Shared Responsibility
Overview
Security and compliance is a shared responsibility between Datalink, its vendors and the customer.
This model alleviates much of the customer’s operational security burden as Datalink and its upstream vendors (such as AWS) take care of the security of the cloud and the platform, leaving the customer to be responsible for security within their own instance of Crisisworks.
Details
The shared responsibility model is as follows.
AWS is responsible for “security of the infrastructure”
Datalink uses Amazon Web Services for its infrastructure.
AWS is an Infrastructure-as-a-Service provider, and is responsible for protecting the infrastructure and all its services in the AWS Cloud.
This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
AWS provides certifications that its infrastructure and business practices comply with information security requirements, including ISO 27001, SOC 2 and IRAP.
Datalink is responsible for “security of the platform”
Datalink is a Platform-as-a-Service provider, with Crisisworks being its platform.
As such, it develops its software and configures its AWS infrastructure to host its platform.
Datalink is responsible for the security of its own software, the configuration of the infrastructure that runs the software, and the provision of related services such as its service desk operation.
Datalink acts as a processor of the customer information it holds.
Datalink has various assurance programs including ISO 27001 and controls such as penetration tests, business continuity, information backup and disaster recovery to maintain the security of the information it holds and processes.
The Customer is responsible for “security in the platform”
Each customer is allocated its own instance of the platform where it can independently configure parts of the system, store its data and authorise its users to access the data.
The customer is responsible for its conduct within its own instance, as well as security decisions made by its users.
For example, customers can control the creation of events, positions and competencies, grant users authorisation, set policies for acceptable behaviour and so on. Its users can access data based on authorisation decisions made by customer administrators.
The customer is responsible for the conduct, training, monitoring and decisions of its users within the platform.
The customer owns its data, and is responsible for ensuring its users follow practices in line with its own privacy and information security obligations.
Approved by CISO
6 March 2025
Next review before
6 March 2026
Last updated