Security you can
present to regulators.
AxionSite is designed from the ground up for Australian workplace safety compliance — not as an afterthought. Key workflow events are recorded with audit history so teams can support internal reviews, investigations and procurement checks.
For IT & Procurement — quick reference
Use this section when evaluating AxionSite for whitelisting, vendor approval, or security questionnaires.
Security questionnaire? Use our contact form — we aim to respond within one business day.
Built for regulators,
not just users.
When things go wrong on site, your records need to be bulletproof. AxionSite is designed for exactly that moment.
Immutable records
Key SWMS acknowledgements and audit events are retained with history so teams can reconstruct important workflow decisions.
Role-based access
Supervisors, operators, and administrators get exactly the access they need. Nothing more.
Data residency in Australia
Australian customer application data is stored in Australian regions as we configure for production. Some ancillary processing may occur offshore; see our Privacy Policy for categories and safeguards.
Full audit trail
Important workflow events are logged with user and timestamp metadata where applicable, supporting internal reviews and investigations.
99.9% uptime SLA
Enterprise plans include a 99.9% uptime SLA with dedicated monitoring and incident response procedures.
Encrypted in transit & at rest
Web traffic is protected with HTTPS/TLS and stored customer data uses cloud-provider encryption at rest. SOC 2 is on the roadmap.
Data handling & retention
| Data type | Storage location | Retention | Encryption |
|---|---|---|---|
| Audit logs & compliance packs | Australia (hosted regions) | 7 years (configurable) | AES-256 at rest |
| Worker signatures | Australia (hosted regions) | 7 years | AES-256 at rest |
| User profiles | Australia (hosted regions) | Until account deletion | AES-256 at rest |
| Exported PDFs | Temporary cloud storage (auto-deleted after 24h) | 24 hours | TLS in transit |
Security architecture
AxionSite runs on a defence-in-depth architecture where every layer — network, application, and data — is independently hardened.
Infrastructure
- Primary customer application data is hosted in Australian regions for Australian customers where configured
- Cloud-hosted architecture designed for availability, monitoring and controlled change management
- Production configuration is reviewed through normal engineering change processes
- Additional hosting and processing details are available for commercial procurement reviews
Network
- Edge and hosting-provider protections are used to reduce common web and availability risks
- HTTPS/TLS protects web traffic in transit, with HSTS on production responses
- HTTP security headers are applied, including CSP, X-Content-Type-Options, Referrer-Policy and Permissions-Policy
- Request-scoped controls limit arbitrary framing while allowing approved deployment preview workflows
Application
- Server-side validation is used on API routes and workflow boundaries
- Role and organisation checks protect customer workspaces and privileged actions
- HTTP-only session cookies use Secure and SameSite attributes in production
- Content Security Policy (CSP) limits browser capabilities and approved third-party endpoints
Authentication
- Authentication uses a managed identity provider with server-verified sessions
- Session cookies are HTTP-only, Secure in production, and paired with server-side session tracking
- Privileged routes and API actions perform server-side authorisation checks
- Multi-factor authentication and SSO options are tracked as roadmap / enterprise requirements
Compliance framework
We maintain alignment with Australian and international regulatory requirements relevant to workplace safety, data protection, and information security.
Australian Privacy Act 1988 (Cth)
Active programmeAxionSite maintains privacy practices aligned to the Australian Privacy Principles, including documented collection, use, disclosure, access, correction and security processes. We collect information needed to provide and improve the service, and handle verified privacy requests through our published privacy process.
SOC 2
Roadmap / readinessSOC 2 is on our security roadmap. We are documenting controls and evidence so enterprise customers can assess our security posture as the product matures. We do not currently claim SOC 2 certification.
ISO 27001
RoadmapISO/IEC 27001 is a roadmap item for a future formal information security management system. Until certification is complete, we describe our implemented controls directly rather than representing AxionSite as ISO certified.
Australian WHS workflow support
ActiveAxionSite is designed to support Australian WHS documentation and record-keeping workflows, including SWMS, sign-ons, hazards, incidents, inspections and audit exports. Outputs still require competent review and do not replace legal or safety advice.
GDPR alignment
ActiveFor customers with international operations, AxionSite maintains GDPR-aligned privacy practices where applicable, including data minimisation, access and deletion workflows, and contractual safeguards for relevant cross-border processing.
HTTP security headers
Every response includes security headers that protect against common web vulnerabilities and satisfy corporate proxy and firewall requirements.
| Header | Value | Purpose |
|---|---|---|
| Strict-Transport-Security | max-age=63072000; includeSubDomains; preload | Instructs browsers to use HTTPS for future requests |
| Content-Security-Policy | Route-aware policy | Restricts approved script, connection, frame and browser execution contexts |
| X-Content-Type-Options | nosniff | Prevents MIME-type sniffing attacks |
| Content-Security-Policy | upgrade-insecure-requests | Encourages secure resource loading |
| Referrer-Policy | strict-origin-when-cross-origin | Limits referrer information sent to third parties |
| Permissions-Policy | Restricted by feature | Limits access to browser capabilities not needed by the service |
| X-DNS-Prefetch-Control | on | Enables DNS prefetching for performance |
AI processing and subprocessors
AxionSite uses AI to assist with safety documentation. Customer data is handled under our privacy and subprocessor terms, and human review remains part of the workflow.
AI-assisted processing
- API-based inference is used to generate draft safety documentation from customer-provided job context
- We configure AI processing so customer prompts and outputs are not used to train public models where provider terms support that commitment
- Subprocessor and processing summaries are available to commercial customers during procurement
- Photo and document processing is limited to service delivery and retention follows our Privacy Policy
Infrastructure & subprocessors
The Service relies on vetted third parties for hosting, identity, data storage, messaging, payments, and AI inference. Categories, purposes, and regions are summarised in our Privacy Policy. Commercial customers may request a written processing summary or bespoke schedule for procurement; we do not publish a public directory of specific providers here.
Data protection
Your WHS records deserve the same protection as financial data. We apply encryption at every layer and maintain resilient backups that survive regional outages.
Encryption
- Customer data is encrypted at rest using cloud-provider managed encryption
- Web traffic is protected in transit with HTTPS/TLS
- Files and generated exports are stored using provider-backed storage controls
- Additional encryption and key-management requirements can be reviewed for enterprise deployments
Key management
- Key management follows the underlying cloud provider’s managed encryption practices
- Administrative access to production systems is restricted to authorised personnel
- Secrets are managed outside source code and rotated when required
- Customer-specific key-management requirements can be assessed during enterprise procurement
Backup & recovery
- Backup and recovery practices are aligned to the hosting provider’s managed database and storage capabilities
- Operational recovery processes are documented and improved as the service matures
- Enterprise customers can request additional availability and recovery details during procurement
- Business continuity commitments are documented in customer agreements where applicable
Data deletion
- Verified deletion and correction requests are handled through our privacy process
- Deletion is subject to legal, billing, tax, WHS, audit and security retention obligations
- Temporary processing data and generated artifacts are limited where practical
- Deletion confirmations are provided where appropriate for the request and customer agreement
Access control
Every user gets exactly the permissions they need — no more. All access events are logged immutably for audit and investigation.
Role-based access control (RBAC)
| Role | Permissions |
|---|---|
| Member | Access SWMS, exports, and dashboard modules; participate in your organisation’s workflows. Not an on-site job title — that is set per sign-on or SWMS where applicable. |
| Admin | Manage the workspace: team and invites, org settings, billing context, and privileged actions. Distinct from PCBU or site “safety officer” on a job. |
Access policies
- Principle of least privilege enforced — permissions are additive, never inherited by default
- Key access and workflow events are logged with user and timestamp metadata where applicable
- HTTP-only session cookies are paired with server-side session tracking
- Session revocation and membership changes are enforced through server-side checks
- Role-based access within the workspace; admin actions audited
- Administrative features are limited to authorised workspace or platform roles
Incident response
Our incident response plan is aligned with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 and follows the NIST Cybersecurity Framework.
Incident classification
| Priority | Description | Response time |
|---|---|---|
| Critical | Confirmed data breach, complete service outage, or active exploitation | Immediate triage |
| High | Material service degradation, suspected breach, or privilege escalation concern | Prioritised response |
| Medium | Non-critical vulnerability or security event requiring remediation | Scheduled remediation |
| Low | Informational event, policy issue, or minor misconfiguration | Tracked to closure |
Response process
- Confirmed incidents are triaged, contained, investigated and remediated according to severity
- Affected customers are notified where required by law, contract or material impact
- Eligible data breaches are assessed under the Notifiable Data Breaches scheme
- Remediation actions are tracked to closure and reviewed after material incidents
- Incident response procedures are reviewed as the service and customer base mature
Vulnerability management
We proactively identify, assess, and remediate vulnerabilities before they become risks — combining automated tooling with expert-led testing.
Automated scanning
Dependency and application changes are reviewed with automated tooling and engineering checks.
Independent testing
Independent security testing is part of the roadmap as enterprise procurement requirements mature.
Responsible disclosure
Security researchers and customers can report vulnerabilities via our contact form for triage and coordinated remediation.
Patch management
Security updates are prioritised by severity, exploitability and customer impact.
Questions or concerns?
If you have a security question, need procurement documentation, or want to report a vulnerability, contact us via our contact form. We aim to respond to all security enquiries within one business day.