Access to customer data is restricted to authorised Sonocent staff who have a legitimate business need to access it. Where possible, access will be further limited to the specific data set required to fulfil the task assigned to them.
The Sonocent COO and CTO are accountable for the authorisation of access to customer data. Access can be modified or revoked at any time by the COO, CTO, or, by a delegated member of the Operations team.
The IT Team maintains a list of applications and databases that hold customer data and their corresponding business owners.
(ii) Resource Access Logs
Sonocent maintains logs of all interactions between systems (Human and other software) within its infrastructure and architecture. This includes, but is not limited to:
a. Successful and unsuccessful login attempts to external public facing systems
b. Internal authorisation attempts between internal and third party systems
c. Activities performed by users (Administrators and Users)
Logs are typically retained for 90 days and then expire. User audit logs may be retained for a longer period of time in line with Sonocent’s Data Retention Policy and legal requirements.
(iii) Reporting Access Violations
The Engineering team maintains a process for providing reports and alerts for unexpected or malicious behaviour, such as multiple failed login attempts for a single account, which may be evidence of a systemic attack on services within Sonocent’s infrastructure. Where Sonocent identifies such behaviour, and believes a security incident that may impact customer data has occurred, Sonocent will contact the customer using the email address provided or confirmed by the customer.
(iv) Password Management
Sonocent adheres to password management industry best practices. All Sonocent staff use a password manager to ensure credentials are secure. All devices and systems used to access customer data are secured with strong passwords, and where applicable, use two-factor authentication. In the event that a member of staff leaves Sonocent, their passwords are deleted, access revoked and accounts disabled.