Your data and our systems are protected and resilient by design

FAQ Bot is built and managed by Theta. Theta is a trusted New Zealand based IT consultancy and product development company with strong governance in everything we do. Our dedicated cyber security team works with the FAQ Bot product team to ensure the best protections are in place for security and data privacy.

ISO 27001 security standard compliance

A close-up of a sealDescription automatically generated

Theta is certified as compliant with ISO 27001, the gold standard in information security management. This extends to all our products, including FAQ Bot too.

Robust data centre security

The FAQ Bot application is a SaaS web application hosted in Microsoft Azure data centres in Australia. This means that it inherits all the security controls available in Microsoft Azure, such as physical security of the data, disaster recovery and encryption. We use the Azure security best-practice controls and continuously monitor the application for confidentiality, integrity, and availability. All FAQ Bot Azure private resources comply with Azure’s built-in audit for ISO:27001:2013 security controls.  

Multiple layers to protect your data

All FAQ Bot data is encrypted in transit and at rest.  The web facing components of FAQ Bot are further protected by the Cloudflare Web Application Firewall. Cloudflare’s CDN and WAF help shield us from DDoS attacks as well as preventing a range of common exploits.

FAQ Bot accounts can optionally make use of Microsoft Office 365 logins. This enables multi-factor authentication via Microsoft’s login controls if enabled (recommended). 

Secure development and scanning

Our Secure Development methodology ensures we build, test and maintain secure products. This means that FAQ Bot is regularly tested to ensure it is free from common vulnerabilities, including those described in the OWASP Top 10.   

All code is scanned at the time of compilation and 3rd party libraries checked to ensure no known security issues are introduced.  Regular, automated scans with a PCI-accredited security scanning solution provide external assessments of the solution on a regular cadence, alerting in the case any problems arise.  

External automated attack surface monitoring scans are run weekly using Glasstrail to look for any new issues.  In addition to automated scans, we have completed multiple, independent penetration tests on the product including the website and mobile apps.

Enterprise-grade privacy controls

FAQ Bot has strong built-in controls that help you manage the privacy of data you collect. This includes: 

·      Data retention – we provide full control over data retention. Customers can choose specific retention policies to align with their needs – e.g. you can specify a 30-day retention for chatbot interactions and a 90-day retention for live chat.

·      Block list words/terms – you can add certain words to a block list so that if a member of the public uses them in communications with you, your staff are not exposed to that word/term.

·      Control over what is collected - we give customers control over what data that is collected, so only the necessary amount of data is collected.

·      Admin access – fine grained security roles in the platform let you grant access to people for specific roles. We support Microsoft O365 logins for FAQ Bot accounts which means easier onboarding and offboarding when people leave your organization. 

Our policies

The FAQ Bot Privacy Policy and Terms and Conditions  outline our security and data privacy settings and obligations.  

Need a PDF copy of our security standards? You can request it here.

Terms & conditions