Security FAQ

This article answers frequently asked questions relating to licenses, data, security, regulations and privacy, storage, data integration and more.

Licenses/Access/Users

1. How is licensing managed - by the user, concurrent connections, or by consumption of services?

By the consumption of FitMachine Services.

2. How is the MOVUS system accessed?

The MOVUS customer dashboard is accessed by web browser. There is also a Mobile App (Android and iOS) for self-installation of the FitMachine hardware. A bi-directional REST API provides access for integration with other business processes.

3. What are the standard ports required for functionality?

To access the Dashboard or communicate with the REST API, port 443 is required. Where FitMachine hardware is installed on a local WiFi network, outgoing access to port 443 is also required.

4. What are the connectivity options between MOVUS FitMachine sensors and the MOVUS MachineCloud?

When on-boarding, individual sensors can be configured to communicate with the platform via a customer's local WiFi network, or via a MOVUS 4G cellular Gateway.

5. What options are available to control access at the end-user level?

Role-based access is implemented per customer.

6. What options are available to control access internal to the cloud infrastructure?

No customer access is provided to the cloud infrastructure. MOVUS operations access is controlled by AWS IAM accounts and policies.

7. What approach does MOVUS take to audit stale accounts?

MOVUS audits stale accounts (those not accessed within 90 days) quarterly.

8. Are there any 3rd party license needs for implementation?

No.

 


Data

1. Are data stored in the MOVUS system on shared infrastructure? How does MOVUS ensure customer data is kept separate from other customers' data?

As a multi-tenant SaaS Application, we store data for all customers in common stores within Amazon Web Services (AWS). For security and system performance reasons, we store customer and user data separately from machine data, on separate types of AWS databases. We distinguish each customer's data based on the relationships defined in the database schema and all access to the data is controlled by our API, ensuring customers can only access their own data. Customers do not have access to any other customers' data of any kind nor do they have direct access to the data stores.

2. Describe the level of sharing amongst other tenants. (CPU, Hardware, network, storage)

All our customers (tenants) share processing, storage and associated network infrastructure. AWS manages the available resources, based on demand.

3. Does the customer maintain data ownership of the content in the MOVUS system on termination?

Yes - please refer to the MOVUS End User Licence Agreement (EULA).

4. What happens to MOVUS services as a customer's business and data volume grow?

Our service is supplied via AWS global infrastructure, which is highly scalable. No changes will be required to accommodate customer expansion. No advance notice of customer expansion is normally required. There are no penalty costs involved for either expansion or contraction of service volume.

5. Where is MOVUS data housed?

All customer data are currently stored by AWS in Sydney, Australia, across their 3 data centres.

 


Security

1. What security systems and versions does the MOVUS system use? (i.e. Malware/virus protection on servers and workstations, firewalls, IPS/IDS.)

The MOVUS Service is provided using various AWS Serverless products. We rely on AWS to keep the underlying resources secure.

2. What is MOVUS' approach/policy regarding proactive security monitoring?

AWS provides extensive metrics covering all aspects of the operation of the resources used to deliver the MOVUS Platform. The current operational monitoring covers performance metrics as well as failure, authentication and bad request metrics.

3. How is the MOVUS environment monitored for potential information security events?

All access to the platform is via our API. We monitor failed or bad API requests and authentication failures. If any of these metrics falls outside the current normal operating range, it is investigated as a possible security threat.
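The range check this answer describes, sketched as an added example (not MOVUS code): each minute's count of bad requests and authentication failures is compared with a normal range built from the preceding minutes. The per-minute counters, the 8-minute baseline window, the 3-standard-deviation tolerance and all names are assumptions made for illustration.

```python
from statistics import mean, pstdev

# Constructed sample: per-minute API counters (not real MOVUS data).
# Fields: minute, bad_requests (HTTP 4xx), auth_failures (HTTP 401/403).
SAMPLES = [
    ("09:00", 4, 1), ("09:01", 6, 2), ("09:02", 5, 1), ("09:03", 3, 2),
    ("09:04", 5, 1), ("09:05", 4, 2), ("09:06", 6, 1), ("09:07", 5, 2),
    ("09:08", 4, 41),   # burst of authentication failures
    ("09:09", 38, 2),   # burst of malformed requests
    ("09:10", 5, 1),
]

METRICS = ("bad_requests", "auth_failures")
BASELINE_WINDOW = 8   # assumption: minutes of history that define "normal"
TOLERANCE = 3.0       # assumption: allowed deviation, in standard deviations
MIN_SPREAD = 1.0      # floor so a very flat baseline does not flag +/-1 noise


def normal_range(history):
    """Return the (low, high) bounds of the normal operating range."""
    centre = mean(history)
    spread = max(pstdev(history), MIN_SPREAD)
    return max(0.0, centre - TOLERANCE * spread), centre + TOLERANCE * spread


def find_anomalies(samples, window=BASELINE_WINDOW):
    """Flag each metric value outside the range built from prior minutes."""
    alerts = []
    history = {name: [] for name in METRICS}
    for minute, *values in samples:
        for name, value in zip(METRICS, values):
            past = history[name][-window:]
            if len(past) == window:
                low, high = normal_range(past)
                if not low <= value <= high:
                    alerts.append((minute, name, value, high))
                    continue  # keep outliers out of the baseline
            history[name].append(value)
    return alerts


if __name__ == "__main__":
    for minute, name, value, high in find_anomalies(SAMPLES):
        print(f"{minute} {name}={value} outside normal range (upper bound {high:.1f})")
```

Flagged values are excluded from the baseline so that a sustained burst does not gradually redefine what counts as normal.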

4. Is data stored in the MOVUS system encrypted? If so, what encryption technology is used?

Stored passwords are hashed with a randomly salted bcrypt algorithm. All time-series data that we collect is encrypted at rest using AES-256.

5. Is all customer data encrypted before being sent to the cloud, and what protocols do you use (TLS, etc.)?

All data is encrypted in transit using TLS 1.2. This includes all requests, responses, uploads and downloads.

6. Is security management and security monitoring provided 24x7x365 by security experts?

Our security management and monitoring are provided by our in-house experts.

7. Are external threat feeds and third-party intelligence sources integrated into your customer cloud services?

Yes, indirectly via AWS resources.

8. How secure are your premises from which MOVUS services are provided?

All systems are hosted by Amazon Web Services. As an AWS customer, we have no physical access to AWS data centres. Please refer to https://aws.amazon.com/compliance/data-center/

 


Global Regulations & Privacy

1. Does MOVUS ensure it is compliant with international data privacy and security regulatory requirements?

Yes. As the service supplier, MOVUS is responsible for compliance with international data privacy and security regulatory requirements. We collect and store only the minimum amount of personal data needed to manage customer and user accounts, and handle it in accordance with our corporate Privacy Policy.

 


Backups/Storage/Logging

1. How are MOVUS backups managed?

All backups are managed by AWS based on schedules defined by MOVUS Operations. We maintain snapshots indefinitely and can provide point-in-time restores for up to 35 days.

2. What is the average recovery time from a backup?

Restoration using the 'point-in-time' restore method typically takes several minutes. Restoring time series (sensor) data using the 'snapshot' method can take several hours; however, the MOVUS Platform is fully functional while the restoration is taking place.

3. Where are MOVUS backups and data stored?

The backup storage location is AWS-dependent and based on where the live data is stored. Currently, this is in Sydney, Australia, until we deploy to additional AWS regions.

4. Can you describe the data backup strategy for the MOVUS system?

We have scheduled backups/snapshots that are stored indefinitely, transitioning to AWS S3 and then to various forms of archival storage as required. There are also continuous backups used to support point-in-time restore.

5. What redundancies and disaster recovery strategies are in place to maintain the service?

AWS provides redundancy across all the products we use both within and across data centres. We have backup and recovery processes that have successfully rebuilt our service platform in a DR test.

6. Is there a SOC report for the data centre where the application and data are being stored?

Yes, provided by AWS. Please refer to https://aws.amazon.com/compliance/soc-faqs/

 


Vendor System/Platform

1. What browsers are supported by the MOVUS system?

Our standard user interface is a WebApp that has been successfully used with various Application and Desktop virtualisation tools. The WebApp itself is tested across multiple browsers and operating systems including Windows, Linux, macOS, Android, iOS, iPadOS, Internet Explorer, Microsoft Edge, Firefox, Chrome Browser and Safari.

2. What is the frequency of the patches and upgrades to the system?

MOVUS runs a continuous integration and deployment system allowing us to deploy platform hotfixes, patches and upgrades as frequently as several times per day. Where there are changes that directly impact customers, these may be pre-announced via email.

 


Data Integration

1. Please describe the MOVUS Web Services capability.

MOVUS provides a REST API for customer use. This API is used by our WebApp and Mobile App to interact with the Platform. In addition, customers can configure various real-time data streams for sending data to external message processing or stream processing services.

2. Describe the availability of standard Web Services.

Our REST API is used by the WebApp to implement all its features. Consequently, customers are able to use the API for any of those functions from user management to updating asset information, retrieving asset status and downloading sample data.

3. Can the MOVUS REST API be integrated into a customer's Integration platform?

Yes. The MOVUS REST API (including the resource tagging features) and streaming services provide the building blocks for many types of integrations. We can assist customers to integrate the MOVUS system into their environment.

---

Thanks for reading. If you have any questions or concerns, please reach out to MOVUS Support.