Overview
ZiplineOS is built security-first for Australian businesses. Customer data is hosted in Australia, encrypted in transit and at rest, and isolated per organisation. This page summarises the controls that protect your data. For data-handling specifics, see our Privacy Policy.
Data residency
All customer data is stored and processed in Australia, in Google Cloud's Sydney region. We do not move customer data offshore for storage.
Encryption
- In transit: all traffic is served over TLS (HTTPS); plain HTTP is redirected to HTTPS. Connections to our databases and between internal services are encrypted.
- At rest: data is encrypted at rest with Google-managed AES-256 encryption across our databases, file storage, and backups.
Multi-tenant isolation
ZiplineOS is multi-tenant, and every organisation's data is logically isolated and scoped to that organisation. Isolation is enforced both in the application and at the database layer through PostgreSQL Row-Level Security, so a request can only ever read or write data belonging to its own organisation.
Authentication and access
- Sign-in is handled through Firebase Authentication with secure, HttpOnly session cookies.
- Multi-factor authentication is supported through your identity provider.
- Internal access to production systems follows least-privilege principles, using dedicated, scoped service identities rather than shared credentials.
Network and application security
- A web application firewall (Google Cloud Armor) inspects inbound traffic and blocks common attacks, including cross-site scripting (XSS) and SQL-injection patterns from the OWASP rule sets.
- Traffic is geo-restricted to our operating regions and rate-limited per client to mitigate abuse and denial-of-service attempts.
- Our databases run on private networking with no public IP address and are not reachable from the internet.
Monitoring, logging, and auditing
We centrally collect application, infrastructure, and audit logs, with automated alerting to our on-call team. Network flow logs and continuous configuration monitoring (Google Security Command Center) give us ongoing visibility into anomalies and misconfigurations.
Secure development and vulnerability management
- Every code change is peer-reviewed before it reaches production, and branch protection is enforced on our main branches.
- Automated dependency scanning continuously checks for known vulnerabilities, which are triaged and remediated on a defined schedule.
- Static and infrastructure scanning run as part of our CI/CD pipeline.
Compliance
ZiplineOS is pursuing SOC 2 compliance, and our security controls are monitored continuously. We handle personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles. The third-party sub-processors we rely on are described in our Privacy Policy.
Business continuity
Customer data is backed up regularly, and we maintain documented disaster-recovery and incident-response procedures that are reviewed and tested.
Responsible disclosure
We welcome reports from security researchers. If you believe you've found a vulnerability, please email security@codenexas.com.au. We will acknowledge your report and work with you on remediation, and we ask that you give us a reasonable opportunity to resolve the issue before any public disclosure.
