure. We comply with legislation covering security and privacy of customers’ data in all major countries where Spotlight Reporting Limited is available.
Spotlight Reporting Limited uses a world-class network, data and physical security environment to ensure the highest level of security. We continuously review and reinforce our security policy and procedures.
Here are some of the steps we take to protect customers’ information against unauthorised access and system failures.
Title to, and all intellectual property rights in, the data remain the property of the customer. Customers can manage access to their data and can delete an organisation within Spotlight Reporting Limited at any stage. When they delete an organisation that was imported from a cloud accounting system, Spotlight Reporting Limited also deletes any associated access tokens, so we can no longer access that organisation’s data through the accounting provider’s API. The data remains in our offsite backups for a limited retention period and is then removed; once that period ends, no copy of the organisation’s data remains with Spotlight Reporting Limited.
All data, including personal and non-personal information, that is entered into a customer’s subscription by them, or automatically imported on their instruction, is transferred to Spotlight Reporting Limited’s servers as a function of transmission across the Internet. By using the customer’s subscription, they consent to their personal information being transferred to our servers as set out in this Policy.
All data transferred between the customer and their subscription is encrypted in transit using current encryption standards, comparable to those used for internet banking.
However, the Internet is not in itself a secure environment, so we cannot give an absolute assurance that customers’ information will be secure at all times. Transmission of personal information over the Internet is at the customer’s own risk. Customers should only enter, or instruct the entering of, personal information into the subscription from a secure environment.
We will advise customers at the first reasonable opportunity upon discovering or being advised of a security breach where their personal information is lost, stolen, accessed, used, disclosed, copied, modified, or disposed of by any unauthorised persons or in any unauthorised manner.
Spotlight Reporting Limited replicates customer data across fault-tolerant clusters of database servers.
Spotlight Reporting’s servers are located on the east coast of Australia. Customers’ personal information will be routed through, and stored on, those servers as part of their subscription.
By providing their personal information to Spotlight Reporting Limited, customers consent to Spotlight Reporting Limited storing their personal information on servers hosted in Sydney, Australia. While customers’ personal information will be stored on servers located in Sydney, Australia, it will remain within Spotlight Reporting Limited’s effective control at all times. The server host’s role is limited to providing hosting and storage to Spotlight Reporting Limited, and we have taken steps to ensure that our server host does not access customers’ personal information and that it is protected to the necessary level.
If a customer does not want their personal information to be transferred to a server located in Sydney, Australia they should not provide Spotlight Reporting Limited with their personal information or use the subscription.
We host our servers with Amazon Web Services (AWS). AWS holds both ISO 9001 (quality management) and ISO 27001 (information security management) certifications, and access to its data centres is restricted to authorised data centre technicians only, by a combination of biometric systems and 24/7 onsite security guards. Under AWS’s shared responsibility model those controls cover the physical and infrastructure layer; securing the operating systems, application and data that run on it remains our responsibility, and our team takes additional measures to maintain a secure infrastructure and application environment.
For more specific details regarding AWS security, please refer to https://aws.amazon.com/security/.
Spotlight Reporting Limited adheres to best practice policies and procedures to prevent data loss but does not make any guarantees that there won’t be loss of data. Spotlight Reporting Limited expressly excludes liability for any loss of data no matter how caused.
Backups are taken hourly and stored encrypted on fault-tolerant clusters of servers; daily backups are retained for a fortnight. Each company’s data is kept logically separate at the data tier, and access to it is governed by application-level permissions and roles.
Spotlight Reporting Limited’s servers and databases run in a high-availability configuration: redundant servers are kept active so that a single failure does not cause an outage.
We have an incident response plan in place and test it on a regular basis to ensure we are ready to act.
Customers can export their reports to Excel or PDF at any time, to get their data out of Spotlight Reporting.
The customer’s subscription may allow them or an invited user within this subscription to transfer data, including their personal information, electronically to and from third-party applications. Spotlight Reporting Limited has no control over, and takes no responsibility or liability for, the security practices or content of these applications. Customers are responsible for checking the security policy of any such applications.
Within each account, customers can provide user permission to others at a level of access they select. Administrators or Partners can invite or remove individual users from their account at any time.
Selected Spotlight Reporting Limited staff can also access a customer’s data for support purposes only, and only with that customer’s permission.
Spotlight Reporting Limited follows best practice in the transmission and storage of passwords. All users must choose a strong password. An automatic lockout is enforced when incorrect passwords are entered repeatedly. If a customer is inactive for an extended period while still logged in to Spotlight Reporting Limited, they are automatically logged out. Practices can choose how long a password can remain active, with forced expiry and password-reuse settings available.
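The controls listed above (lockout after repeated failures, idle-session logout, forced password expiry and a reuse history) are easy to describe and easy to get subtly wrong. The following is an added, self-contained illustration of how such a policy can be enforced; it is not Spotlight Reporting’s code, and the thresholds, the PBKDF2 work factor and the function names are assumptions chosen for the example.

```python
"""Account lockout, idle-session timeout, password expiry and reuse checks.

Illustrative example only: the parameter values below are assumptions for
this demonstration, not Spotlight Reporting's configuration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5                     # lock after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60                   # how long the lock lasts
SESSION_IDLE_SECONDS = 30 * 60              # auto-logout after this much inactivity
PASSWORD_MAX_AGE_SECONDS = 90 * 24 * 3600   # forced expiry
PASSWORD_HISTORY = 5                        # previous passwords that may not be reused
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000                 # kept low so the demo runs quickly; use a higher work factor in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    password_set_at: float
    history: list = field(default_factory=list)   # earlier (salt, digest) pairs, newest first
    failed_attempts: int = 0
    locked_until: float = 0.0
    last_activity: float = 0.0                    # 0.0 means no active session


def create_account(password: str, now: float) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, digest=hash_password(password, salt), password_set_at=now)


def login(account: Account, password: str, now: float) -> str:
    """Returns 'locked', 'bad_password', 'password_expired' or 'ok'."""
    if now < account.locked_until:
        # Refuse before checking the password: a locked account must not act as an oracle
        return "locked"
    candidate = hash_password(password, account.salt)
    if not hmac.compare_digest(candidate, account.digest):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_attempts = 0
        return "bad_password"
    account.failed_attempts = 0          # success resets the counter
    account.last_activity = now          # session starts
    if now - account.password_set_at > PASSWORD_MAX_AGE_SECONDS:
        return "password_expired"        # credential is correct but must be changed before use
    return "ok"


def touch_session(account: Account, now: float) -> bool:
    """Called on every request; returns False (and ends the session) once the idle limit passes."""
    if now - account.last_activity > SESSION_IDLE_SECONDS:
        account.last_activity = 0.0
        return False
    account.last_activity = now
    return True


def set_password(account: Account, new_password: str, now: float) -> str:
    """Returns 'too_short', 'reused' or 'ok'; rejects the current and recent passwords."""
    if len(new_password) < MIN_PASSWORD_LENGTH:
        return "too_short"
    previous = [(account.salt, account.digest)] + account.history
    for salt, digest in previous:
        # Re-hash with each stored salt; the old plaintexts are not retained
        if hmac.compare_digest(hash_password(new_password, salt), digest):
            return "reused"
    account.history = previous[:PASSWORD_HISTORY]
    account.salt = os.urandom(16)
    account.digest = hash_password(new_password, account.salt)
    account.password_set_at = now
    return "ok"
```

Two design points worth noting: a locked account is rejected before the password is checked, so an attacker cannot use the lock window to distinguish a correct guess, and reuse is detected by re-hashing the candidate under each stored salt rather than by keeping old passwords in any recoverable form.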
External access to our servers is restricted to a small number of Spotlight Reporting staff, through Multi-Factor Authentication, IP restriction and username and key pairs. These systems and processes are configured and monitored according to industry best practice. Our own internal office networks are isolated from customer data by design.
Spotlight Reporting Limited engages independent security specialists to review and audit our security. This includes penetration testing, source code reviews and automated port scanning of our servers.
Spotlight Reporting Limited performs background checks before hiring workers and removes their access to systems and facilities when they leave our employment. Only authorised individuals access a customer’s information, and only when it is necessary to complete a task for that customer and the customer has allowed it.
We provide privacy and security training to all employees on hiring. Thereafter, employees take security training annually and privacy training bi-annually.
Customers can stay protected by following these steps:
Create a password nobody can guess: no dictionary words or family names. Be cryptic, or use a multi-word passphrase; these are easy to remember and hard to crack.
Don’t share a password with anybody.
Don’t write a password on a sticky note and attach it to a computer.
Keep browser software up to date.