Security you can present to regulators.
AxionSite is designed from the ground up for Australian workplace safety compliance — not as an afterthought. Every record is tamper-evident, every access is logged.
For IT & Procurement — quick reference
Use this section when evaluating AxionSite for whitelisting, vendor approval, or security questionnaires.
Security questionnaire? Use our contact form — we respond within one business day.
Built for regulators, not just users.
When things go wrong on site, your records need to be bulletproof. AxionSite is designed for exactly that moment.
Immutable records
Permit sign-offs and audit events are write-once. No edits, no deletions — complete chain of custody for every task.
Role-based access
Supervisors, operators, and administrators get exactly the access they need. Nothing more.
Data residency in Australia
All Australian customer data is stored in Google Cloud's Australian regions; AU primary data is not stored outside Australia. Task text and images submitted for AI generation are processed in memory by a US-based provider (see AI processing and subprocessors).
Full audit trail
Every login, signature, export, and change is logged with timestamp, user ID, and IP. Exportable for investigations.
99.9% uptime SLA
Enterprise plans include a 99.9% uptime SLA with dedicated monitoring and incident response procedures.
Encrypted in transit & at rest
TLS 1.3 in transit. AES-256 at rest. SOC 2 Type II in preparation (target Q4 2026).
Data handling & retention
| Data type | Storage location | Retention | Encryption |
|---|---|---|---|
| Audit logs & permits | Australia (Google Cloud / Firebase) | 7 years (configurable) | AES-256 at rest |
| Worker signatures | Australia (Google Cloud / Firebase) | 7 years | AES-256 at rest |
| User profiles | Australia (Google Cloud / Firebase) | Until account deletion | AES-256 at rest |
| Exported PDFs | Temporary cloud storage (auto-deleted after 24h) | 24 hours | TLS in transit; Google Cloud default encryption at rest |
Security architecture
AxionSite runs on a defence-in-depth architecture where every layer — network, application, and data — is independently hardened.
Infrastructure
- Hosted on Google Cloud in Australian regions (Firebase) — primary customer data remains in Australia
- High availability and redundancy within Google Cloud’s Australian infrastructure
- Elastic scaling for predictable latency under load
- Infrastructure as Code (Terraform) with peer-reviewed change management
Network
- Web application firewall rules at the edge (OWASP Top 10, known bad inputs, IP reputation)
- DDoS protection at the edge via our hosting and cloud providers
- TLS 1.3 enforced on all endpoints — TLS 1.0/1.1 disabled, HSTS preloaded (2-year max-age)
- Certificate pinning for mobile clients; Certificate Transparency monitoring
- HTTP security headers on every response: X-Frame-Options, X-Content-Type-Options, CSP upgrade-insecure-requests, Permissions-Policy
Application
- Strict input validation and output encoding on every API boundary
- Parameterised queries exclusively — no string concatenation in database calls
- CSRF tokens on all state-changing operations with SameSite cookie attributes
- Content Security Policy (CSP) header on every response (currently upgrade-insecure-requests only, which does not by itself restrict script sources; see the HTTP security headers table)
Authentication
- Bcrypt password hashing with cost factor 12 (bcrypt generates a per-user salt)
- Secure session management with HTTP-only, Secure, SameSite=Strict cookies
- Account lockout after 5 failed attempts with exponential back-off
- Multi-factor authentication is on the roadmap for Q3 2026 and is not yet available
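The lockout rule above (five failed attempts, then exponential back-off) leaves two questions a reviewer usually asks: whether attempts made while locked extend the lock, and what resets the counter. The following is an added example of one reasonable policy, not AxionSite's own code. The five-attempt threshold comes from the page; the 30-second base lock, the one-hour cap, and the injectable clock are assumptions made so the example runs offline.

```python
"""Failed-login throttling: lock the account after five consecutive failures,
doubling the lock on each further failure.  Added example, not AxionSite's code.
MAX_FAILURES is the page's figure; the base lock, cap and fake clock are assumed."""
from dataclasses import dataclass
from typing import Callable

MAX_FAILURES = 5            # from the page
BASE_LOCK_SECONDS = 30.0    # assumption
MAX_LOCK_SECONDS = 3600.0   # assumption: cap so an attacker cannot lock a victim out for days


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Tracks consecutive failures per account (keyed by normalised username).

    Attempts made while locked are refused without running the password check
    and do not extend the lock, so hammering the endpoint cannot keep a victim
    locked out indefinitely (per-IP limiting belongs alongside this)."""

    def __init__(self, now: Callable[[], float]) -> None:
        self._now = now                       # returns seconds; injected for offline use
        self._accounts: dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self._accounts.setdefault(username.strip().lower(), AccountState())

    def retry_after(self, username: str) -> float:
        """Seconds until the account may try again (0.0 if not locked)."""
        return max(0.0, self._state(username).locked_until - self._now())

    def attempt(self, username: str, verify: Callable[[], bool]) -> tuple[bool, float]:
        """Apply one login attempt and return (allowed, retry_after_seconds).

        `verify` performs the password check (e.g. a bcrypt comparison) and is
        only called when the account is not locked."""
        st = self._state(username)
        remaining = self.retry_after(username)
        if remaining > 0:
            return False, remaining
        if verify():
            st.failures, st.locked_until = 0, 0.0      # success resets the counter
            return True, 0.0
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            # 5th failure -> 30 s, 6th -> 60 s, 7th -> 120 s ... up to the cap
            lock = min(BASE_LOCK_SECONDS * 2 ** (st.failures - MAX_FAILURES), MAX_LOCK_SECONDS)
            st.locked_until = self._now() + lock
            return False, lock
        return False, 0.0


def demo() -> list[tuple[bool, float]]:
    """Scripted timeline against a fake clock; returns the outcome of each attempt."""
    clock = [1_000.0]
    throttle = LoginThrottle(now=lambda: clock[0])
    wrong, right = (lambda: False), (lambda: True)
    results = []
    for _ in range(5):
        results.append(throttle.attempt("Alice", wrong))   # five wrong passwords -> 30 s lock
    results.append(throttle.attempt("alice", right))       # correct, but still locked: refused
    clock[0] += 31                                         # lock expires
    results.append(throttle.attempt("alice", wrong))       # sixth failure: lock doubles to 60 s
    clock[0] += 61
    results.append(throttle.attempt("alice", right))       # allowed; counter reset
    results.append(throttle.attempt("alice", wrong))       # one failure after reset: no lock
    return results


if __name__ == "__main__":
    for i, (allowed, wait) in enumerate(demo(), 1):
        print(f"attempt {i}: allowed={allowed} retry_after={wait:.0f}s")
```

Note that the username is normalised before lookup, so "Alice" and "alice" share one counter; without this, case variants give an attacker a fresh budget of attempts per spelling.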
Compliance framework
We maintain alignment with Australian and international regulatory requirements relevant to workplace safety, data protection, and information security.
Australian Privacy Act 1988 (Cth)
Status: Compliant. AxionSite is compliant with the 13 Australian Privacy Principles (APPs) under the Privacy Act 1988, covering the collection, use, disclosure, quality, and security of personal information. We maintain an up-to-date APP privacy policy, respond to access and correction requests within 30 days, and collect only the information reasonably necessary for WHS document generation and management.
SOC 2 Type II
Status: In preparation, target Q4 2026. SOC 2 Type II evaluates both the design and the operating effectiveness of controls over an observation period (typically 3 to 12 months) against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. We are documenting controls, implementing continuous monitoring, and engaging an independent CPA firm to perform the examination. SOC 2 is an attestation report rather than a certification; a Type II report demonstrates sustained operation of controls over the period, not a point-in-time assessment.
ISO 27001
Status: Roadmap, target 2027. ISO/IEC 27001 is the internationally recognised standard for Information Security Management Systems (ISMS). The 2022 revision includes 93 controls organised across four themes: organisational, people, physical, and technological. We are building our ISMS documentation and control catalogue aligned to Annex A requirements, with formal certification targeted for 2027 through an accredited certification body.
WHS Act and Regulations alignment
Status: Active. All documents generated by AxionSite are aligned to Safe Work Australia's Model Codes of Practice and the harmonised Work Health and Safety Act 2011, together with the WHS Regulations as enacted in each jurisdiction (the 2011 model Regulations, re-made for example as the WHS Regulation 2017 in NSW). This includes SWMS, JSAs, risk assessments, and permit-to-work documents that address the duty of care obligations under sections 17 to 19 of the WHS Act. Outputs are reviewed quarterly against regulatory updates from Safe Work Australia.
GDPR alignment
Status: Active. For organisations with international operations or workers located in the EU/EEA, AxionSite maintains alignment with the General Data Protection Regulation. This includes lawful basis documentation, data minimisation, right to erasure (Article 17), data portability (Article 20), and Data Protection Impact Assessments for high-risk processing. Our Terms of Service include Standard Contractual Clauses for any cross-border data transfers.
HTTP security headers
Every response includes security headers that protect against common web vulnerabilities and satisfy corporate proxy and firewall requirements.
| Header | Value | Purpose |
|---|---|---|
| Strict-Transport-Security | max-age=63072000; includeSubDomains; preload | Forces HTTPS for 2 years; HSTS preload list eligible |
| X-Frame-Options | DENY | Prevents clickjacking; blocks embedding in iframes |
| X-Content-Type-Options | nosniff | Prevents MIME-type sniffing attacks |
| Content-Security-Policy | upgrade-insecure-requests | Upgrades HTTP subresource requests to HTTPS; on its own this directive does not restrict script sources (no script-src or default-src) |
| Referrer-Policy | strict-origin-when-cross-origin | Limits referrer information sent to third parties |
| Permissions-Policy | camera=(self), microphone=(), geolocation=() | Restricts browser features; camera allowed for photo hazard tool |
| X-DNS-Prefetch-Control | on | Enables DNS prefetching for performance; not a security control (link hostnames are resolved before the user clicks them) |
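For a questionnaire or whitelisting review, the useful check is whether a captured response actually carries the values in the table and whether they are strong enough. The following is an added example of such a check, not AxionSite's own code; the expected values are taken from the table, and the two sample responses are constructed for illustration.

```python
"""Offline check of a response's security headers against the documented policy.
Added example, not AxionSite's code: expected values come from the table above,
and DOCUMENTED_HEADERS / WEAK_HEADERS are constructed sample responses."""

TWO_YEARS = 63072000  # the documented Strict-Transport-Security max-age


def _kv_directives(value: str) -> dict[str, str]:
    """Parse 'a=1; b; c=2' style values (HSTS, Permissions-Policy) into lower-cased name -> value."""
    out: dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out


def _csp_directives(value: str) -> dict[str, list[str]]:
    """Parse a CSP ('default-src a b; upgrade-insecure-requests') into name -> sources."""
    out: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for a response header map; an empty list means the policy is met.
    Header names are compared case-insensitively, as HTTP field names are."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = _kv_directives(h.get("strict-transport-security", ""))
    max_age = int(hsts.get("max-age") or 0)
    if max_age < TWO_YEARS:
        findings.append(f"HSTS: max-age={max_age} is below the documented two years")
    if "includesubdomains" not in hsts or "preload" not in hsts:
        findings.append("HSTS: includeSubDomains and preload are required for preload-list eligibility")

    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options: expected DENY")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: expected nosniff")

    if "content-security-policy" not in h:
        findings.append("CSP: header missing")
    else:
        csp = _csp_directives(h["content-security-policy"])
        if "script-src" not in csp and "default-src" not in csp:
            # upgrade-insecure-requests alone says nothing about where scripts may load from
            findings.append("CSP: no script-src/default-src, so script sources are not restricted")

    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy: expected strict-origin-when-cross-origin")

    perms = _kv_directives(h.get("permissions-policy", "").replace(",", ";"))
    for feature in ("microphone", "geolocation"):
        if perms.get(feature) != "()":
            findings.append(f"Permissions-Policy: {feature} should be denied with ()")

    if h.get("x-dns-prefetch-control", "").lower() == "on":
        findings.append("X-DNS-Prefetch-Control: 'on' is a performance setting, not a security control")

    return findings


# Constructed response carrying exactly the values from the table
DOCUMENTED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "upgrade-insecure-requests",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(self), microphone=(), geolocation=()",
    "X-DNS-Prefetch-Control": "on",
}

# Constructed weaker response: short HSTS without preload, framing allowed, microphone permitted
WEAK_HEADERS = {
    **DOCUMENTED_HEADERS,
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "Permissions-Policy": "camera=(self), microphone=(self), geolocation=()",
}

if __name__ == "__main__":
    for name, hdrs in (("documented", DOCUMENTED_HEADERS), ("weak", WEAK_HEADERS)):
        print(name)
        for finding in check_security_headers(hdrs):
            print("  -", finding)
```

Run against the documented set, the checker reports only the two informational points already noted in the table (the CSP lacks a source allow-list, and DNS prefetch is a performance setting); the weaker set also trips the HSTS, framing and microphone checks.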
AI processing and subprocessors
AxionSite uses AI to generate compliance documents. The processing is documented below: customer data is not used for model training, stored records remain in Australia, and prompts are processed in memory by a US-based provider.
AI processing (OpenAI)
- API-based; no persistent storage of prompts or outputs on OpenAI infrastructure for our use case
- OpenAI's API data-usage terms (Enterprise Privacy) apply: API inputs and outputs are not used to train OpenAI's models
- Task descriptions and generated outputs are processed in-memory; stored records remain in Australia
- Photo hazard analysis: images sent to OpenAI Vision API; not used for model training per OpenAI policy
Infrastructure subprocessors
| Vendor | Purpose | Region |
|---|---|---|
| Vercel | Hosting, CDN, serverless functions | Global CDN edge (static assets and routing may be served outside AU); origin functions in Australia |
| Google LLC (Firebase / Google Cloud) | Database, auth, storage, backend (Australian regions) | Australia |
| OpenAI | AI document generation, image analysis | US (API only; no data retention) |
| Stripe | Payment processing | AU / global |
| Resend | Transactional email | US (email delivery) |
Full subprocessor list in our Data Processing Agreement. See our Privacy Policy for data handling details.
Data protection
Your WHS records deserve the same protection as financial data. We apply encryption at every layer and maintain resilient backups that survive regional outages.
Encryption
- AES-256 encryption at rest for all stored data (database fields, file attachments, and backups), provided by Google Cloud default encryption
- TLS 1.3 for all data in transit, enforced via HSTS with a two-year max-age and preload
- Client-side encryption available for enterprise plans (bring your own key)
Key management
- Google Cloud Key Management Service (KMS) for key lifecycle management
- Automatic key rotation every 365 days with no service interruption
- Hardware Security Module (HSM)-backed key storage (FIPS 140-2 Level 3)
- Separate encryption keys per tenant for enterprise deployments
Backup & recovery
- Daily encrypted backups with point-in-time recovery within a 30-day window
- Geographic redundancy and backup retention in line with Google Cloud practices
- Recovery Time Objective (RTO) of 4 hours; Recovery Point Objective (RPO) of 1 hour
- Backup restoration tested quarterly with documented run-books
Data deletion
- Right to erasure honoured within 30 days of verified request (APP 13 & GDPR Article 17)
- Cryptographic erasure for storage media: the encryption keys covering the data are destroyed, rendering it irrecoverable (where a dedicated tenant key is provisioned, see Key management, this can be done at tenant granularity)
- Automated purge of temporary processing data within 24 hours
- Deletion confirmation certificate issued to the requesting party
Access control
Every user gets exactly the permissions they need — no more. All access events are logged immutably for audit and investigation.
Role-based access control (RBAC)
| Role | Permissions |
|---|---|
| Operator | View assigned tasks, sign off on permits, submit hazard reports |
| Supervisor | Create SWMS/JSAs, assign tasks, approve permits, view team audit logs |
| Safety Officer | Full read access to all records, generate compliance reports, manage workflows |
| Admin | User management, billing, organisation settings, API key management |
Access policies
- Principle of least privilege enforced: each role grants an explicit permission set, and nothing is inherited by default
- All access events logged with IP address, timestamp, user ID, and action performed
- Session timeout after 30 minutes of inactivity; hard session limit of 12 hours
- Concurrent session limits — maximum two active sessions per user account
- API keys scoped to specific resources with configurable expiration
- Admin actions require re-authentication within a 5-minute window
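The page describes permit sign-offs and audit events as write-once and tamper-evident, and access events as logged immutably. One way to make that property checkable rather than asserted is a keyed hash chain over the log, where each entry commits to the one before it. The block below is an added example of that construction, not AxionSite's own code; the events, user IDs, IP addresses and the key are constructed for the demonstration, and the choice of HMAC-SHA256 with a key held outside the log store is the example's own design.

```python
"""Tamper-evident, append-only audit trail built as a keyed hash chain.
Added example for the write-once records and access log described above; not
AxionSite's code.  Events, IDs, IPs and the key below are constructed."""
import copy
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # chain state before the first entry (assumption)


def _canonical(event: dict) -> bytes:
    """Deterministic JSON so an event always serialises to the same bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


class AuditChain:
    """Each entry carries tag = HMAC-SHA256(key, previous_tag || canonical(event)).

    Editing, reordering or deleting an entry breaks every tag after it.  Because a
    valid tag needs the key, someone with write access to the log store alone cannot
    rewrite history and recompute a consistent chain; the key must live outside that
    store (for instance in a KMS, as in the Key management section)."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: list[dict] = []

    def _tag(self, prev: bytes, event: dict) -> str:
        return hmac.new(self._key, prev + _canonical(event), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> dict:
        prev = bytes.fromhex(self.entries[-1]["tag"]) if self.entries else GENESIS
        entry = {"seq": len(self.entries), "event": event, "tag": self._tag(prev, event)}
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int]:
        """Return (True, -1) if intact, else (False, seq of the first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or not hmac.compare_digest(self._tag(prev, entry["event"]), entry["tag"]):
                return False, i
            prev = bytes.fromhex(entry["tag"])
        return True, -1

    def head(self) -> str:
        """Latest tag.  Anchor it where the log writer cannot change it (a separate
        store, a signed daily digest) so silent truncation becomes detectable."""
        return self.entries[-1]["tag"] if self.entries else GENESIS.hex()


def build_sample_chain() -> AuditChain:
    chain = AuditChain(key=b"constructed-demo-key-not-for-production")
    for event in (  # constructed access events in the shape the page describes
        {"ts": "2026-03-02T08:01:12+10:00", "user_id": "u-1042", "ip": "203.0.113.7", "action": "login"},
        {"ts": "2026-03-02T08:14:55+10:00", "user_id": "u-1042", "ip": "203.0.113.7",
         "action": "permit_signoff", "permit": "PTW-0317"},
        {"ts": "2026-03-02T09:30:02+10:00", "user_id": "u-0007", "ip": "198.51.100.23",
         "action": "export", "format": "pdf"},
    ):
        chain.append(event)
    return chain


def tamper_demo() -> dict:
    """Show which manipulations the chain detects by itself and which need the anchored head."""
    original = build_sample_chain()
    anchored_head = original.head()

    modified = copy.deepcopy(original)
    modified.entries[1]["event"]["user_id"] = "u-9999"   # rewrite who signed the permit

    deleted = copy.deepcopy(original)
    del deleted.entries[1]                               # drop the sign-off entirely

    truncated = copy.deepcopy(original)
    truncated.entries.pop()                              # drop the newest entry (the export)

    return {
        "intact": original.verify(),
        "modified": modified.verify(),
        "deleted": deleted.verify(),
        "truncated_verify": truncated.verify(),          # passes: the remaining prefix is valid
        "truncated_head_matches": truncated.head() == anchored_head,  # this is what catches it
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name}: {result}")
```

The last two results are the point worth taking to a vendor review: a hash chain detects edits and deletions in the middle, but dropping the newest entries leaves a chain that still verifies. Detecting that requires the current head to be recorded somewhere the log writer cannot alter, which is the role of the anchored head here.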
Incident response
Our incident response plan is aligned with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 and follows the NIST Cybersecurity Framework.
Incident classification
| Priority | Description | Response time |
|---|---|---|
| P1 — Critical | Confirmed data breach, complete service outage, active exploitation | ≤ 1 hour |
| P2 — High | Partial service degradation, suspected breach, privilege escalation attempt | ≤ 4 hours |
| P3 — Medium | Failed intrusion attempt, non-critical vulnerability discovered | ≤ 24 hours |
| P4 — Low | Policy violation, informational security event, minor misconfiguration | ≤ 72 hours |
Response process
- Customer notification within 24 hours of confirming a security incident (our own commitment, stricter than the NDB scheme's "as soon as practicable" standard)
- Dedicated incident commander assigned within 30 minutes of P1/P2 classification
- Post-incident review (PIR) conducted within 5 business days with root cause analysis
- Remediation actions tracked to completion with executive sign-off
- Suspected eligible data breaches assessed within 30 days (s26WH of the Privacy Act); once an eligible data breach is confirmed, the Office of the Australian Information Commissioner (OAIC) and affected individuals are notified as soon as practicable (ss 26WK and 26WL)
- Annual tabletop exercises simulating breach scenarios to validate response procedures
Vulnerability management
We proactively identify, assess, and remediate vulnerabilities before they become risks — combining automated tooling with expert-led testing.
Automated scanning
Dependabot and Snyk run on every pull request, blocking merges that introduce known CVEs. Container images scanned with Trivy on each build.
Penetration testing
Quarterly penetration tests planned with an independent CREST-accredited firm. Scope includes web application, API, and infrastructure layers.
Responsible disclosure
Security researchers can report vulnerabilities via our contact form. We acknowledge reports within 48 hours and provide remediation updates within 14 days.
Patch management
Critical vulnerabilities (CVSS ≥ 9.0) patched within 48 hours. High (CVSS 7.0–8.9) within 14 days. All others within 90 days. Emergency patching process for zero-day exploits.
Questions or concerns?
If you have a security question, want to request our latest SOC 2 readiness report, or need to report a vulnerability, contact us via our contact form. We aim to respond to all security enquiries within one business day.