Security & Trust

Your Data is Our Responsibility

Australian-owned. Australian-hosted. Enterprise-grade protection for your project data.

Encryption Everywhere

TLS 1.3 in transit, AES-256 at rest. Protected at every layer.

Australian Data Sovereignty

All data stored in Australian AWS data centres. Fully compliant with local data protection laws.

Multi-Factor Authentication

2FA via SMS or authenticator app for an extra layer of account protection.

Access Controls

Role-based access so users only see what they need to.

Audit Logging

Full audit trail — who accessed what, when, and from where.

Regular Security Audits

Quarterly penetration testing and assessments by independent third parties.

Compliance & Certifications

  • ISO 27001 (In Progress): Information security management certification
  • SOC 2 Type II (Planned 2026): Security and availability controls
  • Australian Privacy Principles (Compliant): Compliant with APP under Privacy Act 1988

Our Security Practices

Infrastructure Security

  • Multi-region AWS with automatic failover
  • DDoS protection via AWS Shield
  • Web application firewall (WAF)
  • Regular security patches
  • Isolated network environments

Application Security

  • Code reviews before every deployment
  • Automated vulnerability scanning
  • SQL injection & XSS prevention
  • Rate limiting
  • Secure session management

Data Protection

  • Encryption keys managed via AWS KMS
  • Database encryption at rest and in transit
  • Daily backups with 30-day retention
  • Point-in-time recovery
  • Secure data disposal

Operational Security

  • Mandatory security training for all staff
  • Background checks for team members
  • Least-privilege access policies
  • Incident response procedures
  • 24/7 monitoring & alerting

100% Australian Data Hosting

All data stored in AWS Sydney region, ensuring:

  • Australian data sovereignty compliance
  • Protected under Privacy Act 1988
  • Low latency for Australian users
  • No offshore storage or processing

Security Incident Response

What Happens if There's a Security Incident?

Our incident response plan ensures rapid detection, containment, and resolution.

  1. Detection: 24/7 monitoring with immediate alerts
  2. Containment: Affected systems isolated within 1 hour
  3. Notification: Users notified within 72 hours
  4. Resolution: Fix, strengthen defences, post-mortem

Responsible Disclosure Program

Found a vulnerability? Report it responsibly and we commit to:

  • Response within 24 hours
  • Updates throughout the resolution process
  • Recognition of your contribution (with your permission)
  • No legal action for good-faith research

  1. Report the Issue: Email security@buildpaperless.com.au with details. We respond within 24 hours.
  2. Investigation: We assess and reproduce the issue within 48 hours.
  3. Resolution: Critical issues patched within 7 days, others based on severity.
  4. Disclosure: Coordinated disclosure after fix. Recognition for responsible reporting.

Security Resources

Privacy Policy

How we collect, use, and protect your data

Terms of Service

Your rights and responsibilities

Status Page

Real-time platform status and incidents

Questions About Security?

Our security team is here to help. Reach out anytime.