Security

Notify is built for the needs of government services. It has processes in place to:

  • protect user data
  • keep systems secure
  • manage risks around information

Data

On Notify, data is encrypted when it passes through the service. All data stored in Notify databases is encrypted at rest to prevent unauthorised access.

Any Notify data you upload to our service is only held for 7 days.

Data Protection

Notify complies with the data protection guidelines outlined in the Privacy Act 1988 (Cth). To make sure it stays compliant, there are regular legal reviews of the service’s:

Technical security

Other technical security controls on Notify include:

  • protective monitoring to record activity, and raise alerts about any suspicious activity
  • using JSON Web Tokens, to avoid sending API keys when your service talks to Notify
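How a JSON Web Token lets a calling service prove it holds an API key without sending the key, as an added example that is not Notify's own code. The `iss`/`iat` claim layout, the HS256 algorithm, the 30-second freshness window and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed claim layout (not stated on the page): iss = service id, iat = issue time.
def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(api_key: str, signing_input: str) -> bytes:
    return hmac.new(api_key.encode(), signing_input.encode(), hashlib.sha256).digest()

def make_token(service_id: str, api_key: str, now: int) -> str:
    """Client: the API key signs the token but is never placed inside it."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    claims = b64url_encode(json.dumps({"iss": service_id, "iat": now}).encode())
    body = f"{header}.{claims}"
    return f"{body}.{b64url_encode(sign(api_key, body))}"

def verify_token(token: str, keys: dict, now: int, max_age: int = 30) -> str:
    """Server: return the calling service id, or raise ValueError."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
        alg, iss, iat = header["alg"], claims["iss"], claims["iat"]
        if not isinstance(iss, str) or not isinstance(iat, int):
            raise TypeError("wrong claim types")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if alg != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected algorithm")
    if iss not in keys:
        raise ValueError("unknown service")
    if not hmac.compare_digest(sig, sign(keys[iss], f"{header_b64}.{claims_b64}")):
        raise ValueError("bad signature")
    if abs(now - iat) > max_age:  # assumed freshness window; limits replay
        raise ValueError("token expired")
    return iss

if __name__ == "__main__":
    key = "constructed-example-key"  # constructed sample value, not a real key
    token = make_token("svc-1", key, int(time.time()))
    print(verify_token(token, {"svc-1": key}, int(time.time())))
```

A token captured in transit is only useful within the freshness window and cannot be used to mint new tokens, which is the advantage over sending the key itself.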

User permissions and signing in

You can set different user permissions in Notify. This lets you control who in your team has access to certain parts of the service.

Two-factor authentication

To sign in to Notify, you will need to enter:

  • your email address and password
  • a text message code that Notify sends to your phone

If receiving text messages at work is a problem for your team, contact us about using an email link instead.

How we manage risks on Notify

Things we do to manage risks on Notify include:

  • regular updates to the Privacy Impact Assessment
  • security impact assessments

Your security obligations

As a user of Notify, you understand and accept the following:

  • you must ensure the Account Administrator and all members keep secure, and do not share, any login details for your User Account.
  • you are responsible for ensuring the regular maintenance of any data uploaded to Notify. This includes, but is not limited to, activities such as removing inactive or unresponsive numbers from your uploads and keeping your information up-to-date and accurate.

For further information on your security obligations, please see our Terms of Use.

Security audits

Notify is regularly audited for vulnerabilities at source code level by the internal DTA Security Team. A full audit will be completed prior to the Live release. Any security bugs that are raised during audits are fixed and deployed in a timely manner.

Status and incident updates

The current status of the Notify site can be viewed at https://status.notify.gov.au/. We publish our service availability in real time. If there is downtime for any reason, an incident will be raised on this site with regular updates until the service is restored.

Monitoring

Notify is continually monitored by a range of tools that immediately notify the team of any errors or changes to performance that could affect the Notify service.

Open source

In line with the Digital Service Standard, all code behind Notify is open source and available on our GitHub repository.

Protecting sensitive information

Some messages include sensitive information like security codes or password reset links. If you are sending a message with sensitive information, you can choose to hide those details on the Notify dashboard once the message has been sent. This means that only the message recipient will be able to see that information.

Classifications and security vetting

You can use Notify to send messages classified as ‘OFFICIAL’ or ‘OFFICIAL: Sensitive’ as outlined in the Protective Security Policy Framework.

You must not use Notify to send sensitive information, as defined in the Privacy Act 1988 (Cth).

The Notify team has Baseline vetting as the minimum personnel security vetting standard.

Raising issues or providing feedback

Anyone can raise an issue or provide feedback for Notify. You can contact us at notify-support@dta.gov.au to:

  • report a bug
  • request a feature
  • raise a security concern
  • provide feedback

Our service standard for responding to raised issues is 48 hours. We will endeavour to address critical issues as soon as possible, dependent on resourcing constraints.

We appreciate all feedback and/or suggestions. Notify is an agile development, which means it evolves in response to the needs of its users. If you have any feedback or questions relating to this document (or any other Notify matters) please email notify-support@dta.gov.au.



Updated: 11/06/2020