Security Statement
Intro
At illuminance Solutions, we are committed to protecting the confidentiality, integrity, and availability of client data across all our products, including AvantCare. Our security practices are guided by our ISO/IEC 27001-certified Information Security Management System (ISMS) and industry best practices.
Secure Hosting & Data Protection
Client-Managed Microsoft 365 & Azure Environments – Each AvantCare solution is deployed into the client’s own Microsoft 365 (O365) and associated Azure environment, ensuring the client retains full administrative control over their system and its security settings.
Microsoft Power Platform & Azure Data Centres – All data is stored and processed in Australian-based Azure regions, or in another region selected by the client, benefitting from enterprise-grade physical security, redundancy, and compliance with ISO 27001, ISO 27018, and SOC 2 standards.
Encryption – All data in transit is protected using TLS 1.2 or higher, and all data at rest is encrypted using strong encryption algorithms.
illuminance has no persistent access to client production environments unless explicitly authorised for support purposes, and any such access is time-bound, logged, and auditable.
Special Processing Requirements – In specific cases where advanced capabilities such as AI-based optimisation are required and are not natively available in Microsoft Azure Australia, data may be processed outside the Azure environment. In such cases, data is de-identified before processing, and additional security protocols are applied to maintain confidentiality, integrity, and compliance with applicable regulations.
Client Control Over Security Configurations
Our clients have full control over all security configurations within their Microsoft 365 and Power Platform environment. Key aspects include:
Management of Security Roles and Permissions
Administrators control the creation and assignment of security roles, access levels, and user permissions in Dynamics 365 and Power Platform.
illuminance operates only within the access levels granted by the client and cannot modify security settings without explicit approval.
Conditional Access and Identity Management
Azure Active Directory, managed by the client, enforces Multi-Factor Authentication (MFA), conditional access policies, and sign-in restrictions.
Clients can modify these controls at any time to align with internal security policies.
User Access Management
Access to systems and data is granted based on the principles of least privilege and need-to-know.
Multi-factor authentication (MFA) is strongly recommended and supported for all privileged accounts and administrative functions within the client’s O365 environment.
Privileged Identity Management (PIM) is recommended for all administrative accounts to ensure elevated privileges are granted only when needed and for the shortest possible duration.
User accounts are created, modified, and deactivated following documented access provisioning and de-provisioning procedures.
Information Handling
Information is classified according to its sensitivity and handled in accordance with established information classification practices.
Sensitive and confidential data is stored only in approved, secure systems within the client’s own O365/Azure environment that meet encryption and access control requirements.
Data sharing is restricted to authorised personnel and secure channels.
Client data remains under the client’s ownership and control at all times, and will only be used for agreed purposes or as required by law.
Incident Management & Monitoring
Security events under illuminance’s control are managed under our Incident Response Plan, which includes detection, containment, eradication, and recovery measures.
Continuous monitoring is applied to environments we manage, and we recommend clients implement equivalent monitoring in their O365/Azure environment.
Any security incidents requiring illuminance assistance in a client-managed environment are addressed in collaboration with the client’s security team.
Risk Management & Compliance
Solutions comply with ISO/IEC 27001:2013 for information security management.
Security controls include role-based access, conditional access policies, MFA, encryption, and secure integration via Azure Key Vault.
Compliance with Australian Privacy Act 1988, ORIC requirements, and relevant data residency laws.
Full audit capabilities support internal and external compliance audits.
Backup, Recovery & Business Continuity
Microsoft Power Platform automatically performs environment backups every 12 hours, retained for 28 days, with on-demand backup and restore options.
Application components hosted in Azure are protected with Azure Recovery Services and geo-redundant storage (GRS).
Disaster recovery procedures enable restoration of services with minimal downtime, supported by Infrastructure-as-Code for rapid redeployment.
Audit logs of all backups and restore activities are maintained.
Business Continuity Considerations
High Availability – Azure’s geo-redundant infrastructure ensures services remain operational even in the event of a data centre failure.
Disaster Recovery Readiness – Infrastructure-as-Code templates enable the rapid redeployment of custom components to alternate regions as needed.
Operational Continuity – Clients retain full administrative control over access and can apply their own business continuity procedures without relying on third-party infrastructure.
Support & Incident Response – illuminance maintains structured protocols to assist clients in responding to incidents, initiating recovery, and ensuring service continuity.
Privacy Commitment
We comply with the Australian Privacy Principles under the Privacy Act 1988, ensuring personal information is collected, stored, and used lawfully and transparently.
Client data remains the property of the client and will only be accessed or disclosed with proper authorisation or as required by law.
Security & Governance Responsibility Matrix
| Topic |
Client Responsibility |
illuminance Responsibility |
Microsoft Responsibility |
|---|---|---|---|
| Hosting & Data Sovereignty |
Owns and manages their Microsoft 365 & Azure tenancy; selects hosting region (Australia or client choice). |
Deploy solution into client’s environment according to agreed architecture. |
Provide secure, compliant infrastructure in selected Azure region. |
| Data Sovereignty & Ownership |
Full data ownership and control; enforce internal governance policies. |
Access only when authorised by client; operate under agreed security levels. |
Provide contractual data residency assurances (ISO, SOC, IRAP, GDPR). |
| Security Roles & Permissions |
Create and manage roles, access levels, and permissions in Dynamics 365 & Power Platform. |
Configure roles per client’s requirements when authorised. |
N/A |
| Conditional Access & Identity Management |
Configure MFA, conditional access, and sign-in policies in Azure AD. |
Provide guidance on secure configurations if requested. |
Provide Azure AD service, MFA capability, and enforcement tools. |
| Privileged Identity Management (PIM) |
Enable and manage PIM for administrative accounts. |
Recommend and support PIM setup where needed. |
Provide PIM service within Azure AD. |
| Separation of Duties |
Define role segregation for administrators and power users. |
Configure system access aligned to role segregation policy. |
N/A |
| Audit Logging & Retention |
Review logs, manage retention (min. 7 years), perform audits. |
Ensure system configurations enable audit logging. |
Provide logging capability in Power Platform, Azure, and Dynamics 365. |
| Beneficiary Authentication |
Approve identity providers in Azure AD B2C; manage user lifecycle. |
Configure secure service account/API architecture for mobile app access. |
Provide Azure AD B2C service and token-based authentication. |
| Risk Management & Compliance |
Conduct internal risk assessments and audits; approve patching schedules. |
Maintain ISO 27001 compliance; perform solution risk assessment. |
Maintain Microsoft compliance certifications (ISO, SOC, IRAP, GDPR). |
| Vulnerability & Patch Management |
Approve and schedule updates in client tenancy. |
Test and recommend patches for solution components. |
Apply security patches to underlying cloud infrastructure. |
| Incident Management |
Initiate and control incident response in client environment. |
Support incident investigation and recovery for solution components. |
Provide platform-level incident response and communication (SLA-based). |
| Monitoring & Alerts |
Configure alerts and monitoring in Azure & Power Platform Admin Centre. |
Assist in setting up monitoring for solution components when required. |
Provide monitoring capabilities and logs in Microsoft cloud services. |
| Backup & Recovery |
Request restores; define RTO/RPO policies; manage long-term backups if needed. |
Assist with backup/restore processes for solution components. |
Perform automated 12-hour backups, 28-day retention, geo-redundant storage. |
| Business Continuity |
Maintain continuity plans; perform continuity tests in client environment. |
Support recovery, redeployment (Infrastructure-as-Code), and incident coordination. |
Ensure high availability (99.9% uptime) and geo-redundant infrastructure. |
| Integration Security |
Approve integration partners and systems. |
Secure integration points; manage API keys in Azure Key Vault. |
Provide API security and encryption services at platform level. |
| Usability & Accessibility |
Approve language/localisation requirements; ensure cultural appropriateness. |
Implement WCAG 2.1 Level AA accessibility in solution design. |
Provide accessible platform capabilities in Power Apps/Dynamics. |
| Service Levels & Support |
Escalate and manage support tickets with Microsoft if tenancy-owned. |
Provide application-level support per illuminance SLA. |
Maintain Microsoft SLA for cloud services (Power Platform, Azure). |