SightPicture Help

Security and Privacy

SightPicture is an online platform, so you might have questions about how it is secured and what happens to your data. The information here should help.

The platform stores two kinds of data: member (owned by clubs who use the SightPicture platform) and user (owned by the individuals who sign up for SightPicture). These can be linked but are kept separate. Information is processed and stored in Amazon Web Services (AWS).

Security

All access to the system requires a login with a verified email address that is protected by multi-factor authentication (MFA). There are various access levels within the system, and these are further restricted by the type of operation a given login is allowed to perform in a given scenario (these restrictions are called scopes).

For example, even if an Admin logs in to the tablet, the tokens that represent that login can only be used for the actions necessary to run a match.

Data is secured by encryption "in transit" (when moving around) and "at rest" (when stored online). Passwords are not stored directly; they cannot be recovered by anyone in the system and must be reset via the confirmed email address if forgotten.
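As an illustration of "passwords are not stored directly", the following added example (not SightPicture's own code) shows the usual pattern: the server keeps only a salted, slow key-derivation hash, so a stolen record does not yield the password and nobody operating the system can read it back, yet a login attempt can still be checked. The scrypt parameters and the `scrypt$salt$digest` storage format are assumptions for this demo.

```python
import hashlib
import hmac
import os

# Work-factor parameters (assumed for the demo; tune to the server's budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a storable record: the algorithm tag, the random salt and the derived key.
    The plaintext password is never written anywhere."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key from the supplied password and the stored salt and compare
    in constant time. There is no way to recover the password from `stored`."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample credential, not a real account.
    record = hash_password("correct horse battery staple")
    print(record)                      # the stored record reveals no password
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))                   # False
```

Because the record is one-way, a forgotten password can only be replaced, which is why a reset has to go through the confirmed email address rather than a "send me my password" feature.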

Why isn't SMS allowed for MFA?

SMS is inherently insecure, and phone numbers can be imitated or stolen. Authenticator (MFA) apps are a more secure alternative.

How is my club membership data secured?

Only admins can look up member details and full match details on the web platform. The tablet application sends member IDs to the servers when they are scanned but can't look them up. When an ID is found by the server, a matching name is sent to the tablet. No licence data is sent to the tablet.
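The two paragraphs above (a tablet login's tokens only being usable for match-running actions, and the tablet sending a member ID and getting back only a name) describe scope-limited tokens plus response minimisation. The example below is an added illustration of that pattern, not SightPicture's code: the token format, the scope names (`member:identify`, `member:read`, `match:run`), the secret and the member records are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo signing key; a real service would use a managed secret.
SECRET = b"constructed-demo-secret-not-a-real-key"

# Assumed scopes: a tablet session can identify members and run a match,
# a web admin session can additionally read full member and match records.
TABLET_SCOPES = {"match:run", "member:identify"}
WEB_ADMIN_SCOPES = TABLET_SCOPES | {"member:read", "match:read"}

# Constructed sample member data (placeholders, not real people).
MEMBERS = {
    "M1001": {"name": "A. Example", "email": "a@example.invalid",
              "licence": "LICENCE-PLACEHOLDER", "access_level": "member"},
}


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def issue_token(user: str, client: str) -> bytes:
    """Mint a signed token whose scopes depend on WHERE the user logged in,
    not only on who they are: an admin on the tablet gets tablet scopes."""
    scopes = TABLET_SCOPES if client == "tablet" else WEB_ADMIN_SCOPES
    payload = {"sub": user, "scopes": sorted(scopes), "exp": int(time.time()) + 3600}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return body + b"." + _b64(sig)


def verify_token(token: bytes):
    """Return the payload if the signature and expiry check out, else None."""
    try:
        body, sig = token.rsplit(b".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET, body, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    if payload["exp"] < time.time():
        return None
    return payload


def require_scope(payload, scope: str) -> None:
    if payload is None or scope not in payload["scopes"]:
        raise PermissionError(f"scope {scope!r} required")


def identify_member(token: bytes, member_id: str):
    """Tablet path: the scanned ID goes to the server; only the name comes back.
    Licence and contact details are deliberately not included in the response."""
    require_scope(verify_token(token), "member:identify")
    rec = MEMBERS.get(member_id)
    return {"member_id": member_id, "name": rec["name"]} if rec else None


def member_details(token: bytes, member_id: str):
    """Web admin path: full record, gated on the broader member:read scope."""
    require_scope(verify_token(token), "member:read")
    return dict(MEMBERS[member_id])


if __name__ == "__main__":
    tablet = issue_token("admin@example.invalid", "tablet")
    web = issue_token("admin@example.invalid", "web")
    print(identify_member(tablet, "M1001"))   # {'member_id': 'M1001', 'name': 'A. Example'}
    print(member_details(web, "M1001"))       # full record, including licence
    try:
        member_details(tablet, "M1001")       # same admin, tablet token: refused
    except PermissionError as e:
        print("refused:", e)
```

The point of binding scopes to the client at issue time is that a lost or copied tablet token is only ever good for tablet actions, whatever the role of the person who signed in on it.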

What security measures are in place?

Multiple security configuration and monitoring services work to help keep SightPicture secure.

Privacy

The platform provides a number of advantages over writing out your details on a paper form for everyone else to take a photo of. All data is kept and processed within Australia.

What is user data?

User data includes username, password, name, email address, firearms owned by a user and match grades. User data is owned by the user and can be removed at the user's request.

How is my user data kept private?

The only user data sent to the tablet app is a subset of the firearm data you choose to store in the platform. The PRN and serial number are never sent to the tablet; only the name and calibre are. The rest is matched and stored online.

What is club data?

Club data includes member info (member ID, email address on record, name, firearm licence number and access level) and match history (match date/time/range, firearm PRN/class/calibre shot in a match, match competition/practice status and match scores). The club owns club data and can alter and remove it as necessary. While some club data may pertain to a user (e.g. firearm licence number, PRNs shot in a match), the club is required to keep this data for compliance reasons and users cannot request that it be removed.

How is club data kept private?

Club data is only provided to people when needed. For example, admins may access full reports of match attendance, but members will only be provided a subset of the info (they will not see PRNs and licences). Each club can only see its own data. SightPicture has no direct access into clubs' internal systems.

What happens if a club stops using the platform?

A club can get all of its data prior to ending its use of the platform. Once it has decided to cease using the platform, the club's data is deleted. It is then a club's responsibility to ensure it is keeping the necessary records in some other fashion.

Who gets access to the data?

AWS stores encrypted data and provides the processing capability to run the SightPicture platform. AWS has its own Data Privacy documentation. Clubs may produce reports from SightPicture data for the purposes of reporting compliance to the relevant authorities, as required by law. No other party has access to the data and SightPicture does not sell data to anyone.

Last modified: 23 January 2024