Data security using Ozedi services
The data sent to Ozedi is secured at all times using various encryption and secure transport options.
STP submission to ATO
- Data is prepared by the payroll system in the prescribed ATO bulk file format – currently this file is not signed or encrypted because the ATO does not accept encrypted/signed payloads (only signed AS4 messages)
- When the ATO does accept end to end encryption, at that stage the STP data file will be compressed, encrypted using the ATO’s public key and signed using the employer’s AUSkey private key at the client data site
- Data is transported to Ozedi via REST API which uses transport protocol TLS 1.2 - data is protected by SSL and secure in transit
- Data received at Ozedi via API is written directly off the wire into an encrypted database. The encrypted database is further secured by residing on an encrypted filesystem and being strongly protected by database and operating system privileges.
- The payload data is streamed from the encrypted database directly to the application that builds and sends the AS4 message. This streaming avoids the use of temporary files and means that the only time the data is at rest is in the encrypted database.
- The AS4 message is signed using Ozedi’s AUSkey and submitted to the ATO using Ozedi’s AUSkey using ebMS3.0 AS4 messaging protocols – this provides security in transit.
- When the ATO accepts an encrypted payload, after accepting the AS4 message, they will check signing of the payload for tampering using the employer’s AUSkey public key, then decrypt the payload using the ATO’s private key.
Retrieve STP response from ATO
- Ozedi polls the ATO for the STP response and, when received, it writes it to the encrypted database and deletes the payload submission. This completes the cycle. Responses are maintained in the encrypted database for pickup via API or email distribution depending on method selected. NB ATO responses contain no employer or employee data (only error codes, description and DocumentID reference).
Ozedi is about to undertake its annual ISO 27001 audit and certification and Ozedi is also, in partnership with its data centre provider, having all the Ozedi infrastructure iRAP certified.