Security Policy

Security

SAM.Coach Pty Ltd (“SAM.Coach”, “We” or “Our”) offers secure services that help users address their business challenges. Our emphasis on security is evident in our processes and products and reflected in our people. This page describes our data, operational and infrastructure security measures and demonstrates our commitment to safeguarding our customers’ data.

These measures apply to all employees, contractors, and users who have access to our company’s website or are involved in the development and maintenance of the website.

Organizational Security

Our Policies and Procedures for Protecting Customer Data

We want to assure you that security is a top priority for us here at SAM.Coach. That is why we have implemented an Information Security Management System (ISMS) to ensure that all customer data is handled with the utmost care and protection.

Our ISMS takes into account our security objectives and the risks to all involved parties, including our customers. We strictly follow policies and procedures to ensure the security, availability, processing integrity, and confidentiality of customer data.

Our Comprehensive Approach to Ensuring Employee Trustworthiness

We conduct background checks on all new hires using reputable agencies to verify their criminal, employment, and education history. This is crucial to ensure that we only hire qualified and trustworthy individuals. No employee is assigned tasks that may pose risks to users until the background check process is complete. It’s one of the many measures we take to maintain a safe and secure environment for our customers.

Employee Onboarding and Continuous Education on Security, Privacy, and Compliance

As part of our employee onboarding process, new hires sign confidentiality and acceptable use agreements, then receive training on security, privacy, and compliance. Additional training is provided on relevant security topics if needed. We prioritize continuous education and awareness among our employees, updating employees on security practices through our internal community and hosting events to promote innovation and awareness in security and privacy.

Security and privacy experts

Our security and privacy programs are implemented and managed by specialized experts who are responsible for maintaining and engineering our defense systems, as well as developing security review processes and continuously monitoring our networks for suspicious activity. Additionally, they offer engineering teams domain-specific guidance and consulting services to ensure the highest levels of security and privacy are maintained.

Maintaining Stringent Security Standards for Employee Workstations and Mobile Devices at SAM.Coach

SAM.Coach issues employees workstations that run the latest Operating System (OS) version and carry anti-virus software, in line with our security standards. All workstations are configured, patched, and monitored by SAM.Coach’s endpoint management solutions so that they stay compliant with our security protocols. They are secure by design, with encryption of data at rest, strong password policies, and automatic locking when idle. Mobile devices used for business purposes are enrolled in our mobile device management system so that they meet the same standards.

Infrastructure security

Network security measures

Our network security measures incorporate multiple layers of protection to safeguard our infrastructure. We utilize firewalls to block unauthorized access and unwanted traffic from penetrating our network. To protect sensitive data, we segment our systems into different networks. Testing and development systems are hosted on a separate network from SAM.Coach’s production infrastructure.

We have a strict, regular schedule for monitoring firewall access, and a network engineer reviews all changes made to the firewall daily. The IT department monitors the infrastructure and applications for any discrepancies or suspicious activities. We continuously monitor essential parameters using our proprietary tool, and alerts are generated in the event of any abnormal or suspicious activities within our production environment.

Network redundancy

SAM.Coach has implemented redundancy measures for all components of its platform. Our distributed grid architecture protects the system and services from server failures. In the event of a server failure, users can continue accessing their data and using SAM.Coach services without any interruptions. We also ensure device-level redundancy by utilizing multiple switches, routers, and security gateways, thus preventing single-point failures in the internal network.

DDoS prevention

To prevent DDoS attacks on our servers, we rely on technologies provided by reputable service providers. These technologies come with various capabilities for mitigating DDoS attacks, allowing legitimate traffic to flow while blocking malicious traffic. As a result, our websites, applications, and APIs remain highly available and responsive.

Server hardening

All servers, including those provisioned for development and testing, are hardened before use: unused ports and accounts are disabled, default passwords are removed, and further security measures strengthen the system’s defences. These settings are built into the base OS image that is provisioned onto every server, so all servers start from the same secure configuration.

Data security

Secure by design

To ensure that any modification or addition to our applications is authorized before deployment to production, we follow a change management policy. Our Software Development Life Cycle (SDLC) requires that we follow secure coding guidelines and review code changes for security concerns through code analyzers, vulnerability scanners, and manual assessments.

Data isolation

Our cloud framework is responsible for managing and distributing the cloud storage space for our clients. To ensure complete security and privacy of each customer’s data, the framework uses a set of secure protocols to logically separate it from other customers’ data. This ensures that no customer can access another’s service data.

When you use our services, your service data is stored on our servers. We want to reassure you that you are the sole owner of your data and SAM.Coach does not claim ownership. We have strict policies in place to safeguard your data and it will not be shared with any third-party without your prior consent.

Encryption

During data transmission: To protect our customers’ data when it travels over public networks, we use strong encryption protocols. We require all connections to our servers, including web access, API access, and IMAP/POP/SMTP email client access, to use Transport Layer Security (TLS 1.2/1.3) with strong ciphers. TLS authenticates our server to the client through its certificate and encrypts the data in transit. Our email services use opportunistic TLS by default, which encrypts mail between mail servers whenever the receiving server supports it and so protects that hop against eavesdropping; because opportunistic TLS falls back to plaintext when the peer does not offer TLS, it guards against passive interception rather than an active downgrade.

To keep this protection in place for future visits, we enable the HTTP Strict Transport Security (HSTS) header on all our web connections, which instructs modern browsers to connect to us only over an encrypted connection. We also mark all our authentication cookies with the Secure flag, so browsers never send them over plain HTTP.
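The transport controls above (a TLS 1.2 floor with AEAD cipher suites, an HSTS header on every response, and a Secure, HttpOnly session cookie) together with the check a deployment test would run against them, as an added Go example written for this page; it is not SAM.Coach’s code, the `/login` route and the session token value are placeholders, and the six-month HSTS threshold in `Audit` is this example’s own choice:

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"time"
)

// Floor for the audit below: an HSTS max-age under six months is treated as
// ineffective (this example's threshold; browser preload lists require a year).
const minHSTSSeconds = 180 * 24 * 3600

// tlsConfig is the server-side floor for "TLS 1.2/1.3 with strong ciphers":
// no TLS 1.0/1.1, and for 1.2 only AEAD suites with ephemeral ECDH. Go picks
// the TLS 1.3 suites itself; CipherSuites only governs TLS 1.2 negotiation.
func tlsConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// secureHeaders adds Strict-Transport-Security to every response so browsers
// refuse plain-HTTP connections to this host and its subdomains from then on.
func secureHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

// sessionCookie builds an authentication cookie the browser sends only over
// HTTPS (Secure), hides from page scripts (HttpOnly) and omits from cross-site
// requests (SameSite). The __Host- prefix makes browsers enforce Secure and
// Path=/ with no Domain attribute, so a subdomain cannot overwrite it.
func sessionCookie(token string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{
		Name:     "__Host-session",
		Value:    token,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
		Expires:  time.Now().Add(ttl),
	}
}

// NewHandler wires a placeholder /login route behind secureHeaders.
func NewHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		// Placeholder token: a real server issues an opaque random session ID.
		http.SetCookie(w, sessionCookie("opaque-random-session-id", time.Hour))
		w.WriteHeader(http.StatusNoContent)
	})
	return secureHeaders(mux)
}

// hstsMaxAge parses the max-age directive of a Strict-Transport-Security value.
func hstsMaxAge(value string) (int, bool) {
	for _, d := range strings.Split(value, ";") {
		d = strings.TrimSpace(d)
		if strings.HasPrefix(strings.ToLower(d), "max-age=") {
			n, err := strconv.Atoi(strings.TrimSpace(d[len("max-age="):]))
			return n, err == nil
		}
	}
	return 0, false
}

// Audit is the check a deployment test runs on a response: it reports a
// missing or too-short HSTS policy and any cookie lacking Secure or HttpOnly.
func Audit(resp *http.Response) []string {
	var findings []string
	if n, ok := hstsMaxAge(resp.Header.Get("Strict-Transport-Security")); !ok || n < minHSTSSeconds {
		findings = append(findings, "Strict-Transport-Security missing or max-age below six months")
	}
	for _, c := range resp.Cookies() {
		if !c.Secure {
			findings = append(findings, "cookie "+c.Name+" lacks Secure")
		}
		if !c.HttpOnly {
			findings = append(findings, "cookie "+c.Name+" lacks HttpOnly")
		}
	}
	return findings
}

func main() {
	rec := httptest.NewRecorder()
	NewHandler().ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/login", nil))
	fmt.Println("findings:", Audit(rec.Result()), "TLS floor:", tlsConfig().MinVersion == tls.VersionTLS12)
}
```

Run `Audit` against a recorded response in a test: the hardened handler yields no findings, while a response that sets `max-age=0` and a cookie without Secure/HttpOnly yields three.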

When customer data is stored in our system, we encrypt it using the 256-bit Advanced Encryption Standard (AES). Which data is encrypted depends on the services the customer has chosen. We manage encryption keys with our own Key Management Service (KMS), which adds a further layer of protection: each data encryption key is itself encrypted under a master key, so stored data can only be read after its key has been unwrapped. Master keys and data encryption keys are stored separately, on different servers with restricted access.
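The key hierarchy just described, as an added Go example written for this page (not SAM.Coach’s KMS code): each record gets its own AES-256 data encryption key (DEK), the DEK is wrapped under a master key that would live on the key-management server, and only the wrapped DEK travels with the ciphertext. The master key ID is assumed to be a label the KMS uses to find the right key on rotation; binding it into the wrapped DEK’s authentication tag is this example’s design choice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the storage layer keeps alongside one record: the record
// encrypted under its own data encryption key (DEK), and that DEK encrypted
// ("wrapped") under a master key that stays on the key-management server.
// MasterKeyID names the master key so key rotation can find the right one.
type Envelope struct {
	MasterKeyID string
	WrappedDEK  []byte // AES-256-GCM(masterKey, DEK): nonce || ciphertext || tag
	Ciphertext  []byte // AES-256-GCM(DEK, record):    nonce || ciphertext || tag
}

const keyLen = 32 // 256-bit keys for both master keys and DEKs

func gcmFor(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and binds aad
// into the authentication tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag, key or aad fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt draws a fresh DEK for this record, encrypts the record with it, then
// wraps the DEK under the master key. The master key ID is bound into the
// wrapped DEK's tag, so a wrapped DEK cannot be re-labelled for another key.
func Encrypt(masterKey []byte, masterKeyID string, record []byte) (*Envelope, error) {
	dek := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, record, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(masterKey, dek, []byte(masterKeyID))
	if err != nil {
		return nil, err
	}
	return &Envelope{MasterKeyID: masterKeyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the master key and then decrypts the record.
// A wrong master key or a tampered envelope fails closed with an error.
func Decrypt(masterKey []byte, env *Envelope) ([]byte, error) {
	dek, err := open(masterKey, env.WrappedDEK, []byte(env.MasterKeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, nil)
}

func main() {
	// Constructed sample: a random master key standing in for the KMS's key.
	master := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, master); err != nil {
		panic(err)
	}
	env, err := Encrypt(master, "master-2024-q1", []byte("customer record"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(master, env)
	fmt.Printf("recovered %q (err=%v); wrapped DEK is %d bytes\n", pt, err, len(env.WrappedDEK))
}
```

Because only the wrapped DEK is stored with the data, rotating the master key means re-wrapping the small DEKs rather than re-encrypting every record, and a database copy on its own is useless without access to the master key server.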

Data retention and disposal

SAM.Coach retains your account data for as long as you continue to use our services, and we remove it once you terminate your user account. The active database is cleaned up every six months, and data removed from it is then deleted from backups within three months. If your account remains inactive and unpaid for a period of 120 days, we may terminate it after notifying you and giving you the opportunity to back up your data. We take the disposal of unusable devices seriously and use verified and authorised vendors to carry out the process. We securely store the devices until they are disposed of, and any information they contain is erased before disposal. Failed hard drives are degaussed and physically destroyed with a shredder, while failed solid state drives (SSDs) are crypto-erased and shredded.

Operational security

Logging and Monitoring

We keep a close eye on the information gathered from various sources, such as services, network traffic, and device usage, and record it in different log types including event logs, audit logs, fault logs, administrator logs, and operator logs. Our logs are analyzed regularly to detect any abnormal activities such as unauthorized access to customer data or suspicious behavior by employees. To maintain their security, these logs are stored on a secure server that is isolated from full system access and centrally managed for access control and availability.

SAM.Coach services provide detailed audit logs that cover all update and delete operations performed by the user.

Vulnerability management

We have implemented a vulnerability management process that involves both internal and external scanning tools, as well as automated and manual penetration testing. Our IT department also keeps a close watch on public sources for any security issues that may affect our infrastructure.

When a vulnerability is detected, it is logged and given a priority level based on its severity. The vulnerability is then assigned to an owner who is responsible for addressing it. We also assess any associated risks and track the vulnerability until it is fully resolved either by patching the affected systems or implementing the necessary controls.

Malware and spam protection

We utilize an automated scanning system to scan all user files within the SAM.Coach ecosystem, with the goal of preventing the spread of malware. Our anti-malware engine is regularly updated with external threat intelligence sources, and it scans files against known blacklisted signatures and malicious patterns. Additionally, our proprietary detection engine, which incorporates machine learning techniques, adds an extra layer of protection for customer data against malware.

As part of our efforts to prevent spam and spoofing, SAM.Coach supports Domain-based Message Authentication, Reporting, and Conformance (DMARC). DMARC builds on SPF and DKIM: a message passes only if at least one of those checks succeeds for a domain aligned with the visible From address, and the published DMARC policy tells receiving servers what to do with mail that fails. We also leverage our proprietary detection engine to identify any abuse of SAM.Coach services, such as phishing and spam activities. Furthermore, we have a dedicated anti-spam team that monitors signals from the software and addresses abuse complaints.
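As an added illustration for this page (not a record published by SAM.Coach, whose actual policy setting the page does not state), a DMARC policy is a DNS TXT record at `_dmarc.<domain>`; `example.com` and the report mailbox below are placeholders. The two records show the monitoring-only and the enforcing ends of the policy scale:

```dns
; Monitoring only: receivers send aggregate reports but still deliver mail
; that fails authentication, so spoofed mail is observed, not stopped.
_dmarc.example.com.  IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

; Enforcing: mail that fails both aligned SPF and aligned DKIM is rejected;
; adkim=s and aspf=s require the exact domain rather than a subdomain.
_dmarc.example.com.  IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"
```

A domain normally starts at `p=none`, reviews the aggregate reports to find legitimate senders that still fail alignment, and only then moves to `p=quarantine` and finally `p=reject`; publishing `p=reject` before every legitimate sending service signs with aligned DKIM will bounce the domain’s own mail.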

Backup

Every day we perform incremental backups, and once a week we perform full backups of our databases. The backup data is stored in the same location as AES-256-encrypted tar.gz archives. We keep all backed-up data for three months, and if a customer requests data recovery within that retention period, we restore their data and provide secure access to it. The restoration timeline depends on the size of the data and the complexity involved.

To protect backed-up data against disk failure, our backup servers use a redundant array of independent disks (RAID). All backups are scheduled and tracked; if one fails, we re-run it and fix the cause immediately.

We strongly recommend that you schedule regular backups of your data by exporting it from the relevant SAM.Coach services and storing it locally in your infrastructure to ensure the safety of your data.

Incident Management

Reporting

SAM.Coach tracks each incident to closure with corrective actions and implements controls to prevent recurrence. We notify affected parties with suitable actions and, where applicable, provide evidence in the form of application and audit logs.

SAM.Coach responds promptly to any security or privacy incidents reported to us through [email protected]. For general incidents, we notify users through blogs and social media. For incidents that are specific to an individual or an organisation, SAM.Coach notifies the affected party by email, using the primary email address of the registered Organisation administrator.

Data breach notification and response in compliance with Privacy Act

Under the Notifiable Data Breaches scheme of the Australian Privacy Act, we, as data controller, are obliged to notify the Office of the Australian Information Commissioner (OAIC) of an eligible data breach as soon as we become aware of it and, within 30 days, to provide a statement describing the nature of the breach, the individuals affected, and the steps we have taken to address it. We also notify the affected individuals where the breach is likely to result in serious harm to them, and where we act as data processor we inform the data controller without delay.

Vulnerability Disclosure

At SAM.Coach, we value our customers’ security and strive to maintain a secure platform. To achieve this, we work with the security community to verify and respond to reported vulnerabilities. If you discover a vulnerability, please report it to us via our website at https://sam.coach, or email us directly at [email protected]. Our dedicated team will investigate and address the issue promptly to ensure the safety and security of our users.

Vendor and Third-party supplier management

Our vendor management policy requires us to assess and qualify our vendors before onboarding them. We assess the risk involved and understand their service delivery processes. Our commitment to confidentiality, availability, and integrity is reinforced by agreements with vendors that require them to maintain the same level of security we have promised to our customers. We periodically review the vendors’ controls to ensure they are working effectively.

Customer controls for security

The previous sections covered the security measures we take to protect our customers. The following actions help you secure your account from your end:
  • Safeguard your password by choosing a unique and robust one.
  • Use multi-factor authentication for extra protection.
  • Keep your browser, mobile operating system, and applications updated to mitigate vulnerabilities and leverage the latest security features.
  • Use caution when sharing data from our cloud environment.
  • Categorize your information as personal or sensitive, and label it accordingly.
  • Monitor devices linked to your account, active web sessions, and third-party access to detect unusual activities and manage account roles and privileges.
  • Stay vigilant of phishing and malware threats by scrutinizing unfamiliar emails, websites, and links that may exploit your sensitive information by impersonating SAM.Coach or other trusted services.

Conclusion

Maintaining the security of your data is a perpetual goal of SAM.Coach, and it is your right. We will persist in our efforts to ensure that your data remains secure, as we always have. If you have any further questions about this matter, please contact us at [email protected].

Review and Update

This policy will be reviewed annually and updated as needed to ensure that it reflects the current state of website security practices. Any necessary revisions will be made promptly to reflect changes in the threat landscape or our business operations.