Last updated: 13 June 2026 Operated by: NOTION TECH PTY LTD (ACN 698 318 124) · info@auditcore.com.au

Security is fundamental to AuditCore because we handle health and sensitive information about people with disability. This page explains, honestly and specifically, how we protect your data. We describe our current practices and where we are still maturing — we do not overstate our position.

1. Data hosting and residency

  • Your **primary data is hosted onshore in Australia (Sydney)** on managed, enterprise-grade PostgreSQL infrastructure.
  • Data centres provide physical security, redundancy and environmental controls managed by the hosting provider.
  • Certain features use overseas sub-processors (e.g. AI generation, payments, email) as disclosed in our **Privacy Policy** and **Data Processing Addendum**.

2. Encryption

  • **In transit:** all connections are encrypted using **TLS** (HTTPS) with modern cipher suites.
  • **At rest:** the database and backups are encrypted at rest, and designated sensitive fields (such as participant identifiers) are additionally **encrypted at the application layer using AES-256**.
  • Passwords are never stored in plain text — they are **hashed with bcrypt**.

3. Access controls

  • **Role-based access control** — users only see what their role permits, scoped to their own organisation.
  • **Multi-tenant isolation** — each organisation's data is logically segregated; queries are scoped to the authenticated organisation.
  • **Authenticated APIs** — protected endpoints require a valid signed session token (JWT); sessions expire and can be revoked.
  • **Rate limiting** on authentication and sensitive endpoints to resist brute-force and abuse.
  • Multi-factor authentication (MFA) for administrative access is on our near-term roadmap.

4. Monitoring and audit logging

  • We maintain **audit logs** of key actions and administrative access.
  • Any support access to a customer account (including staff "support session" access) is **recorded and time-bounded**, and is disclosed in our Privacy Policy.

5. Data breach response

We maintain a documented Data Breach Response Plan aligned with the Notifiable Data Breaches (NDB) scheme:

  • **Contain** immediately;
  • **Assess** the breach and risk of serious harm;
  • **Notify** the OAIC, affected individuals and affected customers **as soon as practicable** where an eligible data breach occurs; and
  • **Review** and remediate.

We aim to notify affected customers within 48 hours of confirming a breach that affects their data.

6. Backups and recovery

We take regular automated backups for disaster recovery, stored securely. Customers can also export their own data at any time (JSON, and Excel/Word/PDF per feature) and are responsible for keeping their own copies.

7. People and processes

  • Staff and contractors with access to systems are bound by **confidentiality obligations**.
  • Access to production data is limited to personnel who need it to operate and support the Service.
  • We follow secure development practices and review changes before release.
  • Background checks and formal security-awareness training for personnel are being formalised as we grow.

8. Standards and certifications

We are an early-stage Australian company and are working towards formal certification (ISO/IEC 27001). We do not currently hold ISO 27001, SOC 2 or IRAP certification, and we will not claim certifications we do not hold. We are happy to share further detail on our controls with customers on request to support their own due diligence.

9. Your role in security

Security is shared. Please: use strong, unique passwords; keep credentials confidential; manage your users' access; and export your data regularly. Report any suspected security issue to info@auditcore.com.au.

10. Contact

Security & privacy — NOTION TECH PTY LTD (operating AuditCore) — info@auditcore.com.au.

Ready to stay audit-ready?

Join Australian NDIS providers using AuditCore to manage compliance and pass every audit.

Book a Free Demo