Security Policy

  • Updated 1 April 2026

    Security

    Artlogic implements technical and organisational measures to protect client data against unauthorised access, loss, and misuse. These measures combine platform-level controls available to clients with internal operational and security practices.

    Overview

    We design our systems to ensure that:

    • Only authorised users can access data

    • Data is protected during transmission and storage

    • Changes to data are logged and traceable

    • Data can be recovered in the event of error or incident

    • Systems are resilient and monitored


    Clients retain control over user access and permissions, while Artlogic manages the underlying infrastructure and operational processes.


    Technical and Organisational Measures (TOMs)

    The following measures describe the controls implemented to protect client data.

    1. Access Control

    Artlogic Platform Controls (Client-Configurable)

    • Configurable user permissions controlling:

      • Data visibility (e.g. financial information)

      • Available user actions (e.g. exporting data, communications, reporting)

    • Optional IP-based access restrictions

    • Two-Factor Authentication (2FA) available using authenticator applications

    Artlogic Platform-Enforced Controls

    • Protection against brute force login attempts

    • Logging of all connections to the system

    Artlogic Organisational Controls

    • Access to systems limited to authorised personnel supporting or maintaining the platform

    2. Authentication & Account Security

    Artlogic Platform Controls

    • User authentication via username and password, with optional two-factor authentication

    • Secure handling of authentication processes

    Artlogic Organisational Controls

    • Internal access credentials restricted to Artlogic-controlled environments

    • Access removed upon role change or departure

    3. Data in Transit

    Artlogic Platform Controls

    • Encryption of data in transit via HTTPS

    • 256-bit encryption used to secure connections

    4. Data at Rest

    Artlogic Platform Controls

    • Encryption of data at rest

    • 256-bit encryption used to encrypt disk storage

    5. Data Protection & Backups

    Artlogic Platform Controls

    • Daily backups of client databases

    • Backup replication to:

      • Separate infrastructure

      • Different networks and providers

    • Backups retained for a minimum of 90 days

    • Clients can export their data

    Artlogic Organisational Controls

    • Backup processes managed by Artlogic

    • Controlled access to backup systems

    6. Infrastructure & Resilience

    Artlogic Platform Controls

    • Use of enterprise-grade cloud infrastructure (Google Cloud Platform, Amazon Web Services and Microsoft Azure)

    • Data replicated across multiple servers

    • Use of Content Delivery Networks (CDNs)

    Artlogic Organisational Controls

    • Infrastructure managed by authorised personnel

    • Operational observability

    7. Recovery Services

    Artlogic Platform Controls

    • Restoration of deleted or modified data

    • Recovery from historical data states (days, weeks, or months)

    • Recovery processes designed to avoid service downtime

    Artlogic Organisational Controls

    • Recovery actions performed by authorised staff

    8. Logging & Audit

    Artlogic Platform Controls

    • Logging of all connections to systems

    • Record-level modification history for key data

    • Audit data retained for a minimum of 90 days

    Artlogic Organisational Controls

    • Logs can be reviewed and used to investigate activity

    9. Preventing Unauthorised System Access

    Artlogic Platform Controls

    • Measures in place to reduce exposure to common attack methods

    • Controlled access to system environments

    Artlogic Organisational Controls

    • Full server access restricted to senior staff only

    • External security consultants engaged to review system security

    10. Support Access

    Artlogic Platform Controls

    • No unrestricted public or anonymous access to client systems

    Artlogic Organisational Controls

    • Support access provided only where necessary

    • Access limited to trained staff

    • All staff subject to confidentiality agreements

    • Support access credentials restricted to Artlogic networks

    • All access is logged

    11. Data Control & Client Responsibility

    Artlogic Platform Capabilities

    • Clients control user access and permissions

    • Clients can restrict access by network (IP restrictions)

    • Clients can export their data

    Client Responsibilities

    • Managing user accounts and permissions

    • Enabling appropriate authentication controls (e.g. 2FA)

    • Removing access for former staff

    12. Service Model Considerations

    Artlogic Platform Approach

    • Centrally managed, hosted database system

    • Continuous system monitoring and maintenance

    Risk Context

    Managed SaaS infrastructure reduces risks associated with:

    • Local system failures

    • Lack of backups

    • Uncontrolled internal access

    13. Experience & Operational History

    • Database systems in operation since 1994

    • Hosted platform available since 2006

    • Experience supporting a range of organisations