Security Policy

Effective Date: 18/02/2026 Last Updated: 18/02/2026 Version: 1.0

1. Introduction

1.1 Our Commitment

RTO MATE PTY LTD ("QUALTICKS", "we", "us", or "our") is committed to protecting the security of your data. As an Australian-owned company serving Registered Training Organisations (RTOs), we understand the importance of maintaining robust security measures.

1.2 Compliance

This policy supports our compliance with:

Australian Privacy Principle 11 (Security of personal information)
Notifiable Data Breaches scheme (Part IIIC Privacy Act 1988)
Industry best practices for SaaS security

1.3 Scope

This policy applies to all systems, data, and services provided by QUALTICKS.

2. Australian Data Sovereignty

2.1 Data Location

All customer data is stored in Australian data centres, except for limited contact information shared with our CRM provider as disclosed in our Privacy Policy.

2.2 Hosting Infrastructure

Our Platform is hosted on Australian infrastructure with:

Data centres located in Sydney and Melbourne
ISO 27001 certified facilities
24/7 physical security monitoring
Redundant power and network connections
Fire suppression and climate control systems

2.3 No Offshore Data Processing

Your compliance data, documents, and operational information are never processed or stored outside Australia.

3. Encryption

3.1 Data at Rest

All data stored on our servers is encrypted using:

Standard: AES-256 encryption
Scope: Databases, file storage, backups
Key Management: Keys stored separately with hardware security module (HSM) protection

3.2 Data in Transit

All data transmitted between your browser and our servers is protected by:

Protocol: TLS 1.3 (minimum TLS 1.2)
Certificate: Extended Validation (EV) SSL certificate
Configuration: Strong cipher suites, perfect forward secrecy
HSTS: HTTP Strict Transport Security enforced

3.3 Database Encryption

Our PostgreSQL databases employ:

Transparent Data Encryption (TDE)
Column-level encryption for sensitive fields
Encrypted connections between application and database layers

4. Access Controls

4.1 Role-Based Access Control (RBAC)

Access to the Platform is controlled through role-based permissions:

Role	Access Level
Admin	Full access including user management
Editor	Content and data management
User	View and limited edit access

4.2 Principle of Least Privilege

We follow the principle of least privilege:

Users only receive permissions necessary for their role
Elevated access requires approval and is time-limited
Regular access reviews are conducted quarterly

4.3 Multi-Factor Authentication (MFA)

MFA is available for all user accounts
MFA is mandatory for administrative access
Supported methods: Authenticator apps, SMS (backup)

4.4 Session Management

Sessions expire after 24 hours of inactivity
Concurrent session limits enforced
Session tokens are cryptographically random
Secure cookie flags (HttpOnly, Secure, SameSite)

5. Authentication Security

5.1 Password Requirements

User passwords must meet the following criteria:

Minimum 8 characters
At least one uppercase letter
At least one lowercase letter
At least one number
At least one special character

5.2 Password Storage

Passwords are:

Never stored in plain text
Hashed using bcrypt with high work factor
Salted with unique per-user salts

5.3 Account Lockout

Account locks after 5 failed login attempts
Lockout duration: 15 minutes (auto-unlock) or manual unlock
Failed attempts are logged and monitored

5.4 Password Reset

Secure token-based password reset
Tokens expire after 1 hour
One-time use tokens only
Email notification of password changes

6. Application Security

6.1 Secure Development

Our development practices include:

Security-focused code reviews
Static application security testing (SAST)
Dynamic application security testing (DAST)
Dependency vulnerability scanning
Security training for developers

6.2 OWASP Top 10 Mitigation

We protect against common vulnerabilities:

Vulnerability	Mitigation
Injection	Parameterised queries, input validation
Broken Authentication	MFA, secure session management
Sensitive Data Exposure	Encryption, secure transmission
XML External Entities	Disabled XML external entity processing
Broken Access Control	RBAC, server-side validation
Security Misconfiguration	Hardened configurations, regular audits
Cross-Site Scripting	Output encoding, Content Security Policy
Insecure Deserialisation	Input validation, type checking
Vulnerable Components	Regular patching, dependency scanning
Insufficient Logging	Comprehensive audit logging

6.3 Input Validation

All user input is:

Validated on both client and server side
Sanitised before processing
Encoded before output
Limited in size to prevent DoS

7. Network Security

7.1 Infrastructure Protection

Web Application Firewall (WAF)
DDoS protection and mitigation
Network segmentation between tiers
Intrusion detection systems (IDS)

7.2 Traffic Monitoring

All network traffic is logged
Anomaly detection for unusual patterns
Real-time alerting for suspicious activity
Regular traffic analysis and review

7.3 VPN Access

Administrative access to production systems requires:

VPN connection with strong encryption
MFA authentication
IP whitelisting
Activity logging

8. Monitoring and Logging

8.1 Audit Logging

We maintain comprehensive audit logs including:

User authentication events (login, logout, failures)
Data access and modifications
Administrative actions
Security events

8.2 Log Retention

Log Type	Retention Period
Security events	24 months
Access logs	12 months
Application logs	6 months
Error logs	3 months

8.3 Log Protection

Logs are:

Stored separately from application data
Protected against tampering
Encrypted at rest
Backed up regularly

8.4 Real-Time Monitoring

24/7 automated monitoring
Security Information and Event Management (SIEM)
Immediate alerts for critical events
On-call incident response team

9. Vulnerability Management

9.1 Vulnerability Scanning

Weekly automated vulnerability scans
Immediate scanning after significant changes
Third-party scanning for independent assessment

9.2 Penetration Testing

Annual third-party penetration testing
Additional testing after major releases
Remediation tracking for findings

9.3 Patch Management

Priority	Timeframe
Critical	Within 24 hours
High	Within 7 days
Medium	Within 30 days
Low	Next scheduled maintenance

9.4 Responsible Disclosure

We welcome responsible disclosure of security vulnerabilities.

To report a vulnerability:

Email: support@qualticks.com.au
Include: Description, steps to reproduce, potential impact
We will acknowledge within 48 hours
We aim to remediate critical issues within 7 days

We will:

Not take legal action against good-faith researchers
Work with you to understand and resolve the issue
Credit you in any public disclosure (if desired)

9.5 Third-Party Data Synchronisation Security

Training.gov.au Data Sync:

Data is retrieved via secure API connections from Training.gov.au
Synchronisation occurs on a scheduled basis (typically daily)
Data is validated for format integrity before storage
We do not independently verify the accuracy of source data from Training.gov.au
Synchronisation errors are logged, monitored, and investigated

Data Integrity Limitations:

We rely on the accuracy and currency of source data from Training.gov.au
We do not modify or alter Training.gov.au source data
Data stored in QUALTICKS may not reflect real-time changes to Training.gov.au
Users should verify critical information directly with Training.gov.au

Sync Status:

Failed synchronisations trigger internal alerts for investigation
We do not guarantee successful synchronisation at any particular time
Synchronisation may be delayed or fail due to Training.gov.au availability

10. Incident Response

10.1 Incident Classification

Severity	Description	Response Time
Critical	Active breach, data exfiltration	Immediate
High	Potential breach, critical vulnerability	Within 1 hour
Medium	Security weakness, non-critical vulnerability	Within 4 hours
Low	Minor issue, informational	Within 24 hours

10.2 Response Procedures

Our incident response process:

Detection: Automated or manual identification
Containment: Immediate steps to limit impact
Eradication: Remove threat and close vulnerabilities
Recovery: Restore normal operations
Lessons Learned: Post-incident review and improvements

10.3 Communication

During an incident:

Affected customers notified as soon as practicable
Regular status updates provided
Post-incident report within 30 days

11. Data Breach Notification

11.1 Notifiable Data Breaches Scheme

We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).

11.2 Assessment Timeline

When we become aware of a potential breach:

Initial assessment: Within 24 hours
Full assessment: Within 30 days
OAIC notification: As soon as practicable after assessment
Individual notification: As soon as practicable after OAIC notification

11.3 Notification Content

Notifications will include:

Description of the data breach
Types of personal information involved
Recommendations for affected individuals
Contact details for further information
Steps we are taking to respond

11.4 Customer Notification

We will notify affected customers via:

Email to registered account addresses
In-app notification
Phone call for high-severity incidents

12. Backup and Recovery

12.1 Backup Schedule

Data Type	Frequency	Retention
Database	Continuous (point-in-time)	30 days
Full snapshot	Daily	30 days
Archives	Monthly	12 months

12.2 Backup Security

All backups are:

Encrypted with AES-256
Stored in geographically separate locations (within Australia)
Tested regularly for integrity
Subject to the same access controls as production data

12.3 Recovery Objectives

Recovery Point Objective (RPO): 1 hour
Recovery Time Objective (RTO): 4 hours

12.4 Disaster Recovery Testing

Full disaster recovery testing conducted annually
Partial recovery tests conducted quarterly
Results documented and improvements implemented

13. Business Continuity

13.1 Availability Target

We target 99.9% uptime, measured monthly, excluding scheduled maintenance.

13.2 Redundancy

Multiple availability zones
Load balancing across servers
Automatic failover for critical components
Geographic redundancy within Australia

13.3 Maintenance Windows

Scheduled maintenance: Sundays 2:00-6:00 AM AEST
Advance notice: Minimum 72 hours
Emergency maintenance: Notification as soon as practicable

14. Vendor Security

14.1 Vendor Assessment

Before engaging third-party vendors, we assess:

Security certifications (SOC 2, ISO 27001)
Data protection practices
Incident response capabilities
Compliance with relevant regulations

14.2 Contractual Requirements

Vendor contracts include:

Data protection obligations
Security requirements
Breach notification obligations
Audit rights

14.3 Key Vendors

Vendor	Purpose	Security
Australian hosting provider	Infrastructure	ISO 27001, SOC 2
HubSpot	CRM	SOC 2, Data Privacy Framework
Payment processor	Payments	PCI DSS Level 1

15. Employee Security

15.1 Background Checks

All employees with access to customer data undergo:

Identity verification
Reference checks
Criminal background checks (where permitted by law)

15.2 Security Training

Security awareness training at onboarding
Annual refresher training
Phishing simulation exercises
Role-specific security training

15.3 Access Termination

When employment ends:

Access revoked immediately
Devices returned and wiped
Accounts disabled
Exit interview conducted

16. Compliance Roadmap

16.1 Current Compliance

Australian Privacy Principles
Notifiable Data Breaches scheme
Industry best practices

16.2 Future Certifications

We are working towards:

ISO 27001 certification
SOC 2 Type II attestation
IRAP assessment (for government customers)

17. Policy Review

This policy is reviewed:

Annually, at minimum
After significant security incidents
When regulations change
When systems significantly change

18. Contact

Security Team RTO MATE PTY LTD

Security Inquiries: support@qualticks.com.au