The Truss RTO Student Management System is managed and hosted by Truss Education Systems Pty Ltd ("Truss"). We operate our own hardware in dedicated rack space in the Vocus facility at 530 Collins St, Melbourne.

We also host some services on Amazon Web Services in the Asia Pacific - Southeast (Sydney) region. If you are a Truss client, unless you have been told otherwise, your data is housed at 530 Collins St. Some archived data may be stored, encrypted with a key that only we hold, in Amazon's AP - Southeast (Sydney) region. This data is only accessible to us.

Security provisions by the vendor (Truss) are as follows:

  • Physical Security
    • The system is hosted on equipment owned by the vendor, and the only people with physical access are necessary staff within Truss, and the operators of the facility (Vocus)
    • Servers are deployed with at least 2N redundancy (meaning any single component failure won't affect availability)
    • All servers store data encrypted at rest (meaning even in the event someone was able to access the hardware without authorisation, dismantling it would not grant them the ability to extract data)

  • Firewalls and Network Security
    • All services are protected by very conservatively configured firewalls
    • Servers run with the necessary software only to minimise attack surface and exposure to third party vendor vulnerabilities
    • Network and software are designed to PCI-DSS 3.1 standards

  • Software Security
    • Truss deliver their software using a platform developed in-house (which reduces exposure to third party vendor vulnerabilities)
    • The software is designed to cover all key OWASP vulnerabilities by design, and includes extensive audit capabilities both for read and write access (it is possible to record all read accesses to every object in the database)
    • The architecture eliminates the ability for direct writes to data - everything passes through a validation and audit layer.

  • Audit Capability
    • Reads/writes to every object are logged
    • This means it is possible not only to identify the source of changes, but to keep records of who has seen which

  • Default Access
    • By default, Client staff have access to all records, and Truss support staff do also.
    • This access is logged, but Truss access is restricted such that it only works from inside Truss's offices. It is not possible to use Truss's credentials to access the system from outside without tightly-restricted company VPN access

  • Backup
    • Data is backed up on a continuous basis between redundant database servers, and to on-site and external storage
    • Off-site (encrypted) backups are taken periodically and retained securely
    • Clients have access at all times to take backups of key data (student, enrolment, and audit history) and we encourage them to do so regularly.


Truss also provides hosted Moodle instances, run from air-gapped servers within the same infrastructure as the Truss Platform.

Security provisions for our hosted Moodle instances are as follows:

  • Physical Security
    • As above

  • Firewalls and Network Security
    • All services are protected by very conservatively configured firewalls
    • Servers run with necessary software only to minimise attack surface and exposure to third party vendor vulnerabilities
    • Network is designed to PCI-DSS 3.1 standards

  • Software Security
    • Moodle instances are configured to allow access by the client only to the tools necessary to install and update plugins
    • Direct FTP access or direct database access are not granted under any circumstances
    • We recommend all clients familiarise themselves with good Moodle security practice as outlined at https://docs.moodle.org/39/en/Security

  • Audit Capability
    • Web server logs for Moodle instances are retained for 52 weeks
    • Moodle retains audit logs around changes to configuration

  • Default Access
    • By default, the client is granted one Site Administrator login
    • Clients are able to issue additional logins at any Moodle access level they like, and must be mindful of a sensible password policy
    • Student logins are enrolled only in courses directly linked to their Truss activity using accounts without password (Single Sign On access)

  • Backup
    • Moodle instances are snapshotted either manually or at a pre-determined frequency agreed between Truss and the client
    • Off-site (encrypted) backups of Moodle snapshots are taken periodically and retained securely
    • We recommend the client periodically take Moodle backups using its built in export tools and store them securely


YOUR PRIVACY IS IMPORTANT TO US

Truss Education Systems Pty Ltd ("us", "we", or "Truss") recognises the trust you are placing in us by providing your personal details and we are committed to the protection of your personal information. The Policy applies to and is adopted by all Truss employees, related entities and associated companies and contractors which are subject to the Privacy Act 1988.

 

WHAT PERSONAL INFORMATION TRUSS GENERALLY COLLECTS AND WHY:

Truss collects information in a number of different ways including directly, indirectly and through third parties. These include (but are not limited to) the following:

  • Website;
  • Email;
  • Social Media;
  • Over the phone;
  • In connection with competitions. 

Depending on your purpose for contact, the information we collect from you may vary. The information may include (but is not limited to) the following:

  • Your name, address, telephone number, email address, land details;
  • Credit card or banking details;
  • Details of interaction between you and Truss staff;
  • Feedback in relation to your experience with us.

If you provide Truss with direct debit or direct credit details, we will only disclose those details to our bank to facilitate the provision of that service.

Although we may use your personal information as stated above, we may also use your personal information for secondary purposes. We may communicate news, promotional offers or special events to you or we may use personal information for marketing, research, planning and product development purposes. We use this information to conduct our business, to provide and market our services, to communicate with you to provide or promote our services and to help us manage and enhance our services. Where you have consented to receiving these communications from us, that consent will remain current until you advise us otherwise. However, you can opt out at any time by contacting our Privacy Officer or by unsubscribing to our commercial electronic messages as set out below.

 

JUNK MAIL OR UNSOLICITED EMAIL

You will only receive emails from Truss if:

  • You subscribe to our Email Newsletters service. Our Email Newsletters will keep you informed of the latest offers, current promotions and news and events. If you no longer wish to receive Email Newsletters, you may unsubscribe by clicking the ‘unsubscribe’ option at the bottom of our email;
  • You request information about our services when you choose to contact us. You will not be added to a mailing list of any kind and will only receive e-mail in the matter that you have contacted us about;
  • You provide your details and request that we contact you when you send us your Resume; or
  • They are otherwise relevant to the reasons for which we hold your email address, where we are permitted to do so by law.

Truss will destroy information if the information could not have been lawfully collected by us if we had solicited it.  

 

SUPPLIERS

If you, or a company you work for, supplies goods or services to Truss, we may collect personal information about you in connection with the provision of those goods or services, either directly from you or from that company. This information may include your name, date of birth, contact information, and any other information you provide. This information will be used for the purposes of managing the provision of those goods or services.


OTHER INFORMATION WE COLLECT

We may also collect the following information from you:

  • The fully qualified domain name from which you accessed our websites, or your IP address;
  • The date and time you accessed each page on our websites;
  • The URL of any webpage from which you accessed our websites (the referrer);
  • Cookies which track your visits to our websites; and
  • The web browser that you are using and the pages you accessed.

We use this information so that we can tell which pages are the most popular and where people spend most of their time. We use this information to improve our website. In some circumstances we may collect personal information about an individual from a third party, for example, to analyse traffic at our website.  If this information is linked with personal information we hold about you as set out above, this information becomes personal information and will be treated in the same manner as the personal information to which it has been linked.

 

ARE WE LIKELY TO DISCLOSE YOUR PERSONAL INFORMATION OVERSEAS? 

We may disclose your personal information to the following overseas recipients: 

  • other companies or individuals who assist us in providing services or who perform functions on their behalf (such as third party service providers and specialist consultants);
  • anyone else to whom you authorise us to disclose it; and
  • anyone else where authorised by law. 


HOW YOUR PERSONAL INFORMATION IS STORED AND KEPT SECURE

All personal information collected by Truss is held securely, whether on our physical files, in our computer systems or in a database (which may be hosted by Truss or a third party on our behalf). This information is only made available to Truss’s staff, contractors and third parties to a level that is necessary for them to perform their duties. 

We will use all reasonable endeavours to keep your personal information in a secure environment, however, this security cannot be guaranteed due to the nature of the internet. We take reasonable steps to protect personal information held from misuse and loss and from unauthorised access, modification or disclosure, for example by use of physical security and restricted access to electronic records. Where we no longer require your personal information we will take reasonable steps to destroy it. These measures are designed to assist in your personal information not being accessed by unauthorised personnel, lost or misused. If you reasonably believe that there has been unauthorised use or disclosure of your personal information, please contact us (contact details below).


ACCESSING YOUR INFORMATION                

In order to maintain the security of your personal information Truss may require you to provide proof of your identity before discussing any personal information and we may ask you to specify what information you require.  Ways in which we may ask you to provide proof of identity may include (but are not limited to) the following:

  • Photo identification 
  • Providing date of birth, address, telephone number or other particulars pertaining to your identity
  • Providing passwords or codes

All reasonable steps are taken by us to ensure that your personal information held by us is accurate, complete and up to date. If you believe that any of your personal information is inaccurate, please contact us (details below) and subject to the exceptions set out in the Privacy Act 1988, you may seek access to and correction of the personal information which we hold about you and we will take all reasonable steps to correct it within a reasonable timeframe. 

 

HOW YOU CAN MAKE A PRIVACY RELATED COMPLAINT?

If you have any questions about privacy-related issues or wish to complain about a breach of the Australian Privacy Principles or the handling of your personal information by us, please contact us (details below). We may ask you to lodge your complaint in writing. Any complaint will be investigated by our Privacy Officer and you will be notified of the making of a decision in relation to your complaint as soon as is practicable after it has been made (usually within 30 days). If you are not satisfied with our response, you can refer your complaint to the Office of the Australian Information Commissioner (details below).  


CHANGES TO OUR PRIVACY POLICY

This privacy policy relates to our current privacy standards. We may periodically amend our Privacy Policy in accordance with the Privacy Act 1988 and other relevant laws. It is your responsibility to ensure you understand our current Privacy Policy. The most current version of our Privacy Policy is located on our website and can be obtained by contacting our Privacy Officer. 

By using or subscribing to our services or by purchasing our products without written objection, you agree to Truss using your personal information in accordance with our Privacy Policy.

 

QUESTIONS OR COMPLAINTS 

Should you have any questions or complaints about our Privacy Policy, please contact us:

Privacy Officer
Truss Education Systems Pty Ltd 
GPO Box 986
Melbourne VIC 3001

P: 1300 221 475

For more information on privacy in Australia, please visit the Australian Commonwealth Government’s Office of the Australian Information Commissioner’s website at www.oaic.gov.au.