Security Policy
Effective Date: 18/02/2026
Last Updated: 18/02/2026
Version: 1.0
1. Introduction
1.1 Our Commitment
RTO MATE PTY LTD ("QUALTICKS", "we", "us", or "our") is committed to protecting the security of your data. As an Australian-owned company serving Registered Training Organisations (RTOs), we understand the importance of maintaining robust security measures.
1.2 Compliance
This policy supports our compliance with:
Australian Privacy Principle 11 (Security of personal information)
Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988)
Industry best practices for SaaS security
1.3 Scope
This policy applies to all systems, data, and services provided by QUALTICKS.
2. Australian Data Sovereignty
2.1 Data Location
All customer data is stored in Australian data centres, except for limited contact information shared with our CRM provider as disclosed in our Privacy Policy.
2.2 Hosting Infrastructure
Our Platform is hosted on Australian infrastructure with:
Data centres located in Sydney and Melbourne
ISO 27001 certified facilities
24/7 physical security monitoring
Redundant power and network connections
Fire suppression and climate control systems
2.3 No Offshore Data Processing
Your compliance data, documents, and operational information are never processed or stored outside Australia.
3. Encryption
3.1 Data at Rest
All data stored on our servers is encrypted using:
Standard: AES-256 encryption
Scope: Databases, file storage, backups
Key Management: Keys stored separately with hardware security module (HSM) protection
3.2 Data in Transit
All data transmitted between your browser and our servers is protected by:
Protocol: TLS 1.3 (minimum TLS 1.2)
Certificate: Extended Validation (EV) SSL certificate
Configuration: Strong cipher suites, perfect forward secrecy
HSTS: HTTP Strict Transport Security enforced
3.3 Database Encryption
Our PostgreSQL databases employ:
Transparent Data Encryption (TDE)
Column-level encryption for sensitive fields
Encrypted connections between application and database layers
4. Access Controls
4.1 Role-Based Access Control (RBAC)
Access to the Platform is controlled through role-based permissions:
Role | Access Level
Admin | Full access including user management
Editor | Content and data management
User | View and limited edit access
4.2 Principle of Least Privilege
We follow the principle of least privilege:
Users only receive permissions necessary for their role
Elevated access requires approval and is time-limited
Regular access reviews are conducted quarterly
4.3 Multi-Factor Authentication (MFA)
MFA is available for all user accounts
MFA is mandatory for administrative access
Supported methods: Authenticator apps, SMS (backup)
4.4 Session Management
Sessions expire after 24 hours of inactivity
Concurrent session limits enforced
Session tokens are cryptographically random
Secure cookie flags (HttpOnly, Secure, SameSite)
5. Authentication Security
5.1 Password Requirements
User passwords must meet the following criteria:
Minimum 8 characters
At least one uppercase letter
At least one lowercase letter
At least one number
At least one special character
5.2 Password Storage
Passwords are:
Never stored in plain text
Hashed using bcrypt with high work factor
Salted with unique per-user salts
5.3 Account Lockout
Account locks after 5 failed login attempts
Lockout duration: 15 minutes (auto-unlock) or manual unlock
Failed attempts are logged and monitored
5.4 Password Reset
Secure token-based password reset
Tokens expire after 1 hour
One-time use tokens only
Email notification of password changes
6. Application Security
6.1 Secure Development
Our development practices include:
Security-focused code reviews
Static application security testing (SAST)
Dynamic application security testing (DAST)
Dependency vulnerability scanning
Security training for developers
6.2 OWASP Top 10 Mitigation
We protect against common vulnerabilities:
Vulnerability | Mitigation
Injection | Parameterised queries, input validation
Broken Authentication | MFA, secure session management
Sensitive Data Exposure | Encryption, secure transmission
XML External Entities | Disabled XML external entity processing
Broken Access Control | RBAC, server-side validation
Security Misconfiguration | Hardened configurations, regular audits
Cross-Site Scripting | Output encoding, Content Security Policy
Insecure Deserialisation | Input validation, type checking
Vulnerable Components | Regular patching, dependency scanning
Insufficient Logging | Comprehensive audit logging
6.3 Input Validation
All user input is:
Validated on both client and server side
Sanitised before processing
Encoded before output
Limited in size to prevent DoS
7. Network Security
7.1 Infrastructure Protection
Web Application Firewall (WAF)
DDoS protection and mitigation
Network segmentation between tiers
Intrusion detection systems (IDS)
7.2 Traffic Monitoring
All network traffic is logged
Anomaly detection for unusual patterns
Real-time alerting for suspicious activity
Regular traffic analysis and review
7.3 VPN Access
Administrative access to production systems requires:
VPN connection with strong encryption
MFA authentication
IP whitelisting
Activity logging
8. Monitoring and Logging
8.1 Audit Logging
We maintain comprehensive audit logs including:
User authentication events (login, logout, failures)
Data access and modifications
Administrative actions
Security events
8.2 Log Retention
Log Type | Retention Period
Security events | 24 months
Access logs | 12 months
Application logs | 6 months
Error logs | 3 months
8.3 Log Protection
Logs are:
Stored separately from application data
Protected against tampering
Encrypted at rest
Backed up regularly
8.4 Real-Time Monitoring
24/7 automated monitoring
Security Information and Event Management (SIEM)
Immediate alerts for critical events
On-call incident response team
9. Vulnerability Management
9.1 Vulnerability Scanning
Weekly automated vulnerability scans
Immediate scanning after significant changes
Third-party scanning for independent assessment
9.2 Penetration Testing
Annual third-party penetration testing
Additional testing after major releases
Remediation tracking for findings
9.3 Patch Management
Priority | Timeframe
Critical | Within 24 hours
High | Within 7 days
Medium | Within 30 days
Low | Next scheduled maintenance
9.4 Responsible Disclosure
We welcome responsible disclosure of security vulnerabilities.
To report a vulnerability:
Email: support@qualticks.com.au
Include: Description, steps to reproduce, potential impact
We will acknowledge within 48 hours
We aim to remediate critical issues within 7 days
We will:
Not take legal action against good-faith researchers
Work with you to understand and resolve the issue
Credit you in any public disclosure (if desired)
9.5 Third-Party Data Synchronisation Security
Training.gov.au Data Sync:
Data is retrieved via secure API connections from Training.gov.au
Synchronisation occurs on a scheduled basis (typically daily)
Data is validated for format integrity before storage
We do not independently verify the accuracy of source data from Training.gov.au
Synchronisation errors are logged, monitored, and investigated
Data Integrity Limitations:
We rely on the accuracy and currency of source data from Training.gov.au
We do not modify or alter Training.gov.au source data
Data stored in QUALTICKS may not reflect real-time changes to Training.gov.au
Users should verify critical information directly with Training.gov.au
Sync Status:
Failed synchronisations trigger internal alerts for investigation
We do not guarantee successful synchronisation at any particular time
Synchronisation may be delayed or fail due to Training.gov.au availability
10. Incident Response
10.1 Incident Classification
Severity | Description | Response Time
Critical | Active breach, data exfiltration | Immediate
High | Potential breach, critical vulnerability | Within 1 hour
Medium | Security weakness, non-critical vulnerability | Within 4 hours
Low | Minor issue, informational | Within 24 hours
10.2 Response Procedures
Our incident response process:
Detection: Automated or manual identification
Containment: Immediate steps to limit impact
Eradication: Remove threat and close vulnerabilities
Recovery: Restore normal operations
Lessons Learned: Post-incident review and improvements
10.3 Communication
During an incident:
Affected customers notified as soon as practicable
Regular status updates provided
Post-incident report within 30 days
11. Data Breach Notification
11.1 Notifiable Data Breaches Scheme
We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).
11.2 Assessment Timeline
When we become aware of a potential breach:
Initial assessment: Within 24 hours
Full assessment: Within 30 days
OAIC notification: As soon as practicable after assessment
Individual notification: As soon as practicable after OAIC notification
11.3 Notification Content
Notifications will include:
Description of the data breach
Types of personal information involved
Recommendations for affected individuals
Contact details for further information
Steps we are taking to respond
11.4 Customer Notification
We will notify affected customers via:
Email to registered account addresses
In-app notification
Phone call for high-severity incidents
12. Backup and Recovery
12.1 Backup Schedule
Data Type | Frequency | Retention
Database | Continuous (point-in-time) | 30 days
Full snapshot | Daily | 30 days
Archives | Monthly | 12 months
12.2 Backup Security
All backups are:
Encrypted with AES-256
Stored in geographically separate locations (within Australia)
Tested regularly for integrity
Subject to the same access controls as production data
12.3 Recovery Objectives
Recovery Point Objective (RPO): 1 hour
Recovery Time Objective (RTO): 4 hours
12.4 Disaster Recovery Testing
Full disaster recovery testing conducted annually
Partial recovery tests conducted quarterly
Results documented and improvements implemented
13. Business Continuity
13.1 Availability Target
We target 99.9% uptime, measured monthly, excluding scheduled maintenance.
13.2 Redundancy
Multiple availability zones
Load balancing across servers
Automatic failover for critical components
Geographic redundancy within Australia
13.3 Maintenance Windows
Scheduled maintenance: Sundays 2:00-6:00 AM AEST
Advance notice: Minimum 72 hours
Emergency maintenance: Notification as soon as practicable
14. Vendor Security
14.1 Vendor Assessment
Before engaging third-party vendors, we assess:
Security certifications (SOC 2, ISO 27001)
Data protection practices
Incident response capabilities
Compliance with relevant regulations
14.2 Contractual Requirements
Vendor contracts include:
Data protection obligations
Security requirements
Breach notification obligations
Audit rights
14.3 Key Vendors
Vendor | Purpose | Security
Australian hosting provider | Infrastructure | ISO 27001, SOC 2
HubSpot | CRM | SOC 2, Data Privacy Framework
Payment processor | Payments | PCI DSS Level 1
15. Employee Security
15.1 Background Checks
All employees with access to customer data undergo:
Identity verification
Reference checks
Criminal background checks (where permitted by law)
15.2 Security Training
Security awareness training at onboarding
Annual refresher training
Phishing simulation exercises
Role-specific security training
15.3 Access Termination
When employment ends:
Access revoked immediately
Devices returned and wiped
Accounts disabled
Exit interview conducted
16. Compliance Roadmap
16.1 Current Compliance
Australian Privacy Principles
Notifiable Data Breaches scheme
Industry best practices
16.2 Future Certifications
We are working towards:
ISO 27001 certification
SOC 2 Type II attestation
IRAP assessment (for government customers)
17. Policy Review
This policy is reviewed:
Annually, at minimum
After significant security incidents
When regulations change
When systems significantly change
18. Contact
Security Team
RTO MATE PTY LTD
Security Inquiries: support@qualticks.com.au
Vulnerability Reports: support@qualticks.com.au
General Contact: PO BOX 101 Craigieburn VIC 3064