Plan: Available: All plans
Users: Available: All users
Practice Management Source: Available: All sources
The FYI platform has been developed using best-practice architecture for security, reliability and long-term scalability.
Certification
FYI has achieved OWASP grade security, has been certified by the ATO as a Digital Service Provider, and is certified for ISO 27001, an international standard for information security management.
Data Security
Data Encryption
FYI encrypts data both in transit and at rest. This ensures your information is safe when it is sitting idle on the Amazon Web Services (AWS) servers or being accessed in transit via the FYI application. FYI has also taken the additional step of allocating separate encryption keys to each subscription, ensuring that each accounting practice has its own layer of protection from unwanted or illegal access.
Authentication
Rather than creating an authentication layer requiring yet another username and password, FYI leverages the Microsoft Windows user authentication to identify users when logging in. Microsoft is trusted globally by millions of people for its high standard of security and reliability. To log in to FYI, a user only needs to use their Microsoft 365 username and password. Therefore, what is enabled for Microsoft 365 in terms of authentication applies to FYI. We support 2FA when implemented as part of Microsoft 365.
Whether multi-factor authentication (MFA) is required is determined by your Microsoft 365 administrator. To enable MFA, please follow these instructions provided by Microsoft.
Please note it is the responsibility of your IT team to implement policies around employee devices, including approving devices and preventing unauthorised access. For any queries, please refer to your IT administrator.
Security Assessments
FYI engages external consultants to perform annual security assessments, including penetration tests.
Privacy
FYI complies with both Australian and UK privacy laws.
Access and Permissions of an FYI Admin
An FYI Admin user has access to all FYI functions and access to all documents, including where Security has been enabled for a client (refer to Client Security). This access and permission level includes the ability to bulk export client documents from FYI.
FYI recommends regularly reviewing your FYI Admin user list and adjusting as needed.
Data Ownership
At all times, you retain complete ownership rights of the content you upload to FYI. Your practice always owns your data.
If you want to leave at any time, an FYI Admin can request that your account be deleted from Practice Settings - General - Account. A member of FYI will get in touch with you to facilitate the export of your data. Refer to Deleting your FYI Account.
Hosting and Reliability
AWS Well-Architected Framework
FYI has been designed using the AWS ‘Well-Architected Framework’, ensuring that the solution is secure, high-performing, resilient, and makes the most efficient use of the AWS infrastructure. Through this partnership and regular technical review with AWS, FYI can guarantee high availability, data redundancy and government-grade security.
Hosting
For Australian and New Zealand clients, data is stored and backed up in Amazon’s AWS data centres in Sydney. For our UK clients, the data is hosted in AWS's London data centres. AWS is ISO 27001 compliant and provides inbuilt, offsite backups, disaster recovery, multi-site synchronisation and more. As we become a global provider, we will host FYI in the UK and the US.
Each practice’s documents are stored in their own discrete store within AWS. The documents for every practice are encrypted using a unique set of public/private keys to ensure no other practice can gain unauthorised access to them.
Our in-app tool, FYI Guide, is powered by Userpilot. The Userpilot Platform is hosted with AWS, by default in the USA and upon request in the EU (Paris). For more information about Userpilot’s data security and privacy practices, refer to Userpilot Security and Userpilot Privacy Policy.
Our Forms feature is powered by Syntaq’s advanced forms engine. The FYI Forms service is hosted in Australia, within a dedicated Microsoft Azure environment purpose-built for forms processing. This facility complies with ISO 27001 security standards and ASIO T4 intrusion detection requirements. When a Form is created, data is stored securely and only retained temporarily within this environment. When a Form Workflow state is selected as 'Finished', the form will be automatically converted to PDF and the original form will be permanently deleted from FYI and the Syntaq engine.
24-7 Protection
FYI works with AWS to have the most up-to-date monitoring and defences against ‘denial of service’ attacks and the like.
Availability and Service Levels
Since our beta launch in November 2019, the total time we have been offline is 7 minutes. This downtime was caused by the Microsoft authentication service being offline. This represents the industry's absolute best practice of 99.9% availability.
Regular Load and Penetration Testing
As part of the regular software development life-cycle, FYI is routinely load tested to prove it can scale to host the billions of documents required. FYI also undergoes regular penetration testing to identify and eliminate any potential security weaknesses.
Data Storage Space
Licensing depends on your FYI plan. In summary, each user on our document management plans is entitled to 50 gigabytes of data. For storage in excess of your plan's allowance, we charge an extra $5 per user per month for an additional 50 gigabytes for every user.
Data Backup and Recovery
Backup
Your data is dynamically backed up by Amazon (AWS) as part of their core service. Amazon provides built-in off-site backups, disaster recovery, multiple sites sync, etc. These backups include everything within the FYI platform, including Templates, Automation Processes, Tasks, etc.
Backups are performed by AWS Aurora, which creates continuous and incremental backups of the FYI database, allowing for point-in-time restoration. The restored data is retained for 14 days.
We also provide the ability for practices to manually perform a Bulk Export of their document data locally. Refer to Bulk Export AWS.
Your historical metadata is maintained in the FYI database for 30 days, and we maintain document logs permanently. Deleted documents remain in a restorable state unless permanently deleted by one of your FYI Admins. Permanently deleted documents in FYI cannot be restored.
We store a new version of every document you save. This means you can always restore a document back to a prior version, as long as the changes were saved from within FYI. Backups are continuous, and FYI is able to restore to a point-in-time at any point during the retention period.
Forms
Forms configuration is backed up for 7 days. Form records are backed up as part of FYI’s existing backup and recovery services. Data is retained for different stages of the form lifecycle. When a form is created, a record is generated in the Forms service and stored while the form is being completed. Once a form is submitted, the data is securely transferred into your FYI platform. The data is retained temporarily within the FYI Forms service.
Location of Backup storage
Documents and Backups are retained in AWS data centres in the relevant region. Australian and New Zealand data is stored in Sydney, and UK data is stored in London.
Restoration Tests
Backups are officially tested every 6 months as part of our ISO 27001 compliance. Results are retained on AWS servers.
Verification of backups is performed monthly as a part of our system audit. Restoration test results are not available publicly.
Disaster Recovery
Your data is replicated to multiple data centres and backed up in case of disaster. In the case of a Disaster Recovery event, the maximum period of modified data that could be lost is 5 minutes. The maximum time expected to restore data and service is 30 minutes. FYI’s Disaster Recovery is tested on a quarterly basis.
Bandwidth utilised by FYI
FYI does not require any more bandwidth than you expect from similar functions using SharePoint. FYI does not use any specific port.
Note: The "health" of each user's OneDrive does impact the usability of FYI. If the user's OneDrive is syncing other folders, key FYI workflows such as editing Office documents can be affected.
Support
FYI Support is offered during AEST business hours for Australian and New Zealand clients, and during GMT business hours for UK clients. FYI Support guarantees responses within a maximum of 2 hours.
If you have submitted a query to the Support Team, the team may need to log into your FYI database to investigate further.
A new user account will be added to your list of FYI users under Practice Settings - General - Users. These users can be identified by the name of the Support agent (look for "(FYI)" after their name). The user's email address will contain "fyidocs.com" or "fyi.app".
This access is only temporary while they investigate your issue and will be removed at the end of each day. The account has limited access relating to Microsoft Office, Outlook and OneDrive, as it does not have all the functionality of a regular Microsoft 365 account. The account will be unable to file emails from Outlook to FYI, edit documents directly from FYI or preview documents via OneDrive.
The FYI Support user account will not be added to your licences, and will not increase your fees.