Privacy, security + compliance
Award Force uses best practice security measures to protect you,
your company, your judges + entrants, and their personal data
You’re concerned about security. So are we.
We are confident that we have one of the most secure online application + evaluation solutions worldwide.
If not the most secure.
The Award Force application and hosting stack have been architected with security practices and features built in so you’ll never have to worry about the security of data stored in Award Force.
Our multi-server architecture is secured in a Virtual Private Cloud (VPC). There is no access via FTP. Server access is only possible by authorised staff via SSH key-based authentication through VPN access to our VPC.
Access to our AWS infrastructure is only available to authorised Award Force staff and is governed by Identity and Access Management (IAM) and multi-factor authentication (MFA).
All our application stack physical infrastructure and data storage is within Amazon Web Services (AWS) data centres in the EU. AWS data centre and network architecture are built to comply with stringent global standards such as SOC 1, SOC 2, SOC 3, and Cloud Security Alliance Controls. These standards meet the requirements of the most security-sensitive organisations.
AWS data centres are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilising video surveillance, intrusion detection systems and other electronic means.
In keeping with best-practice security, all data at rest (in our databases and media stores) is stored encrypted. All data in transit (including login credentials and credit card details for paid entry awards) is protected using TLS 1.2 (HTTPS) by default, with 256-bit encryption keys and SHA-256 signed certificates.
Encrypted personal data
Personal data, sometimes referred to as Personally Identifiable Information (PII), is information that can be used to uniquely identify, contact or locate a single individual. Keeping PII secure is dictated by various regulations and privacy laws internationally. Additional layers of encryption can be applied for elevated security on sensitive data fields.
Role and permission-based access control
Award Force has an extensible system for defining user roles and associated system use permissions so that users can only access functionality they’re permitted to, whether they be entrants, judges, coordinators or managers.
Optional multi-factor authentication
Individual users can choose to increase protection of their account against unauthorised access by enabling multi-factor authentication (MFA). MFA can also be required for specific roles with elevated access levels.
The primary authentication method after password is a Time-based One-Time Password (TOTP). Backup recovery methods include recovery codes and SMS.
User account access is password protected. Passwords are stored with one-way bcrypt hashing. As a result, the original password can never be read, seen or recovered by anyone, even those with direct access to the system database.
A minimum password length of 12 characters is enforced. We do not have a minimum complexity requirement as that has been demonstrated to reduce security.
Credit card data
Award Force integrates directly with 3rd-party payment gateways for credit card payment handling on paid entries.
User credit card details are never stored in Award Force databases. They are passed directly to the payment gateway.
Our PCI-DSS attestation certificate is listed in the certifications and documentation section below.
Award Force performs rigorous security testing including risk analysis, automated scanning, and third-party vulnerability and penetration testing. In the unlikely event a security incident or data breach occurs, we have a best-practice resolution path in place and will alert account owners by email immediately.
If clients wish to perform their own penetration testing, we will be happy to facilitate this on a special-purpose non-production clone stack by arrangement. Our most recent penetration testing certificate is available on request.
Award Force is extremely privacy conscious. Our staff work together to handle your data responsibly and ensure your right to privacy is maintained at all times. Our product is also designed to help you comply with local privacy laws by offering choice in data storage region.
When it comes to your data hosting location, you have the freedom to choose between several supported regions. Learn more about how you can control the location of your data by visiting our data residency page.
We’ve developed and implemented comprehensive processes, privacy safeguards and ongoing training for our teams to ensure we are following best-practice data handling procedures.
Data regulation compliance
Award Force is packed full of features to help you maintain compliance with requirements under the various regulations listed below. Our team regularly works to expand our compliance coverage to help you meet your compliance needs.
General Data Protection Regulation (GDPR)
GDPR stands for the General Data Protection Regulation and is effective as of May 25th, 2018.
GDPR replaces national privacy and security laws that previously existed within the EU with a single, comprehensive EU-wide law that governs the use, sharing, transfer and processing of any personal data that originates from the EU.
Lei Geral de Proteção de Dados (LGPD)
The Lei Geral de Proteção de Dados (LGPD) is a new Brazilian privacy law that went into effect on 18 September 2020, but enforcement will not start until August 2021. Like the GDPR, it regulates the collection, use, processing, storage and transfer of the personal data of Brazilian data subjects.
Award Force is committed to complying with the requirements of the LGPD, and we will analyze the requirements of this new law and update our policies and materials where needed.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act is applicable to California residents and is effective from 1 July 2020. Award Force recognises California has recently passed an addendum to the CCPA known as the California Privacy Rights Act (“CPRA”). As with the LGPD, we will analyze the additional requirements and update our policies and materials where needed.
Australian Privacy Principles
The primary legislation that governs privacy in Australia is the Privacy Act 1988 (Cth). The cornerstone of the Act is the Australian Privacy Principles (APP). These principles replaced the previous National Privacy Principles in March 2014.
Awards programs deal in integrity, stability and trust, and are mission-critical projects. As such, Award Force has been architected and is maintained to be as dependable as possible. We are committed to delivering a service which is stable, secure at scale, readily available and recoverable.
Business continuity and disaster recovery
In the event of a disruption to our operations, our business continuity and disaster recovery plan is in place and ensures minimal impact on our clients and their programs.
Award Force is built on industry-leading cloud infrastructure from AWS. It is designed with redundancy and failover systems, and is dependable and optimised for performance.
Award Force is built to respond to increased client data and user loads, fast. Our platform performs consistently and predictably, even under high volumes.
Since 2016, Award Force clients have enjoyed more than 99.96% service availability. The majority of downtime was for scheduled maintenance, which we communicated well in advance. We hold ourselves to these high standards on an ongoing basis.
Real-time system status, detailing the status of various components of the platform as well as the platform as a whole, is readily available from our open and publicly accessible status page.
Certifications + documentation
Use our responses to the CAIQ to fast-track your assessment of our security profile, or download our ISO/IEC 27001 or PCI-DSS attestation certificates below.
The Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 offers an industry-accepted way to document what security controls exist in IaaS, PaaS and SaaS services, providing security control transparency.
Award Force has been independently audited and verified to fulfil the requirements of the ISO/IEC 27001:2013 standard.
Frequently asked questions
Award Force uses Amazon Web Services (AWS) infrastructure to host the system. Our application and database servers are located in the European Union, the United States of America and Australia. For security reasons, Amazon does not publish the physical locations of their data centres.
Yes, custom domains are available on the Pro plan.
The Award Force application is packed full of features to help clients maintain GDPR, CCPA, LGPD and APP compliance.
Yes, our ISO 27001 certificate and PCI-DSS attestation are freely available above, and we are more than happy to pass along our most recent penetration test results. Please get in contact if you'd like to receive a copy.