Security
Trust Center — Security, privacy, and compliance at Smartta
1. Our Commitment
At Smartplace Pty Ltd ("Smartta"), security is fundamental to everything we build. Our workforce governance platform handles sensitive employee data, compliance records, credential evidence, and payroll information. We take this responsibility seriously and have built our platform with security at every layer.
This page provides an overview of our security practices, compliance programme, and the measures we take to protect your data. If you have specific security questions or require a detailed security assessment, please contact security@smartplace.ai.
2. Compliance
We maintain a rigorous compliance programme aligned with industry standards and regulatory requirements.
SOC 2 Type II
Audit in progress. Covers Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
ISO 27001
Certification planned for 2026. ISMS documentation and controls already established following Annex A control framework.
Penetration Testing
Annual third-party penetration testing of our platform, infrastructure, and APIs. Findings remediated on a risk-prioritised basis.
3. Privacy and Data Processing
We provide comprehensive data protection documentation and contractual safeguards:
- Data Processing Agreement (DPA): Available for all enterprise customers. Includes Standard Contractual Clauses (SCCs) for international transfers and a UK International Data Transfer Addendum where applicable.
- Data Usage Framework: Clear policies governing how customer data is used, stored, and protected. Customer data is never used for training models or shared with other customers.
- Sub-processors: We maintain a current list of sub-processors and notify customers of any changes in advance, providing the opportunity to object.
For full details on our data handling practices, see our Privacy Policy.
4. Product Security
Our platform is designed with defence-in-depth security at every layer.
Authentication
- Single Sign-On (SSO) via SAML 2.0 and OpenID Connect
- Multi-Factor Authentication (MFA) support
- OAuth 2.0 for API authentication
- Scoped JWT tokens with configurable expiry
- Brute-force protection and account lockout policies
Authorization
- Role-Based Access Control (RBAC) with granular permissions
- Tenant isolation at the database level
- Identity-Aware Proxy (IAP) for scoped external access
- Principle of least privilege enforced across all services
Auditing
- Comprehensive audit logging of all data access and modifications
- Immutable evidence chain for compliance-critical operations
- Tamper-evident records with cryptographic integrity checks
- Configurable audit retention policies per customer
API Security
- All APIs served over TLS 1.2+ exclusively
- Rate limiting and throttling on all endpoints
- Input validation and output encoding
- CORS policies and CSRF protection
- API key rotation and scoped access tokens
5. Infrastructure
Our platform is hosted on enterprise-grade cloud infrastructure with multiple layers of protection.
Cloud Hosting
Amazon Web Services (AWS) Sydney region (ap-southeast-2). All customer data resides within Australia unless otherwise agreed.
Network Security
Virtual Private Cloud (VPC) with private subnets, security groups, and network ACLs. No direct public internet access to data stores.
Web Application Firewall
AWS WAF with managed rule sets for OWASP Top 10 protection, bot mitigation, and DDoS defence via AWS Shield.
6. Application Security
We integrate security into every stage of our software development lifecycle:
- SAST (Static Application Security Testing): Automated code scanning on every pull request to identify vulnerabilities before they reach production.
- DAST (Dynamic Application Security Testing): Regular automated scanning of running applications to identify runtime vulnerabilities.
- SCA (Software Composition Analysis): Continuous monitoring of third-party dependencies for known vulnerabilities with automated alerting and remediation tracking.
- Secure Code Review: All code changes undergo peer review with security considerations as part of the review criteria.
- Security Training: Regular security awareness training for all engineering staff, including OWASP Top 10 and secure coding practices.
7. Encryption
In Transit
All data transmitted between clients and our services is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints, and HSTS headers are set on all responses.
Internal service-to-service communication is also encrypted. We support modern cipher suites and regularly rotate certificates.
At Rest
All data at rest is encrypted using AES-256 encryption. Database volumes, backups, and object storage are all encrypted using AWS-managed keys or customer-managed keys (CMK) where requested.
Encryption keys are managed through AWS Key Management Service (KMS) with automatic key rotation.
8. Identity and Access Management
Access to our production systems is tightly controlled:
- Production access requires multi-factor authentication and is limited to authorised personnel
- Privileged access is time-bound, logged, and reviewed regularly
- Service accounts use the principle of least privilege with scoped permissions
- Access reviews are conducted quarterly to ensure appropriate access levels
- Employee offboarding includes immediate revocation of all system access
9. Business Continuity
Our business continuity and disaster recovery plans ensure service availability and data durability.
Recovery Time Objective (RTO): Maximum targeted duration for restoring services following a major disruption. Critical services have shorter individual RTOs.
Recovery Point Objective (RPO): Maximum acceptable data loss window. Continuous replication and regular backups ensure minimal data loss in a disaster scenario.
- Automated backups with point-in-time recovery capabilities
- Cross-region backup replication for disaster recovery
- Regular disaster recovery testing and tabletop exercises
- Documented runbooks for all recovery procedures
10. Incident Response
We maintain a formal incident response plan that covers identification, containment, eradication, recovery, and lessons learned. Key elements include:
- 24/7 monitoring and alerting for security events
- Defined severity levels with corresponding response timelines
- Dedicated incident response team with clear roles and responsibilities
- Customer notification within 72 hours for incidents involving customer data, in accordance with GDPR and the Australian Notifiable Data Breaches scheme
- Post-incident review and root cause analysis for all significant incidents
- Regular incident response drills and tabletop exercises
11. Third-Party Services
We carefully evaluate and monitor all third-party services that have access to customer data. Our vendor management programme includes:
- Security assessment prior to onboarding any new vendor
- Data Processing Agreements with all sub-processors
- Annual review of vendor security posture and compliance certifications
- Maintained sub-processor list with advance notification of changes
- Right to audit provisions in vendor contracts
12. AI/ML Transparency
Where our Services use artificial intelligence or machine learning capabilities, we are committed to transparency:
- No training on customer data: Customer data is never used to train or improve general-purpose AI/ML models.
- Deterministic rule engines: Core compliance features (award interpretation, credential validation, care minutes calculations) use deterministic rule engines, not probabilistic AI models. This ensures predictable, auditable, and repeatable outcomes.
- AI-assisted features: Where AI-assisted features are available (such as natural language queries or document extraction), they are clearly labelled as such and customer data processing remains within the customer's own tenant boundary.
- Human oversight: Automated outputs are recommendations; customers retain full control over acting on them.
13. Shared Responsibility Model
Security is a shared responsibility. While we secure the platform, infrastructure, and application layers, our customers play an important role in securing their own use of the Services:
Smartta is responsible for:
- Securing the platform infrastructure and network
- Maintaining encryption at rest and in transit
- Patching and updating platform software
- Monitoring for and responding to security threats
- Maintaining compliance certifications
- Providing security features (SSO, MFA, RBAC, audit logging)
Customers are responsible for:
- Managing user accounts and access permissions within their tenant
- Enabling and enforcing MFA for their users
- Configuring SSO and identity provider integration
- Protecting their own API keys and credentials
- Ensuring their authorised users comply with acceptable use policies
- Reporting suspected security incidents promptly
14. Contact Us
For security questions, to report a vulnerability, or to request a security assessment:
- Security team: security@smartplace.ai
- Privacy team: privacy@smartplace.ai
- Responsible disclosure: If you discover a security vulnerability, please report it to security@smartplace.ai. We appreciate coordinated disclosure and will acknowledge your report within 2 business days.
Smartplace Pty Ltd (ACN 639 781 678)
C/- Margetson & Associates, Unit 21, 598-602 Forest Road, Penshurst, NSW 2222, Australia