Data Security Policy

Last Updated 4th August 2025

At Optible, we're committed to protecting your data through comprehensive technical and organisational security measures. This policy outlines how we secure the data described in our Privacy Policy.

Scope: This document covers our technical security measures, infrastructure protection, and incident response procedures. For information about what data we collect and your privacy rights, please see our Privacy Policy.

1. TECHNICAL SECURITY MEASURES

Data Encryption

  • In Transit: HTTPS (TLS) for all website and API communications, and mutual TLS between internal services

  • At Rest: AES-256 encryption for all stored personal data

  • Key Management: Encrypted backups with separate key management systems

  • Database: Encrypted database storage with dedicated access controls

Access Controls

  • Authentication: Two-factor authentication required for all system access

  • Authorisation: Role-based permissions following the principle of least privilege

  • User Management: Individual accounts with regular access reviews

  • Session Management: Automatic session timeouts and secure session handling

Network Security

  • Firewalls: Multi-layered firewall protection with intrusion detection

  • Network Segmentation: Isolated networks for different system components

  • VPN Access: Secure VPN required for all remote administrative access

  • Traffic Monitoring: Real-time monitoring of all network traffic

2. INFRASTRUCTURE SECURITY

Cloud Infrastructure (AWS Australia)

  • Location: All data processed and stored in AWS ap-southeast-2 (Sydney)

  • Certifications: ISO 27001 and SOC 2 certified infrastructure

  • Isolation: Database isolation with dedicated service access controls

  • Availability: High availability setup with automated failover

Physical Security

  • Data Centres: AWS Australian data centres with multi-layered physical security

  • Device Management: Encrypted company devices with remote wipe capability

  • Facility Access: Biometric and card-based access controls at AWS facilities

System Hardening

  • Operating Systems: Regularly updated and patched server operating systems

  • Services: Minimal service installation with unnecessary services disabled

  • Configuration: Security-first configuration with regular reviews

3. SECURE DEVELOPMENT PRACTICES

Code Security

  • Development Lifecycle: Secure development practices integrated throughout

  • Code Reviews: Mandatory peer review for all code changes

  • Vulnerability Scanning: Automated scanning for code and dependency vulnerabilities

  • Testing: Regular penetration testing and security assessments

Deployment Security

  • CI/CD Pipeline: Secure continuous integration and deployment processes

  • Environment Separation: Strict separation between development, staging, and production

  • Change Management: Controlled deployment procedures with rollback capability

4. DATA PROTECTION CONTROLS

Data Access Limitations

Only authorised Optible staff can access customer data, and only when necessary for:

  • Providing AI assessment services

  • Technical support and troubleshooting

  • System emergencies affecting service availability

  • Improving AI models (with anonymisation)

Audit and Monitoring

  • Access Logs: Complete audit logs of who accessed what data and when

  • Real-time Monitoring: 24/7 automated security monitoring and alerting

  • Anomaly Detection: Automated detection of unusual access patterns

  • Regular Reviews: Monthly review of access logs and security metrics

Data Retention Controls

  • Automated Deletion: Scheduled deletion when retention periods expire

  • Secure Deletion: Cryptographic erasure for encrypted data, multi-pass overwriting for unencrypted data

  • Verification: Confirmation that data is completely removed from all systems

5. BACKUP AND DISASTER RECOVERY

Backup Procedures

  • Frequency: Automated daily backups of all critical data

  • Location: Geographic backup replication within Australia

  • Security: Encrypted backups with separate key management

  • Testing: Regular backup restoration testing

Disaster Recovery

  • Recovery Time: Maximum 4-hour recovery time for any data loss incident

  • Uptime Guarantee: 99% system availability

  • Testing: Regular disaster recovery drills and procedure updates

  • Documentation: Comprehensive disaster recovery runbooks

6. THIRD-PARTY SECURITY

Vendor Management

  • Due Diligence: Security assessments for all third-party services

  • Agreements: Data Processing Agreements covering GDPR requirements

  • Monitoring: Continuous monitoring of vendor security compliance

  • Standards: All vendors must meet our security and privacy standards

Key Service Providers

  • AWS: ISO 27001 and SOC 2 certified infrastructure provider

  • Payment Processors: PCI-DSS compliant billing services

  • Email Services: Secure email providers with data processing agreements

7. SECURITY INCIDENT RESPONSE

Incident Detection

  • Monitoring: 24/7 automated security monitoring and alerting

  • Response Time: Immediate containment and investigation (within 1 hour)

  • Assessment: Risk assessment to determine personal data impact

Notification Procedures

  • Regulators: Notification to privacy regulators within 72 hours if required

  • Individuals: Direct notification within 72 hours where there is a high risk to individuals' rights and freedoms

  • Customers: Immediate notification to affected customers with details and remediation steps

High Risk Situations

  • Financial information compromised

  • Identity theft risk

  • Sensitive personal data exposed

  • Large-scale data exposure

Post-Incident

  • Investigation: Thorough analysis of root causes

  • Remediation: Implementation of preventive measures

  • Documentation: Detailed incident records for regulatory compliance

  • Review: Regular analysis of incidents to improve security

8. STAFF SECURITY TRAINING

All Staff Training

  • Initial Training: Comprehensive data protection and security training for new staff

  • Annual Updates: Regular refresher training on privacy and security requirements

  • Threat Awareness: Updates on emerging security threats and best practices

  • Incident Response: Training on recognising and reporting security incidents

Technical Staff Training

  • Advanced Security: Specialised training for system administrators

  • Incident Response: Regular incident response drills and simulations

  • AI Ethics: Responsible AI development and deployment training

  • Compliance: Regular updates on regulatory requirements

9. MONITORING AND COMPLIANCE

Continuous Monitoring

  • Security Metrics: Real-time dashboards of key security performance indicators

  • Vulnerability Management: Regular scanning and patching of systems

  • Access Reviews: Quarterly review of user access and permissions

  • Compliance Checks: Automated compliance monitoring tools

Regular Assessments

  • Internal Audits: Quarterly internal security and compliance assessments

  • External Audits: Annual third-party security audits and penetration testing

  • Risk Assessments: Regular evaluation of security risks and controls

  • Policy Reviews: Annual review and update of security policies

Documentation and Records

  • Security Documentation: Comprehensive records of all security measures

  • Incident Records: Detailed logs of all security incidents and responses

  • Compliance Evidence: Documentation demonstrating regulatory compliance

  • Change Records: Complete audit trail of system and policy changes

10. CONTACT INFORMATION

Security Incidents: security@optible.ai
General Security Questions: support@optible.ai
Privacy Matters: privacy@optible.ai

Business Address: Stone & Chalk, Lot Fourteen, North Terrace, Adelaide, SA 5000, Australia

Emergency Contact: For urgent security matters outside business hours, contact security@optible.ai with "URGENT SECURITY" in the subject line.

This policy is reviewed annually and updated as needed. We'll notify customers of any material changes that affect our security measures. For questions about what data we collect and your privacy rights, please refer to our Privacy Policy.

Optible Ventures Pty Ltd
Lot Fourteen
North Terrace
Adelaide SA 5000

64 Nile St
London
N17SR
United Kingdom

904 High Street
Palo Alto 94301
United States
