Service level agreements
This section summarizes the key non-functional requirements that are deemed architecturally significant. They correspond to the Service Agreement Service Metrics and should explain how each of the metrics is to be met by the architectural elements of the solution.
Recovery Time Objective
Recovery Point Objective
Performance & Scalability
We perform load tests using Apache JMeter across our products on a weekly basis. These simulate large amounts of application traffic. The output from these tests is automatically compared to baseline and deviations reported for review.
A range of tools are used to monitor application performance at different levels:
Real User Monitoring
We collect telemetry from end-users on the experience they have on the site using New Relic. This allows us to identify any client-side errors and experience drops.
We collect a variety of metrics on application response time, database performance and execution times, as well as other application-specific metrics.
The infrastructure health is also monitored in conjunction with the above, and disk space, memory utilisation, CPU usage etc. are all tracked.
Alerts are set up against relevant metrics and issued to on-call members of the team.
Clients will benefit from Reward Gateway’s continuous development roadmap, which reflects market trends, evolution in user experience, employee feedback, and our clients’ needs.
We follow agile methodologies with a two-week sprint schedule and continuous releases. We openly share a 90-day roadmap that is feature specific and has set timelines.
Maintenance and upgrades to the programme (including routine improvements) are conducted on a zero-downtime basis weekly on Wednesday, between 15:30 and 16:30 AEST, by Reward Gateway’s Operations team.
All upgrades to the programme are tested by Reward Gateway’s internal QA team and deployed in a blue-green manner. This allows rapid rollback in the event of an issue being detected, and is backed by a more formal rollback plan.
We support the latest version of Google Chrome, which should update automatically when a new version becomes available. If you don't think you’ve got the latest version, you can update Chrome at any time.
Firefox, Safari, and Microsoft
We support the current and the previous release of Firefox®, Safari®, and Microsoft Edge™.
Screen reader/voice browser users
Our navigation mechanisms are accessible by screen readers and voice browsers. Text equivalents of all images have been provided and the relevant page and table header tags inserted.
Partially Sighted Users - Changing The Font Size
We use a readable font size on all pages and allow it to be changed.
We have checked the text and background colour contrast for the different colour blindness conditions. We never reference or distinguish items by colour alone.
We do not use any audio on the website itself. Videos uploaded to the website do contain audio content, and we always suggest uploading videos with transcripts or subtitles.
Users with physical or motor disabilities
We make sure our website has big clickable areas and that it is easily accessible for keyboard-only users.
Users with dyslexia
We use supporting images and diagrams and keep content clear, simple and with a consistent layout. We have 45 to 75 characters per line and ensure optimal line height to improve the reading experience for all people and especially for those with dyslexia.
User generated content
We provide a guide for contributors on how to create accessible content but we cannot ensure the quality of contributions.
Some services require users to access external websites. These are controlled by third parties, so differing standards of accessibility may apply to these sites.
All reporting that will be provided to Clients from Reward Gateway's SmartInsights™ Analytics Engine will be clear and easy-to-digest.
Reports can be downloaded as PDFs, which will be visually appealing, with bright, colourful graphs providing the information that your team needs.
Alternatively, reports can be downloaded in Microsoft Excel or Comma-Separated Value file formats, giving more data-based information, which will appeal to team members who want hard data.
All reports can be filtered and customised to display results by ‘choice’ fields passed in the HRIS extract.
Reward Gateway adheres to the highest levels of Information Security and Privacy standards to safeguard its users.
- We maintain ISO 27001 compliance and have been compliant since 2009. Our certificate number is IS544153.
- We comply with PCI DSS and are a Level 2 SAQ A entity. Our Information Security Team has completed the Internal Security Assessor training.
- We are fully compliant with the Australian Privacy Act (APA).
- We are fully compliant with the European General Data Protection Regulation (GDPR) and Australian Privacy Principles.
We complete security penetration tests, using an independent external testing organisation, on at least a bi-annual basis (bi-annual as a minimum, and then ad-hoc for any significant changes). Every 6 months we review and determine the most appropriate scope for the testing, to ensure that we maintain full coverage.
As part of this security penetration test, the mobile application was tested on 26th October 2022 and a report was delivered to Reward Gateway. Our vulnerability management process ensures that after we receive a security penetration testing report, we review, assess and remediate vulnerabilities within a 30-day timeframe (earlier depending on vulnerability criticality). We then re-test any outstanding vulnerabilities and obtain a report that we can share with our clients.
We commission independent, qualified assessors to conduct a remote security review of our applications. The assessors use vulnerability testing software and manual techniques, both unauthenticated and authenticated with appropriate user credentials.
The testing methodology is based on best practice as described by the Open Web Application Security Project (OWASP). The OWASP organisation provides awareness about web application security and is widely recognised within commercial and government sectors. Their findings are categorised according to the Common Vulnerability Scoring System (CVSS) score.
Reward Gateway’s policy is to disclose two aspects of the annual penetration test results:
- We disclose the number and nature of any critical vulnerabilities found, along with the details and progress of what is being done to mitigate them.
- We disclose the number and nature of any high or medium vulnerabilities found that remain open 21 days after the penetration test.
For security reasons, further information on the penetration test results is not made available. Clients requiring more detailed information are able to arrange or conduct their own testing.
Client Sponsored Tests
In addition to our own tests, clients may arrange to conduct their own third-party penetration tests. We have regular assessments conducted by a variety of clients who use industry-leading consultants.
We are always happy to work with clients who would like to undertake their own testing or audit.
PCI DSS Compliance
As a business that takes credit and debit card payments online, we are subject to the Payment Card Industry Data Security Standard (PCI DSS). This standard, developed in collaboration with card providers such as Visa, MasterCard, and American Express, specifies what should and should not be done during a transaction.
All online transactions passing through Reward Gateway are securely processed by our payment service provider, Checkout.com, who are a Level 1 PCI DSS Service Provider and a principal member and a direct acquirer of all major card brands.
We implement a hosted payment page via a frame, which means we never see full cardholder data.
We complete a SAQ A annually and our Attestation of Compliance is in our Security Pack.
In this section, a client can view all audit records on their program.
The audit information held on Reward Gateway can be filtered based on certain events (login attempts, multi-factor attempts, etc.). It can also be narrowed down to specific date ranges and to a specific member.
Monitoring & Notifications
We have a 24/7 Employee and 24/5 Client Support Team in place to handle any immediate queries regarding this and on-call Operations & Engineering team members to resolve any Critical Incident within a target time of one hour.
Immediate action is required now and there is no workaround available.
Action is needed but can be scheduled, and a workaround may be available.
Action is needed when time allows, a workaround is available.
Affects a large group of members (100+) or involves suspicious activity
Affects a few members (<5-100)
Affects one member
We offer a contractual 99.5% uptime guarantee, monitored by New Relic and published on our status page, rg.co/status, which you can subscribe to.
If you have a dedicated Information Security team requiring notification, please inform your Client Success Manager who will add a dedicated contact to your account.