IT FAQs

SmartyGrants is a multi-tenant cloud platform provided as Software as a Service (SaaS) with the system and data being hosted remotely.

Accessibility

SmartyGrants public-facing forms (i.e., on SmartyGrants applicant websites) have been externally audited and are compliant with the Web Content Accessibility Guidelines (WCAG) 2.0.

As outlined by the World Wide Web Consortium, WCAG is a technical standard with 12 guidelines that are organised under four principles: perceivable, operable, understandable, and robust. Each guideline has testable success criteria, and each criterion is assigned one of three levels: A, AA, and AAA.

During an audit conducted by Vision Australia, an AA level of conformance was attained in relation to WCAG 2.0. For Level AA conformance, the Web page satisfies all the Level A and Level AA Success Criteria, or a Level AA conforming alternate version is provided. 

People who are visually impaired cannot see a mouse cursor on the screen, so they typically navigate a web page with the keyboard in conjunction with a screen reader. A screen reader program reads out the text on the page and announces its structure. All issues identified by the audit, including those relating to the use of screen readers, were remediated, and we are now fully compliant in the context of that audit.

Antivirus

Files uploaded into SmartyGrants by applicants or funders are scanned by antivirus software at the time of upload. They are only accepted if they are found to be clean. The antivirus software used is ClamAV. 

Architecture

SmartyGrants is designed to be highly available and fault-tolerant. It operates on load-balanced application and database servers, hosted across multiple isolated AWS Availability Zones, each with its own redundant internet connections and backup power.

SmartyGrants is a Java application running on Apache Tomcat, using PostgreSQL as the primary data store.

Availability

SmartyGrants maintains 99.9% availability. 

Your SmartyGrants subscription includes updates and maintenance. Refer to the Support and Maintenance Policy (available on request) for how we manage Product Updates. 

Backups

A full encrypted backup is conducted daily by our AWS Managed Services Provider (MSP) and stored at multiple locations. Database restore points are created every 5 minutes. Backups are retained for thirty-five days, allowing the entire system’s data to be restored to any restore point within that timeframe.

Customers have the option to download regular backups of their account for a small additional cost. 

Browsers

Refer to System Requirements / Timeouts for a list of supported browsers.

Data Science

SmartyGrants may access, aggregate and use Customer Data as input into our Data Science activities. However, we do not disclose information that identifies any individuals or organisations unless we have their express consent. Refer to our Privacy Policy for more information.  

Disaster Recovery

SmartyGrants employs 24x7 production system monitoring and alerting. In the event of an incident, the technical team are notified immediately so that remediation activity can begin. There are multiple backups of both data and system configuration available, which can be called upon at short notice. In the event of a data loss, we would restore the most recent backup available. 

For more information on SmartyGrants' Disaster Recovery policy and procedures, please see the Support and Maintenance Policy and the Disaster Recovery Plan, available on request.  

Denial of Service (DoS)

All infrastructure is hosted in a secure AWS compute environment in a segregated Virtual Private Cloud with strict traffic controls. 

All application web traffic is protected by an AWS Web Application Firewall to block malicious traffic, including automated rules to block traffic sources exceeding error rates or reasonable traffic volumes for key functions. User accounts are automatically disabled after 5 incorrect login attempts. 
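The two throttling controls described in this paragraph, the rate-based rule that blocks a traffic source exceeding an error threshold and the five-attempt account lockout, modelled as a small in-memory simulation. This is an added example in Python, not SmartyGrants code or an AWS WAF configuration; the 20-errors-per-60-seconds threshold, the request stream and the IP addresses are constructed for illustration (only the five-attempt lockout figure comes from the FAQ).

```python
"""Added example (not SmartyGrants code): account lockout and per-source error-rate blocking."""
from collections import defaultdict, deque

MAX_FAILED_LOGINS = 5    # from the FAQ: accounts are disabled after 5 incorrect attempts
ERROR_THRESHOLD = 20     # assumed WAF-style rule: errors tolerated per source per window
WINDOW_SECONDS = 60      # assumed sliding-window length


class AccountLockout:
    """Disables a user account once it accumulates MAX_FAILED_LOGINS consecutive failures."""

    def __init__(self, max_failed: int = MAX_FAILED_LOGINS):
        self.max_failed = max_failed
        self.failed = defaultdict(int)   # user -> consecutive failed attempts
        self.disabled = set()

    def attempt(self, user: str, password_ok: bool) -> str:
        """Record one login attempt; returns 'ok', 'failed' or 'disabled'."""
        if user in self.disabled:
            return "disabled"            # a correct password no longer helps once disabled
        if password_ok:
            self.failed[user] = 0        # success resets the counter
            return "ok"
        self.failed[user] += 1
        if self.failed[user] >= self.max_failed:
            self.disabled.add(user)
            return "disabled"
        return "failed"


class SourceErrorLimiter:
    """Blocks a traffic source whose error responses within the window exceed the threshold."""

    def __init__(self, threshold: int = ERROR_THRESHOLD, window: float = WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.errors = defaultdict(deque)  # source -> timestamps of recent error responses
        self.blocked = set()

    def observe(self, source: str, status: int, ts: float) -> bool:
        """Record one response (HTTP status, timestamp); return True if the source is blocked."""
        if source in self.blocked:
            return True
        if status >= 400:
            recent = self.errors[source]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:   # drop errors outside the window
                recent.popleft()
            if len(recent) > self.threshold:
                self.blocked.add(source)
        return source in self.blocked


def simulate_login_attempts() -> list:
    """Constructed scenario: five wrong passwords, then the right one."""
    lock = AccountLockout()
    results = [lock.attempt("alice", False) for _ in range(5)]
    results.append(lock.attempt("alice", True))
    return results


def simulate_request_stream() -> dict:
    """Constructed stream: one source produces 25 errors in ~30 s, another only 5 in 40 s."""
    limiter = SourceErrorLimiter()
    verdicts = {}
    for i in range(25):
        verdicts["203.0.113.7"] = limiter.observe("203.0.113.7", 403, ts=i * 1.2)
    for i in range(5):
        verdicts["198.51.100.4"] = limiter.observe("198.51.100.4", 404, ts=i * 10.0)
    return verdicts


if __name__ == "__main__":
    print(simulate_login_attempts())
    print(simulate_request_stream())
```

The lockout deliberately returns the same "disabled" outcome whether or not the password was correct, so an attacker cannot use the response to confirm a guess against a locked account; the limiter keys on the traffic source rather than the account, which is what stops a single source from exhausting error budgets across many accounts.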

SmartyGrants is built as a horizontally scalable Java application, allowing additional standby servers to be enabled in the event of high traffic volumes.

SmartyGrants is monitored 24x7 with Technical Support staff on call to investigate and deal with any unusual activity or high system utilisation.

Hosting

SmartyGrants engages a certified AWS Managed Services Provider (MSP) to manage the SmartyGrants AWS environment and our production systems, including 24x7 monitoring, network and operating system security, backups and patching. Refer to the Third Party Service Providers document (available on request) for details.

AU/NZ Accounts

The system is hosted by Amazon Web Services (AWS), and is physically located in Australia within the AWS Sydney Region. 

We also utilise AWS’s cloud-based file storage service, AWS S3. All files stored within AWS S3 are located on servers controlled and managed by Amazon and are physically located in Australia. Your account does not have an overall storage limit.

UK/Europe Accounts

The system is hosted by Amazon Web Services (AWS), and is physically located in the United Kingdom within the AWS London Region.

We also utilise AWS’s cloud-based file storage service, AWS S3. All files stored within AWS S3 are located on servers controlled and managed by Amazon and are physically located in the United Kingdom. Your account does not have an overall storage limit.

Network Controls

SmartyGrants servers are isolated from the internet within an AWS Virtual Private Cloud, with network restrictions in place to control traffic from the internet and between individual servers. They are accessible for administration only from a white-list of locations. All network access to SmartyGrants and between servers is encrypted.

Password Policy Options

By default, SmartyGrants passwords must be at least 8 characters long and include a mixture of uppercase letters, lowercase letters and non-alphabetical characters.

Customers may request additions to the password policy for their managed users, including:

  • Customising the minimum password length 

  • Requiring numbers to be present in the password 

  • Requiring non-alphanumeric characters to be present in the password 

  • Passwords that expire after a specified number of days, requiring users to change their passwords 

  • Defining a number of unique passwords that must be used before a previous one can be re-used 

Please contact us if you require changes to your password policy. 
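A configurable password-policy checker covering the default policy and the optional additions listed above, as an added example in Python (not SmartyGrants code). The option names, violation messages and sample passwords are assumptions for illustration; the password history is kept as salted hashes, in line with the Security section's statement that the database holds no plaintext passwords.

```python
"""Added example (not SmartyGrants code): configurable password policy with expiry and history."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Sequence, Tuple
import hashlib
import hmac
import os


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8                     # default: 8 characters
    require_upper: bool = True              # default: mixture of upper- and lowercase letters
    require_lower: bool = True
    require_non_alpha: bool = True          # default: at least one non-alphabetical character
    require_digit: bool = False             # optional addition: numbers required
    require_non_alphanumeric: bool = False  # optional addition: symbols required
    expiry_days: Optional[int] = None       # optional addition: force a change after N days
    history_size: int = 0                   # optional addition: previous passwords that cannot be reused


DEFAULT_POLICY = PasswordPolicy()


def _derive(password: str, salt: bytes) -> bytes:
    # salted PBKDF2 so the history never stores plaintext or reversible passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def history_entry(password: str) -> Tuple[bytes, bytes]:
    """Salted hash to append to the user's history when a password is set (most recent last)."""
    salt = os.urandom(16)
    return salt, _derive(password, salt)


def check_password(password: str, policy: PasswordPolicy = DEFAULT_POLICY,
                   history: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"must be at least {policy.min_length} characters long")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("must contain an uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("must contain a lowercase letter")
    if policy.require_non_alpha and not any(not c.isalpha() for c in password):
        problems.append("must contain a non-alphabetical character")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("must contain a number")
    if policy.require_non_alphanumeric and not any(not c.isalnum() for c in password):
        problems.append("must contain a non-alphanumeric character")
    if policy.history_size:
        recent = history[-policy.history_size:]
        # constant-time comparison against each stored salted hash
        if any(hmac.compare_digest(_derive(password, salt), digest) for salt, digest in recent):
            problems.append(f"must differ from the last {policy.history_size} passwords")
    return problems


def password_expired(last_changed: str, policy: PasswordPolicy, today: Optional[str] = None) -> bool:
    """True when the policy sets an expiry and the password (ISO dates) is at least that many days old."""
    if policy.expiry_days is None:
        return False
    today_d = date.fromisoformat(today) if today else date.today()
    return (today_d - date.fromisoformat(last_changed)).days >= policy.expiry_days


if __name__ == "__main__":
    strict = PasswordPolicy(min_length=12, require_digit=True, require_non_alphanumeric=True,
                            expiry_days=90, history_size=5)
    print(check_password("Passw0rd", DEFAULT_POLICY))          # []
    print(check_password("Passw0rd!", strict))                 # too short for the strict policy
    print(password_expired("2024-01-01", strict, "2024-04-01"))  # True
```

Note that under the default policy a digit already satisfies the "non-alphabetical" rule, which is why the separate "numbers required" and "non-alphanumeric required" options exist as additions rather than replacements.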

Privacy & Data Breach

If we collect, handle and disclose Personal Information, we will do so in accordance with Privacy Legislation and our Privacy Policy. For further information on SmartyGrants' Data Use Policy, refer to the Privacy Policy, Sections 4-7.

For how SmartyGrants responds to a security incident (data breach), please see the Privacy Policy; our Incident Response Plan is available on request.

Security

SmartyGrants is ISO 27001:2022 certified.

Scope: SmartyGrants, an enterprise of Our Community, is a Software as a Service (SaaS) grants management system that allows grantmakers to manage, track and optimise their grant programs. The scope of this certification applies to SmartyGrants products and services, and relevant parts of Our Community’s business relied upon to support the operations of SmartyGrants.

SmartyGrants uses the Spring Security framework to manage authentication and web sessions. Sessions are identified by cookies, and measures are in place to reduce the risk of cross-site request forgery, SQL injection and cross-site scripting attacks.

User credentials stored in the database contain only salted and hashed passwords, never plaintext or reversibly encrypted passwords.

Each customer of SmartyGrants is assigned an 'isolation ID' which uniquely identifies their data, and segregates each record within the database. The system will not retrieve data if the isolation ID does not match. 
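The isolation-ID check described above, shown as an added example in Python against an in-memory SQLite table (not SmartyGrants code, whose schema is not published). The table and column names and the sample rows are constructed for illustration; every read and write carries the caller's isolation ID as a query condition, so a record belonging to another customer is simply not found even when its numeric ID is known, and the parameterised queries also illustrate the SQL injection mitigation mentioned in the Security section.

```python
"""Added example (not SmartyGrants code): tenant segregation by isolation ID on every query."""
import sqlite3
from typing import List, Optional


class TenantRepository:
    """Every query is scoped by the caller's isolation ID; other tenants' rows are never returned."""

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        # assumed schema: one shared table, each row tagged with the owning customer's isolation ID
        self.conn.execute(
            "CREATE TABLE application ("
            " id INTEGER PRIMARY KEY, isolation_id TEXT NOT NULL, title TEXT NOT NULL)"
        )
        # constructed sample data: two customers sharing the same table
        self.conn.executemany(
            "INSERT INTO application (id, isolation_id, title) VALUES (?, ?, ?)",
            [
                (1, "cust-A", "Community garden grant"),
                (2, "cust-A", "Youth sports equipment"),
                (3, "cust-B", "Library refurbishment"),
            ],
        )

    def get_application(self, isolation_id: str, app_id: int) -> Optional[dict]:
        """Fetch one record; both the record ID and the caller's isolation ID must match."""
        row = self.conn.execute(
            "SELECT id, title FROM application WHERE id = ? AND isolation_id = ?",
            (app_id, isolation_id),   # parameterised: user input never spliced into SQL text
        ).fetchone()
        return None if row is None else {"id": row[0], "title": row[1]}

    def list_applications(self, isolation_id: str) -> List[dict]:
        """List only the caller's own records."""
        rows = self.conn.execute(
            "SELECT id, title FROM application WHERE isolation_id = ? ORDER BY id",
            (isolation_id,),
        ).fetchall()
        return [{"id": r[0], "title": r[1]} for r in rows]

    def update_title(self, isolation_id: str, app_id: int, title: str) -> bool:
        """Writes are scoped too: returns False when the row belongs to another tenant."""
        cur = self.conn.execute(
            "UPDATE application SET title = ? WHERE id = ? AND isolation_id = ?",
            (title, app_id, isolation_id),
        )
        self.conn.commit()
        return cur.rowcount == 1

    def unscoped_lookup(self, app_id: int) -> Optional[dict]:
        """The anti-pattern, kept only to contrast: a lookup by record ID alone leaks across tenants."""
        row = self.conn.execute(
            "SELECT id, title FROM application WHERE id = ?", (app_id,)
        ).fetchone()
        return None if row is None else {"id": row[0], "title": row[1]}


if __name__ == "__main__":
    repo = TenantRepository()
    print(repo.get_application("cust-A", 1))   # found
    print(repo.get_application("cust-B", 1))   # None: wrong isolation ID
    print(repo.unscoped_lookup(1))             # found regardless of caller: the pattern to avoid
```

The practical point is that the isolation ID is applied in the data-access layer on every statement, not checked once at login, so a handler that forgets an authorisation check still cannot read or modify another customer's rows.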

All servers and the primary database utilise file-system encryption. Files stored on AWS S3 are encrypted using AES-256, and each SmartyGrants customer has a unique encryption key.

All network access to SmartyGrants and between servers is encrypted using HTTPS (TLS 1.3 by default; TLS 1.2 is supported for older browsers).

SmartyGrants is built with reference to the OWASP Top 10. Penetration tests are conducted each calendar year by independent third parties. The latest Penetration Test Summary can be shared on request. We are happy to facilitate penetration testing by customers. Any serious vulnerability is swiftly resolved.

Customers and users of SmartyGrants can raise any security concerns or report vulnerabilities by contacting us.

For further information on SmartyGrants' Security Policy please see the Support and Maintenance Policy, available on request.

More Information

If you need more information about the technical aspects of SmartyGrants, including infrastructure and security, we have additional documentation we can provide. You may request reference documentation by contacting us.

Document                         Details
System Security Plan             Available on request
Business Continuity Plan         Available on request
Disaster Recovery Plan           Available on request
Incident Response Plan           Available on request
Support and Maintenance Policy   Available on request
Privacy Policy                   Privacy Policy
Third Party Service Providers    Third Party Service Providers