FAQ

Who is Planit Testing?

Planit is a software testing services and product company, and the leading provider of testing and QA services in Australia and New Zealand. We are an ISO 27001-certified organisation with over 300 ongoing clients and a presence in Australia, New Zealand, the UK, India and the Philippines. Planit is part of the wider NRI group.

Will Planit collect, process or store Personal Information and/or PII (Personally Identifiable Information) or other sensitive information?

Yes, although only very basic information. Client names are de-identified and are not used in our user tables or data store. We collect only user names and email addresses, for the purpose of logging into the system, and store no further personal information.

Does Planit rely on other third-party service providers to provide the service (e.g. AWS, Azure)?

The DoT application is built and hosted in AWS. The codebase is stored on GitHub.

Does Planit review DoT for security vulnerabilities and address any issues prior to deployment to production?

Yes. We run automated security analysis of backend and frontend software dependencies, and static code security analysis on all changes to the backend data platform. We perform penetration testing on every major release, and periodic security reviews in addition.

Are the findings of these audits prioritized and remediated in a timely manner based on their risk?

Yes. We review all findings and build a remediation plan based on their risk, which is validated by our Security team.

Does the organisation have a plan or framework for business continuity management or disaster recovery management?

Yes. Our Disaster Recovery Plan (DRP):

  • Was developed, and is maintained, as part of ISMS implementation, together with the capability to execute it, so that Planit can maintain its activities in the face of disruptive events.
  • Covers the corporate business-critical systems used globally within Planit.
  • Supports business continuity.
  • Is updated on an annual basis, and DR tests are run annually for business-critical systems.
  • Has the following primary purposes:
    • To establish Planit's Information Technology and Security Disaster Recovery Framework (IT and Security DR) in support of business resilience.
    • To support ISMS/ISO 27001 implementation activities and satisfy ISO 27001 certification requirements.

Is data periodically backed up with the confidentiality, integrity, and availability of backup data ensured?

Yes. S3 and DynamoDB are backed up with AWS Backup, and raw incoming data is retained in S3 buckets so that the main data store can be regenerated from it.

Backups run daily and are retained for six months. In addition, DynamoDB point-in-time recovery allows a table to be restored to any point within the recovery window rather than only to a daily backup.

The backup restoration process is tested periodically.

Does Planit have a retention policy? How long does Planit retain our data involved in DoT?

Yes. Data is currently retained for 24 months. The retention period can be altered on request.

What procedures are in place to test and remediate problems before changes are deployed to production?

We use GitHub Actions as a continuous deployment pipeline to deploy builds across several environments, each of which serves a different testing purpose.

We also have hundreds of automated unit, integration and end-to-end test cases, which are executed in each environment before a build reaches production.

Additionally, we use feature flagging, so a change can be deployed to production switched off and subjected to rigorous User Acceptance Testing (UAT) before it goes live for users.

Does Planit have procedures in place to ensure production data shall not be replicated or used in non-production environments?

This is achieved by keeping all production resources in a separate AWS account from non-production resources, with no permissions that allow interaction between the production and non-production accounts.
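Account separation only holds for as long as nothing grants a principal from the other account access, and such grants live in role trust policies and resource policies rather than in the account boundary itself. The script below is an added example (illustration only, not Planit's tooling) that scans policy documents for Allow statements whose Principal names another account or a wildcard; the account IDs and policy documents are constructed placeholders.

```python
"""Flag cross-account access grants in IAM trust policies and S3 bucket policies.

Added example for illustration; not Planit's tooling. Account IDs and the
sample policy documents below are constructed placeholders.
"""
import json
import re

PROD_ACCOUNT = "111111111111"     # assumed placeholder for the prod account
NONPROD_ACCOUNT = "222222222222"  # assumed placeholder for the non-prod account

# Captures the 12-digit account ID from an IAM/STS principal ARN.
_ARN_ACCOUNT = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def principal_accounts(principal):
    """Return the set of account IDs a policy Principal refers to.

    '*' is kept literally, since it means every AWS account. Service
    principals (e.g. backup.amazonaws.com) belong to no account and are
    skipped.
    """
    if isinstance(principal, dict):
        values = []
        for v in principal.values():
            values.extend(v if isinstance(v, list) else [v])
    elif isinstance(principal, list):
        values = principal
    else:
        values = [principal]

    accounts = set()
    for v in values:
        if v == "*":
            accounts.add("*")
        elif v.isdigit() and len(v) == 12:  # bare account ID (= account root)
            accounts.add(v)
        else:
            m = _ARN_ACCOUNT.match(v)
            if m:
                accounts.add(m.group(1))
    return accounts


def cross_account_grants(policy, own_account):
    """Return [(Sid, account)] for Allow statements that grant access to a
    principal outside own_account. Conditions are not evaluated, so a finding
    means "review this statement", not "this is definitely reachable"."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or "Principal" not in st:
            continue
        sid = st.get("Sid", f"Statement{i}")
        for acct in sorted(principal_accounts(st["Principal"])):
            if acct != own_account:
                findings.append((sid, acct))
    return findings


def audit(policies, own_account):
    """policies: {name: policy document (dict or JSON string)}.
    Returns {name: findings} for every document with a cross-account grant."""
    report = {}
    for name, doc in policies.items():
        if isinstance(doc, str):
            doc = json.loads(doc)
        hits = cross_account_grants(doc, own_account)
        if hits:
            report[name] = hits
    return report


# Constructed sample documents (not taken from any real account).
SAMPLE_POLICIES = {
    "role/github-actions-deploy (trust)": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OwnAccountCI", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{PROD_ACCOUNT}:role/ci-runner"},
             "Action": "sts:AssumeRole"},
            {"Sid": "BackupService", "Effect": "Allow",
             "Principal": {"Service": "backup.amazonaws.com"},
             "Action": "sts:AssumeRole"},
        ],
    },
    "role/data-migrator (trust)": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowNonProd", "Effect": "Allow",
             "Principal": {"AWS": [f"arn:aws:iam::{PROD_ACCOUNT}:role/ops",
                                   NONPROD_ACCOUNT]},
             "Action": "sts:AssumeRole"},
        ],
    },
    "bucket/dot-raw-ingest (bucket policy)": json.dumps({
        "Version": "2012-10-17",
        "Statement": {"Sid": "PublicRead", "Effect": "Allow",
                      "Principal": "*", "Action": "s3:GetObject",
                      "Resource": "arn:aws:s3:::dot-raw-ingest/*"},
    }),
}

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_POLICIES, PROD_ACCOUNT).items():
        for sid, acct in hits:
            print(f"{name}: statement {sid} grants access to account {acct}")
```

In a real account the documents would come from `iam:GetRole` (the `AssumeRolePolicyDocument` field) and `s3:GetBucketPolicy`, and the same check applies to KMS key policies, SQS/SNS policies and Lambda resource policies. The script deliberately ignores `Condition` blocks and does not cover Resource Access Manager shares or S3 ACLs, so it is a quick linter rather than a substitute for IAM Access Analyzer, which evaluates the full policy logic.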

What is the data flow associated with the service?

There are two key interfaces to understand in terms of data, each shown in its own diagram:

  1. How a user accesses the application (diagram: user-dataflow-diagram)
  2. How data is ingested into the DoT backend (diagram: data-ingestion-diagram)

Do you encrypt tenant data at rest (on disk/storage) within your environment and in transit over the internet?

Yes. All stored data is encrypted at rest, and communication between services occurs over HTTPS (TLS).

All encryption keys used in production are managed by AWS (AWS managed KMS keys).

This means we cannot manage every aspect of the keys ourselves, but it also guarantees yearly key rotation and ensures that the keys cannot be used by another AWS account.

Are all personnel required to sign NDAs or Confidentiality Agreements as a condition of employment to protect customer/tenant information?

Yes. We are ISO 27001 compliant and have strict policies around client data.

Is tenant data segregated from other tenants' data?

Yes. The tenant name is obfuscated in our main data store and can only be resolved via one table in a separate database. Each tenant is assigned an index, and all of that tenant's data is stored under this index. At no point is any identifiable data accessed or processed across tenants.


© 2024 Planit Testing - ✉ infoau@planit.com