Security

Last updated: January 2025

Security-First Design

Conversr handles sensitive supporter data on behalf of charities. We take security seriously, implementing industry-leading practices, regular audits, and continuous monitoring to protect against threats. This page outlines our security measures and commitments.

1. Security Certifications & Compliance

ISO 27001

Information security management system certified to international standards

SOC 2 Type II

Annual third-party audits of security, availability, and confidentiality controls

Australian Privacy Principles

Full compliance with APP 11 security safeguards for personal information

OWASP Top 10

Regular testing and mitigation of common web application vulnerabilities

Compliance reports and certifications available to clients under NDA upon request.

2. Data Encryption

Encryption in Transit

  • TLS 1.3: All data transmitted over the internet encrypted with latest TLS protocol
  • Perfect Forward Secrecy: Ephemeral session keys ensure past communications remain secure even if long-term keys are later compromised
  • Certificate Pinning: Mobile apps verify server certificates to prevent man-in-the-middle attacks
  • HSTS & HTTPS Enforcement: Browsers forced to use secure connections only

Encryption at Rest

  • AES-256: Industry-standard encryption for all data stored in databases
  • Encrypted Volumes: Database storage volumes encrypted at the infrastructure level
  • Encrypted Backups: All backup files encrypted before storage
  • Key Management: Encryption keys stored in AWS KMS or Azure Key Vault with strict access controls
  • Key Rotation: Encryption keys rotated quarterly; revoked keys immediately invalidated

Field-Level Encryption

Highly sensitive fields (e.g., supporter phone numbers, email addresses) encrypted at the application layer with separate keys from database encryption, providing defense-in-depth protection.

3. Access Controls

Authentication

  • Multi-Factor Authentication (MFA): Required for all staff and client admin accounts
  • Strong Password Policy: Minimum 12 characters, complexity requirements, no reuse of last 10 passwords
  • Single Sign-On (SSO): Available for enterprise clients via SAML 2.0
  • Session Management: Automatic logout after 30 minutes of inactivity; sessions invalidated on logout
  • Password Hashing: Bcrypt with high cost factor; plaintext passwords never stored

Authorization

  • Role-Based Access Control (RBAC): Granular permissions based on job function
  • Principle of Least Privilege: Users granted minimum access required for their role
  • Data Segregation: Client data isolated; no cross-client access possible
  • API Authentication: OAuth 2.0 with short-lived tokens and refresh token rotation
  • IP Whitelisting: Available for clients requiring restricted network access

Staff Access

  • Background checks and confidentiality agreements for all employees
  • Security training required annually for all staff
  • Production data access logged and monitored; reviewed quarterly
  • Just-in-time access provisioning for sensitive operations
  • Immediate access revocation upon employee departure

4. Infrastructure Security

Network Security

  • Firewalls & Security Groups: Network segmentation with strict ingress/egress rules
  • DDoS Protection: AWS Shield / Azure DDoS Protection Standard
  • Intrusion Detection: Real-time monitoring for suspicious network activity
  • VPC Isolation: Private subnets for databases; public-facing services in DMZ
  • VPN Access: Encrypted VPN required for administrative access

Application Security

  • Secure Development Lifecycle: Security reviews at every phase of development
  • Code Reviews: All code peer-reviewed before deployment
  • Static Analysis: Automated scanning for security vulnerabilities in codebase
  • Dependency Scanning: Third-party libraries monitored for known vulnerabilities; patched immediately
  • Web Application Firewall (WAF): Protection against injection attacks, XSS, CSRF, and other OWASP threats
  • Rate Limiting: API throttling to prevent abuse and DoS attacks

Infrastructure Hardening

  • Operating systems patched within 7 days of critical security updates
  • Immutable infrastructure; servers replaced rather than patched in place
  • Container security scanning before deployment
  • Regular penetration testing by third-party security firms (annual minimum)

5. Monitoring & Logging

Security Monitoring

  • 24/7 Monitoring: Automated alerts for security events; security team on-call
  • SIEM Integration: Centralized logging and correlation for security event analysis
  • Anomaly Detection: Machine learning models flag unusual access patterns
  • Uptime Monitoring: Real-time availability tracking; alerts for service degradation

Audit Logs

  • All access to supporter data logged with timestamp, user, IP, and action
  • Logs retained for 12 months; archived for 7 years
  • Tamper-evident logging; audit trail is append-only and cannot be modified or deleted by application users
  • Client access to their own audit logs available on request

6. Incident Response

Incident Response Plan

Conversr maintains a comprehensive incident response plan tested quarterly through tabletop exercises and updated based on lessons learned.

Response Phases

  • Detection: Automated alerts trigger incident response team activation
  • Containment: Immediate steps to isolate affected systems and prevent spread
  • Investigation: Forensic analysis to determine scope, cause, and impact
  • Eradication: Remove threat; patch vulnerabilities that enabled incident
  • Recovery: Restore systems from clean backups; validate integrity
  • Post-Incident: Root cause analysis; implement preventive measures

Communication

  • Clients notified within 24 hours of confirmed security incident
  • Status page updated with incident details and remediation progress
  • Post-incident report provided within 7 days, including timeline, impact, and corrective actions
  • OAIC notification for eligible data breaches as required by law (see Data Sovereignty)

7. Business Continuity & Disaster Recovery

Backup Strategy

  • Automated Backups: Database backups every 6 hours
  • Geo-Redundant Storage: Backups replicated to secondary Australian region
  • Point-in-Time Recovery: Restore to any point within last 30 days
  • Backup Testing: Restore drills performed quarterly to validate recoverability
  • Encryption: All backups encrypted at rest

High Availability

  • Multi-AZ Deployment: Services run across multiple availability zones
  • Load Balancing: Traffic distributed across redundant servers
  • Auto-Scaling: Capacity automatically adjusted based on demand
  • Database Replication: Real-time replication to standby database
  • Target RTO (Recovery Time Objective): 4 hours
  • Target RPO (Recovery Point Objective): 1 hour

8. Vendor Security

All third-party vendors and sub-processors undergo security assessment before engagement:

  • Security questionnaires and compliance certification review
  • Data Processing Agreements with security obligations
  • Annual vendor security re-assessment
  • Immediate notification of vendor security incidents

9. Data Sanitization

Development & Testing

Production data is never used in development or testing environments:

  • Synthetic test data generated for non-production environments
  • Any production data exported for debugging is anonymized and stripped of PII
  • Development environments isolated from production networks

Data Deletion

  • Secure Deletion: Data overwritten using DoD 5220.22-M standard before storage decommissioning
  • Retention Compliance: Data deleted according to retention policy (see Privacy Policy)
  • Certificate of Destruction: Provided upon request for data deletion

10. Security Testing

  • Penetration Testing: Annual third-party pentests; remediation within 30 days
  • Vulnerability Scanning: Weekly automated scans; critical issues patched within 72 hours
  • Bug Bounty Program: Responsible disclosure program for security researchers (coming soon)
  • Internal Security Audits: Quarterly reviews of access controls, configurations, and compliance

11. Reporting Security Issues

Responsible Disclosure

If you discover a security vulnerability in Conversr's services, please report it responsibly:

Email: security@conversr.com

PGP Key: Available upon request for encrypted communication

We commit to acknowledging reports within 24 hours, providing updates every 72 hours, and crediting researchers (if desired) once issues are resolved.

12. Client Security Responsibilities

Security is a shared responsibility. Clients are responsible for:

  • Maintaining strong passwords and MFA for user accounts
  • Restricting account access to authorized personnel only
  • Promptly reporting suspected security incidents
  • Securing API keys and credentials (never commit to version control)
  • Ensuring supporter consent and data quality before upload
  • Training staff on phishing awareness and security best practices

13. Questions & Audits

For security questions, audit requests, or to discuss custom security requirements:

Email: security@conversr.com

Phone: 1300 012 014

Post: Suite 2, Level 10, 60 Carrington Street, Sydney NSW 2000, Australia
